CN109951319B - Method for backing up lock of manager of encryption equipment and encryption equipment - Google Patents
Method for backing up lock of manager of encryption equipment and encryption equipment Download PDFInfo
- Publication number
- CN109951319B CN109951319B CN201910135319.8A CN201910135319A CN109951319B CN 109951319 B CN109951319 B CN 109951319B CN 201910135319 A CN201910135319 A CN 201910135319A CN 109951319 B CN109951319 B CN 109951319B
- Authority
- CN
- China
- Prior art keywords
- administrator lock
- administrator
- lock
- backup
- backup request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a method for backing up a manager lock of an encryption machine, which comprises the following steps: the method comprises the steps of sending a backup request packet to a cloud end, wherein the backup request packet comprises a first administrator lock ID of a first administrator lock in a factory state and a second administrator lock ID of a second administrator lock in a ready state, receiving a first backup command packet which is from the cloud end and generated according to the backup request packet after the backup request packet is verified successfully, sending the first backup command packet to the second administrator lock, receiving a second backup command packet which is generated by the second administrator lock and comprises the first administrator lock ID, the second administrator lock ID and administrator lock core data, sending the second backup command packet to the first administrator lock to enable the first administrator lock to be in the ready state, and storing the administrator lock core data in the first administrator lock in the ready state. The invention also provides encryption equipment. The scheme of the invention can realize the copying of the administrator lock under the condition of ensuring the safety.
Description
Technical Field
The invention relates to the field of computer security, in particular to a method for backing up a lock of an administrator of an encryption machine and encryption machine equipment.
Background
In the internet era, information security is more and more concerned, and the range of information security is wide, wherein the range includes how to prevent secret leakage of business enterprises, prevent bad information browsing of teenagers, leakage of personal information and the like; at present, reliable hardware equipment and a matching solution for ensuring authentication security, account information security and data security are provided for enterprises and public institutions in an informatization process or an internet enterprise building system or platform process, and in order to improve the use security of the security encryption equipment, the products generally provide an administrator authority protection lock to control the use authority of related personnel and prevent irrelevant and malicious personnel from illegal control so as to avoid unnecessary loss; the administrator authority protection lock is bound with the equipment to be effective when leaving a factory, and each administrator configures one corresponding administrator lock under the common condition, if the administrator authority protection lock needs to be returned to the factory and bound with the equipment again and initialized due to loss or damage, the administrator authority protection lock brings troubles and wastes time.
Therefore, there is a need in the art for a technique that can back up an administrator rights protection lock so that the administrator's use of the protection lock is not affected when the original administrator rights protection lock is unavailable due to loss or damage, etc.
Disclosure of Invention
One of the objectives of the present invention is to provide a method for backing up an administrator lock of an encryption apparatus and an encryption apparatus device, which can copy the administrator lock under the condition of ensuring the security of the device, so that a user can obtain a standby administrator protection lock quickly even when the original administrator protection lock has a problem, without affecting the use and operation of the device, thereby improving the user experience.
According to a first aspect of the present disclosure, a method for backing up a lock of an administrator of a crypto engine is provided, which may include: sending a backup request packet to a cloud, wherein the backup request packet comprises a first administrator lock ID of a first administrator lock in a factory state and a second administrator lock ID of a second administrator lock in a ready state, receiving a first backup command packet generated according to the backup request packet after the backup request packet is successfully verified from the cloud, the first backup command packet including a first administrator lock ID and a second administrator lock ID, sending the first backup command packet to a second administrator lock and receiving a second backup command packet generated by the second administrator lock including the first administrator lock ID, the second administrator lock ID, and administrator lock core data, sending the second backup command packet to the first administrator lock to put the first administrator lock in a ready state, and storing the administrator lock core data in the first administrator lock in the ready state.
In the method of backing up an administrator lock of a crypto machine according to the first aspect, the backup request packet may be generated by the second administrator lock and generating the backup request packet may include: and acquiring an initial backup request packet which is generated by the first administrator lock and contains a first administrator lock ID, and sending the initial backup request packet to the second administrator lock to acquire the backup request packet generated by the second administrator lock.
In the method for backing up an administrator lock of an encryption machine according to the first aspect, obtaining the initial backup request packet generated by the first administrator lock may further include obtaining the initial backup request packet including the first administrator lock ID generated by the first administrator lock and a first administrator lock certificate chain.
In the method of backing up an administrator lock of an encryption machine according to the first aspect, sending the initial backup request packet to the second administrator lock to obtain the backup request packet generated by the second administrator lock may include sending the initial backup request packet and a first administrator lock certificate chain to the second administrator lock to obtain the backup request packet including the first administrator lock ID and the second administrator lock ID and a second administrator lock certificate chain generated by the second administrator lock successfully verifying the first administrator lock certificate chain.
In the method for backing up an administrator lock of an encryption machine according to the first aspect, sending a backup request packet including a first administrator lock ID and a second administrator lock ID to the cloud may include sending the backup request packet and a second administrator lock certificate chain to the cloud.
In the method for backing up an administrator lock of an encryption machine according to the first aspect, the verifying of the backup request packet by the cloud may include the cloud verifying a second administrator lock certificate chain.
In the method for backing up an administrator lock of a crypto machine according to the first aspect, the crypto machine may further include an encryption module, and the administrator lock core data may include: a user ID, a seed code for generating an application key, and a seed code for generating a symmetric key for encryption that the encryption module shares with the administrator lock and a key for computing a message authentication code that the encryption module shares with the administrator lock.
In the method of backing up an administrator lock of an encryption machine according to the first aspect, sending the second backup command packet to the first administrator lock to put the first administrator lock in a ready state may include the first administrator lock decrypting the second backup command packet and verifying a signature.
According to a second aspect of the present disclosure, there is provided an encryption apparatus device that may include: a first interface to communicatively couple with at least one first administrator lock in a factory state; a second interface to communicatively couple with a second administrator lock in a ready state; a memory having computer program instructions stored therein; a processor configured to implement the method of the first aspect described above when executing computer program instructions.
According to a third aspect of the present disclosure, a method for backing up a lock of an administrator of a crypto engine is provided, which may include: the method comprises the steps of receiving a backup request packet from a first administrator lock in a factory leaving state, wherein the backup request packet comprises a first administrator lock ID, sending the backup request packet to a second administrator lock in a ready state, receiving a backup command packet from the second administrator lock, wherein the backup command packet is generated according to the backup request packet after the backup request packet is successfully verified, the backup command packet comprises the first administrator lock ID, the second administrator lock ID and administrator lock core data, sending the backup command packet to the first administrator lock to enable the first administrator lock to be in the ready state, and storing the administrator lock core data in the first administrator lock in the ready state.
In the method for backing up an administrator lock of a crypto machine according to the third aspect, the crypto machine may further include an encryption module, and the administrator lock core data may include: a user ID, a seed code for generating an application key, and a seed code for generating a symmetric key for encryption that the encryption module shares with the administrator lock and a key for computing a message authentication code that the encryption module shares with the administrator lock.
In the method of backing up an administrator lock of an encryption machine according to the third aspect, sending the backup command packet to the first administrator lock to put the first administrator lock in a ready state may include the first administrator lock decrypting the backup command packet and verifying a signature.
According to a fourth aspect of the present disclosure, there is provided an encryption apparatus device that may include: a first interface to communicatively couple with at least one first administrator lock in a factory state; a second interface to communicatively couple with a second administrator lock in a ready state; a memory having computer program instructions stored therein; a processor configured to implement the method of the third aspect when executing the computer program instructions.
According to another aspect of the present disclosure, a non-transitory computer-readable storage medium may be provided, in which computer program instructions may be stored, which, when executed, enable implementation of the steps of the method described in the above embodiments.
According to the embodiments of the schemes, the invention can perform redundancy backup on the existing administrator of the encryption machine in a safe manner, the administrator lock in the factory state and the administrator lock to be backed up in the ready state are used for backup, and the administrator lock in the factory state after backup is also in the ready state, namely the ready state. In this way, in the case that the existing administrator lock in the ready state is damaged, lost or in an unavailable state for other reasons, the backup administrator lock can be used instead of the original administrator lock.
Drawings
These and other aspects of the disclosure, as well as the above and other objects, advantages and features, will become apparent from the following description of the embodiments with reference to the accompanying drawings, in which:
FIG. 1 is a block diagram showing the constituent components of an encryptor device architecture according to an embodiment of the present disclosure;
FIG. 2 is a diagram illustrating a certificate chain architecture including an administrator lock certificate chain in accordance with an embodiment of the present disclosure;
FIG. 3 is a flowchart of steps of a method for backing up an encryption engine administrator lock, according to another embodiment of the present disclosure;
FIG. 4 is a flowchart of steps of a method for backing up an encryption engine administrator lock, according to yet another embodiment of the present disclosure.
Detailed Description
According to various embodiments of the present disclosure, a method for backing up an administrator lock for use on an encryption machine is described, as well as an encryption machine apparatus. The administrator lock in the factory state (hereinafter, simply referred to as a factory administrator lock) is put in a ready state, which is a state that can be used, by performing a series of operations on the administrator lock in the factory state (hereinafter, simply referred to as a factory administrator lock). In an embodiment, the copying process can be completed by means of a cloud, and the cloud verifies the action of the operation process by using an administrator lock certificate chain to ensure that the backup process is safe and effective.
The embodiments and figures presented herein illustrate various principles of the invention. It will be appreciated that those skilled in the art will be able to devise various arrangements and implementations that, although not explicitly described or shown herein, embody the principles of the invention and are included within the scope of the disclosure. In addition, the various embodiments described herein are not necessarily mutually exclusive, but rather the various embodiments can be combined to produce further embodiments incorporating the principles of the present invention.
Fig. 1 is a block diagram of the constituent components of the architecture of an encryptor device 10. In at least some embodiments, the encryptor device 10 includes a memory 101, a processor 102, an encryption module 103, a user interface 104 and a built-in management tool 105. The application aspects of the encryptor device 10 are mainly password protection/verification and data encryption/decryption, which use two different service keys in the encryption module.
In one embodiment, memory 101 is used to store operating system, other applications, and program data and application data used during operation of the operating system and applications, such as built-in management tool 105. The processor 102 is used to perform various processes that need to be performed in the encryption engine. In various embodiments, processor 102 may include one or more processing cores or processing units.
The encryption module 103 is a secure chip in the encryptor device 10, and is a main cryptographic operation unit. The encryption module 103 stores data such as core service keys and seed codes, the service keys are invisible to the outside, and all cryptographic operations related to services are completed inside the encryption module 103, so that the data security is ensured to the maximum extent. Generally, to improve performance, one encryptor device 10 may have multiple encryption modules 103 embedded therein.
In an embodiment, the user interface 104 may be an interface for inserting an administrator lock equipped for the encryption equipment device 10, and may include a first interface 1041 and a second interface 1042 for plugging a first administrator lock 1001 in a factory state and an administrator lock 1002 in a ready state, respectively. In other embodiments, the user interface 104 may also include more than two interfaces for other purposes, and the disclosure is not limited in the number of interfaces.
The built-in management tool 105 may be an internal module of the encryption device 10, and the built-in management tool 105 may be an application program implemented by software, and mainly provides the following functions: registration initialization, management functions (copy administrator lock, system settings), key recovery, and the like of the encryptor device 10. In other embodiments, the built-in management tool 105 may also be implemented by firmware.
Normally, one encryption equipment 10 is equipped with several administrator locks, which are also a kind of security chip in nature and represent the identity of the administrator, and when the equipment is managed, the identity of the administrator needs to be authenticated for security.
Generally, each administrator can configure an administrator lock corresponding to the administrator lock, and if the administrator lock of the administrator needs to be returned to the factory and re-bound with the device and initialized due to loss or damage, the administrator lock is troublesome for the administrator to use, and the work of the administrator is likely to be affected. For this purpose, redundant backup of the administrator lock may be implemented by copying one or more administrator locks in the factory state into exactly the same lock as the original administrator lock through a series of operations for each administrator based on his/her original administrator lock.
During backup, two administrator locks may be inserted into the encryption equipment 10, one is an administrator lock in a factory state, and the other is an administrator lock ready to be copied; the factory administrator lock can send a request packet to the ready administrator lock, and then the ready administrator lock can extract information and send a request to the cloud; the cloud end receives the request and sends a command for verification and backup, and a ready administrator lock generates a backup package; then, the factory lock performs related data copying, the built-in management tool 105 can send related factory information to the cloud and store the related factory information, and finally, success of copying is prompted. Similarly, more than two administrator locks may be inserted into the encryption device 10, one of the administrator locks is an administrator lock ready to be copied, and the other two or more administrator locks are administrator locks in a factory state.
FIG. 2 is a diagram illustrating a certificate chain architecture including an administrator lock certificate chain according to an embodiment of the present disclosure. As shown in FIG. 2, each link may constitute a chain of valid certificates, e.g., a root CA certificate, a device CA certificate, and an administrator lock public key certificate may constitute a chain of administrator lock public key certificates. In addition, the root CA certificate, the device CA certificate, and the cryptographic module public key certificate may form a cryptographic module public key certificate chain. In addition, the root CA certificate, the system CA certificate and the engineering mode control lock public key certificate can form an engineering mode control lock public key certificate chain.
According to other embodiments of the present disclosure, a first backup request package may be generated by a factory administrator lock, the first backup request package including information such as an administrator lock ID, and the first backup request package may be signed using an administrator lock private key. The factory administrator lock may send the first backup request packet and the factory administrator lock certificate chain to the ready administrator lock through the built-in management tool 105. The ready administrator lock is stored with a root certificate, the root certificate is used for verifying the certificate chain of the factory administrator lock, and after the verification is passed, the public key in the public key certificate of the factory administrator lock can be used for verifying the signature of the first backup request packet; and after the verification and the signing pass, the ready administrator lock generates a second backup request packet which comprises information such as a factory lock ID and a ready lock ID, and the second backup request packet can be signed by using a ready administrator lock private key.
The built-in management tool 105 may send the second backup request package and the certificate chain of the ready administrator lock to the cloud. The cloud end can store a root certificate, the root certificate is used for verifying a certificate chain of the ready administrator lock, a public key of the ready administrator lock is used for checking the signature after the verification is passed, and a first backup command packet is generated after the signature is checked to be passed and contains ID information of the factory administrator lock and the ready administrator lock; the first backup command packet is signed by a cloud server private key and can also be encrypted by a ready administrator public key.
The cloud end can send the first backup command packet and the certificate chain of the cloud end server to the built-in management tool 105, the built-in management tool 105 can send the first backup command packet to the ready administrator lock, the ready administrator lock decrypts the first backup command packet by using the private key of the ready administrator lock, then the cloud end service certificate chain is verified by using the root certificate preset by the ready administrator lock, after the verification is passed, the signature in the first backup command packet is verified by using the certificate chain, after the verification is passed, the first backup command packet is analyzed to obtain the delivery administrator lock ID and the ready administrator lock ID, and the ready administrator lock compares whether the ready administrator lock ID in the first backup command packet is equal to the ID of the ready administrator lock ID, and if the two IDs are not equal, the command packet 1 is illegal; if equal, the ready administrator lock may generate a second backup command packet, which may contain core data, such as a user ID, a cryptographic module group ID, a seed code (KeySeed) for generating an application key, seed codes (Kseed) for generating Kenc and Kmac, a factory administrator lock ID, where Kenc is a symmetric key shared by the cryptographic module and the administrator lock for encryption, and Kmac is a key shared by the cryptographic module and the administrator lock for calculating a message authentication code. The ready administrator lock signs the second backup command packet by using the ready administrator lock private key, and sends the ciphertext of the second backup command packet to the factory administrator lock after the second backup command packet is encrypted by using the factory administrator lock public key certificate. The factory administrator lock decrypts the second backup command packet by using a factory administrator lock private key, verifies a ready administrator lock certificate chain by using a root certificate preset by the factory administrator lock, verifies a signature in the second backup command packet by using the ready administrator lock certificate chain after the verification is passed, verifies whether the factory administrator lock ID in the second backup command packet is equal to the self ID after the verification of the signature is passed, stores the administrator lock core data comprising the user ID, the encryption module group ID, the KeySeed, the Kseed and the like in the administrator lock if the factory administrator lock ID in the second backup command packet is equal to the self ID, executes initialization operations of generating the Kenc, the Kmac and the like, and enters a ready state after the initialization is completed.
FIG. 3 is a flow diagram of steps in a method for backing up an encryption engine administrator lock according to another embodiment of the present disclosure.
According to this embodiment, an administrator may initiate a copy process through the built-in management tool 105; the built-in management tool 105 checks whether two administrator locks have been inserted. If not, prompting the administrator, and rechecking after the administrator confirms. Then, the built-in management tool 105 may acquire the status of each administrator lock, and check whether one administrator lock is in a factory state and one lock is in a ready state. If not, prompting an error, and ending the process; otherwise, the built-in management tool 105 executes the backup request subprotocol, which may cause the ready state administrator lock to enter the backup mode.
According to the embodiment of the invention, the method for backing up the lock of the administrator of the encryption machine can comprise the following steps:
step S310: sending a backup request packet to the cloud, wherein the backup request packet comprises a first administrator lock ID of a first administrator lock 1001 in a factory state and a second administrator lock ID of a second administrator lock 1002 in a ready state;
step S320: receiving a first backup command packet which is generated according to the backup request packet after the backup request packet is successfully verified from the cloud, wherein the first backup command packet comprises a first administrator lock ID and a second administrator lock ID;
step S330: sending the first backup command package to second administrator lock 1002 and receiving a second backup command package generated by second administrator lock 1002 that contains the first administrator lock ID, the second administrator lock ID, and administrator lock core data; and
step S340: the second backup command packet is sent to the first administrator lock 1001 to place the first administrator lock 1001 in a ready state in which the administrator lock core data is stored in the first administrator lock 1001.
According to the embodiment of the disclosure, the backup process of the administrator lock of the encryption machine can be completed by means of the management service of the cloud, and the cloud can verify the validity of the operation by utilizing the certificate chain so as to ensure safety. According to one embodiment, after the first administrator lock 1001 is in the ready state, a hash value of the initialization data may be calculated and returned; the built-in management tool 105 may return administrator lock information and a hash value of the initialization data to the cloud management service. The cloud management service may save the hash value of the initialization information, and then the built-in management tool 105 may prompt the administrator that the lock copy is successful.
According to one embodiment, the backup request package may be generated by second administrator lock 1002 and generating the backup request package may include: obtain an initial backup request package generated by first administrator lock 1001 containing a first administrator lock ID, and send the initial backup request package to second administrator lock 1002 to obtain a backup request package generated by second administrator lock 1002.
According to one embodiment, obtaining the initial backup request package generated by the first administrator lock 1001 may further include obtaining the initial backup request package generated by the first administrator lock 1001 that includes the first administrator lock ID and the first administrator lock certificate chain.
According to an embodiment of the present disclosure, sending the initial backup request packet to second administrator lock 1002 to obtain the backup request packet generated by the second administrator lock may include sending the initial backup request packet and the first administrator lock certificate chain to second administrator lock 1002 to obtain the backup request packet containing the first administrator lock ID and the second administrator lock certificate chain generated by second administrator lock 1002 upon successful verification of the first administrator lock certificate chain.
According to an embodiment of the present disclosure, sending the backup request packet including the first administrator lock ID and the second administrator lock ID to the cloud may include sending the backup request packet and the second administrator lock certificate chain to the cloud. According to one embodiment, the cloud verifying the backup request packet includes the cloud verifying the second administrator lock certificate chain.
According to an embodiment of the present disclosure, the administrator lock core data may include: a user ID, a seed code for generating an application key, and a seed code for generating a symmetric key for encryption that the encryption module 103 shares with the administrator locks 1001 and 1002, and a key for calculating a message authentication code that the encryption module 103 shares with the administrator locks 1001 and 1002.
According to an embodiment of the present disclosure, the administrator lock core data may include: a user ID, a seed code KeySeed for generating an application key, and a seed code Kseed for generating Kenc, which is a symmetric key for encryption shared by the encryption module 103 and the administrator locks 1001 and 1002, and Kmac, which is a seed code of a key shared by the encryption module 103 and the administrator locks 1001 and 1002 for calculating a message authentication code.
According to embodiments of the present disclosure, the second backup command package may be sent to the first administrator lock to place the first administrator lock in a ready state including the first administrator lock 1001 may decrypt the second backup command package and verify the signature.
According to an embodiment of the present invention, there is provided an encryptor device 10, the encryptor device 10 may include: a first interface 1041 for communicatively coupling with at least one first administrator lock in a factory state; a second interface 1042 for communicatively coupling with a second administrator lock in a ready state; a memory 101 having computer program instructions stored therein; the processor 102, when executing the computer program instructions, is configured to implement the methods described in the above embodiments.
Fig. 4 is a flowchart of steps of a method for backing up a crypto-administrator lock of the crypto device 10 according to yet another embodiment of the present disclosure.
According to this embodiment, an administrator may initiate a copy process through the built-in management tool 105; the built-in management tool 105 checks whether two administrator locks have been inserted. If not, prompting the administrator, and rechecking after the administrator confirms. Then, the built-in management tool 105 may acquire the status of each administrator lock, and check whether one administrator lock is in a factory state and one lock is in a ready state. If not, prompting an error, and ending the process; otherwise, the built-in management tool 105 executes the backup request subprotocol, which may cause the ready state administrator lock to enter the backup mode.
According to the embodiment of the present invention, the built-in management tool 105 may call the ready state administrator lock to generate a backup command packet, where the backup command packet may include information such as a factory state administrator lock ID, a user ID, an encryption module group ID, KeySeed, and Kseed, and the backup command packet may be signed by using the ready state administrator lock certificate and then may be encrypted by using the factory state administrator lock certificate.
Then, the built-in management tool 105 may send the backup command packet to the factory state administrator lock, the factory state administrator lock decrypts the backup command packet and verifies the signature, and after the verification is passed, checks whether the administrator lock IDs match, and stores the user ID, the cryptographic module group ID, the KeySeed, and the Kseed in the lock.
According to this embodiment of the present invention, the method of backing up the crypto manager lock of the crypto device 10 may include the steps of:
step S410: receiving a backup request packet from a first administrator lock 1001 in a factory state, wherein the backup request packet includes a first administrator lock ID;
step S420: send the backup request package to the second administrator lock 1002 that is in a ready state;
step S430: receiving a backup command packet from the second administrator lock 1002 that is generated from the backup request packet by successfully verifying the backup request packet, the backup command packet including a first administrator lock ID, a second administrator lock ID, and administrator lock core data;
step S440: the backup command package is sent to the first administrator lock 1001 to put the first administrator lock in a ready state in which the first administrator lock 1001 has the administrator lock core data stored therein.
According to the embodiment, the backup of the administrator lock of the encryption machine can be completed without the help of cloud management service, and the administrator lock to be copied is used for generating the backup command packet.
According to one embodiment, after the first administrator lock 1001 is in the ready state, a hash value of the initialization data may be calculated and returned; the built-in management tool 105 may return administrator lock information and a hash value of the initialization data to the cloud management service. The cloud management service may save the hash value of the initialization information, and then the built-in management tool 105 may prompt the administrator that the lock copy is successful.
According to an embodiment of the present disclosure, the administrator lock core data may include: a user ID, a seed code for generating an application key, and a seed code for generating a symmetric key for encryption that the encryption module 103 shares with the administrator locks 1001 and 1002, and a key for calculating a message authentication code that the encryption module 103 shares with the administrator locks 1001 and 1002.
According to embodiments of the present disclosure, the sending of the backup command package to the first administrator lock 1001 such that the first administrator lock 1001 is in the ready state may include the first administrator lock 1001 may decrypt the backup command package and verify the signature.
An embodiment of the present invention further provides an encryption apparatus 10, where the encryption apparatus 10 may include: a first interface 1041 for communicatively coupling with at least one first administrator lock in a factory state; a second interface 1042 for communicatively coupling with a second administrator lock in a ready state; a memory 101 having computer program instructions stored therein; the processor 102, when executing the computer program instructions, is configured to implement the methods described in the above embodiments.
The flow diagrams illustrated herein provide examples of sequences of various process actions. Although shown in a particular order or sequence, the order of the acts may be modified unless otherwise indicated. Thus, the illustrated embodiments are provided for illustrative purposes only, the processes may be performed in a different order, and some of the processes may be performed in parallel. In addition, one or more steps may be omitted as desired in various embodiments.
The software of the embodiments described herein may be provided via a computer-readable storage medium or any article of manufacture in which software content is stored, or via a communications interface. The computer-readable storage media may cause a machine to perform the described functions or operations, including any mechanism for storing program modules or data content in a form accessible by a computing device, such as read-only memory, random-access memory, magnetic disk storage media, optical disk storage media, flash memory devices, and so forth. A communication interface includes any mechanism for interfacing with any of a hardwired, wireless, optical, etc. medium to communicate with another device, such as a memory bus interface, a processor bus interface, an internet connection, a disk controller, etc.
The various components described herein may be modules for performing the described operations or functions. Each component described herein includes software, hardware, firmware, or a combination thereof. These components may be implemented as software modules, hardware modules, dedicated hardware (e.g., application specific integrated circuits, digital signal processors, etc.), embedded controllers, etc.
References in the specification to "one embodiment," "an embodiment," "various embodiments," etc., indicate that the embodiment described may include a particular feature or structure. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature or structure is described in connection with an embodiment, it is submitted that it is within the knowledge and skill of one skilled in the art to effect such feature or structure in connection with other embodiments whether or not explicitly described.
Various modifications, in addition to those described herein, may be made to the disclosed embodiments without departing from the scope of the present disclosure. Accordingly, the specification and examples herein are to be regarded in an illustrative rather than a restrictive sense. The scope of the present disclosure should be limited only by reference to the appended claims, along with the equivalents thereof, and arrangements of the same.
Claims (17)
1. A method of backing up an encryptor administrator lock, the method comprising:
sending a backup request packet to a cloud, the backup request packet including a first administrator lock ID of a first administrator lock in a factory state and a second administrator lock ID of a second administrator lock in a ready state,
receiving a first backup command packet from a cloud, wherein the first backup command packet is generated according to the backup request packet after the backup request packet is successfully verified, the first backup command packet comprises a first administrator lock ID and a second administrator lock ID,
sending the first backup command packet to a second administrator lock and receiving a second backup command packet generated by the second administrator lock that includes the first administrator lock ID, the second administrator lock ID, and administrator lock core data,
and sending a second backup command packet to a first administrator lock to enable the first administrator lock to be in a ready state, wherein the first administrator lock stores the administrator lock core data in the ready state.
2. The method of claim 1, wherein the backup request package is generated by the second administrator lock and generating the backup request package comprises:
obtain an initial backup request packet generated by the first administrator lock that includes a first administrator lock ID,
sending the initial backup request package to the second administrator lock to obtain a backup request package generated by the second administrator lock.
3. The method of claim 2, wherein obtaining the initial backup request package generated by the first administrator lock further comprises obtaining the initial backup request package generated by the first administrator lock that includes a first administrator lock ID and a first administrator lock certificate chain.
4. The method of claim 2 or 3, wherein sending the initial backup request packet to the second administrator lock to obtain the backup request packet generated by the second administrator lock comprises sending the initial backup request packet and a first administrator lock certificate chain to the second administrator lock to obtain the backup request packet including the first administrator lock ID and a second administrator lock certificate chain generated by the second administrator lock successfully authenticated to the first administrator lock certificate chain.
5. The method of any of claims 1-3, wherein sending the backup request package including the first administrator lock ID and the second administrator lock ID to the cloud comprises sending the backup request package and the second administrator lock certificate chain to the cloud.
6. The method of claim 4, wherein sending a backup request package including the first administrator lock ID and the second administrator lock ID to the cloud comprises sending the backup request package and the second administrator lock certificate chain to the cloud.
7. The method of any of claims 1 to 3, wherein cloud authentication of the backup request package comprises the cloud authenticating a second administrator lock certificate chain.
8. The method of claim 4, wherein cloud authentication of the backup request package comprises the cloud authenticating a second administrator lock certificate chain.
9. The method of claim 5, wherein cloud authentication of the backup request package comprises the cloud authenticating a second administrator lock certificate chain.
10. The method of claim 6, wherein cloud authentication of the backup request package comprises the cloud authenticating a second administrator lock certificate chain.
11. The method of claim 1, wherein the encryption machine further comprises an encryption module, the administrator lock core data comprising: a user ID, a seed code for generating an application key, and a seed code for generating a symmetric key for encryption that the encryption module shares with the administrator lock and a key for computing a message authentication code that the encryption module shares with the administrator lock.
12. The method of claim 1, wherein sending a second backup command package to a first administrator lock to put the first administrator lock in a ready state comprises the first administrator lock decrypting the second backup command package and verifying a signature.
13. An encryptor device comprising:
a first interface to communicatively couple with at least one first administrator lock in a factory state;
a second interface to communicatively couple with a second administrator lock in a ready state;
a memory having computer program instructions stored therein;
a processor configured to implement the method of any one of claims 1 to 12 when executing computer program instructions.
14. A method of backing up an encryptor administrator lock, the method comprising:
receiving a backup request packet from a first administrator lock in a factory state, the backup request packet including a first administrator lock ID,
sending the backup request package to a second administrator lock in a ready state,
receiving a backup command packet from a second administrator lock generated from a backup request packet via successful authentication of the backup request packet, the backup command packet including a first administrator lock ID, a second administrator lock ID, and administrator lock core data,
and sending a backup command packet to a first administrator lock to enable the first administrator lock to be in a ready state, wherein the first administrator lock stores the administrator lock core data in the ready state.
15. The method of claim 14, wherein the encryption machine further comprises an encryption module, the administrator lock core data comprising: a user ID, a seed code for generating an application key, and a seed code for generating a symmetric key for encryption that the encryption module shares with the administrator lock and a key for computing a message authentication code that the encryption module shares with the administrator lock.
16. The method of claim 14, wherein sending a backup command package to a first administrator lock to put the first administrator lock in a ready state comprises the first administrator lock decrypting the backup command package and verifying a signature.
17. An encryptor device comprising:
a first interface to communicatively couple with at least one first administrator lock in a factory state;
a second interface to communicatively couple with a second administrator lock in a ready state;
a memory having computer program instructions stored therein;
a processor configured, when executing computer program instructions, to implement the method of any of claims 14 to 16.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910135319.8A CN109951319B (en) | 2019-02-22 | 2019-02-22 | Method for backing up lock of manager of encryption equipment and encryption equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910135319.8A CN109951319B (en) | 2019-02-22 | 2019-02-22 | Method for backing up lock of manager of encryption equipment and encryption equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109951319A CN109951319A (en) | 2019-06-28 |
| CN109951319B true CN109951319B (en) | 2020-11-13 |
Family
ID=67007984
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910135319.8A Active CN109951319B (en) | 2019-02-22 | 2019-02-22 | Method for backing up lock of manager of encryption equipment and encryption equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109951319B (en) |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2003005247A2 (en) * | 2001-07-06 | 2003-01-16 | Computer Associates Think, Inc. | Systems and methods of information backup |
| GB0308991D0 (en) * | 2003-04-17 | 2003-05-28 | Psion Digital Ltd | A data access replication or communication system comprising a distributed software application |
| CN101639882B (en) * | 2009-08-28 | 2011-09-21 | 华中科技大学 | Database security system based on storage encryption |
| CN101969391B (en) * | 2010-10-27 | 2012-08-01 | 北京邮电大学 | Cloud platform supporting fusion network service and operating method thereof |
| EP3284003B1 (en) * | 2015-04-14 | 2021-02-24 | Gigavation, Inc. | Paravirtualized security threat protection of a computer-driven system with networked devices |
| CN106055978A (en) * | 2016-05-03 | 2016-10-26 | 武珍珍 | Novel computer information safety protection lock |
| CN107221061A (en) * | 2017-06-16 | 2017-09-29 | 北京摇光智能科技有限公司 | A kind of cipher management method of smart lock |
| CN109286502B (en) * | 2018-11-13 | 2021-06-11 | 北京深思数盾科技股份有限公司 | Method for recovering manager lock of encryption machine and encryption machine |
-
2019
- 2019-02-22 CN CN201910135319.8A patent/CN109951319B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN109951319A (en) | 2019-06-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112000975B (en) | Key management system | |
| CN102508791B (en) | Method and device for encrypting hard disk partition | |
| JP4410821B2 (en) | Verifying the binding of the initial trusted device to the protected processing system | |
| CN110990827A (en) | Identity information verification method, server and storage medium | |
| CN110688660B (en) | Method and device for safely starting terminal and storage medium | |
| CN106452764B (en) | Method for automatically updating identification private key and password system | |
| CN105915338B (en) | Generate the method and system of key | |
| US11831753B2 (en) | Secure distributed key management system | |
| CN106936588B (en) | Hosting method, device and system of hardware control lock | |
| CN109981562B (en) | Software development kit authorization method and device | |
| KR20140126787A (en) | Puf-based hardware device for providing one time password, and method for 2-factor authenticating using thereof | |
| US20140006781A1 (en) | Encapsulating the complexity of cryptographic authentication in black-boxes | |
| CN107920052B (en) | Encryption method and intelligent device | |
| CN103138939A (en) | Secret key use time management method based on credible platform module under cloud storage mode | |
| KR102137122B1 (en) | Security check method, device, terminal and server | |
| CN110414248B (en) | Method for debugging microprocessor and microprocessor | |
| CN109286502B (en) | Method for recovering manager lock of encryption machine and encryption machine | |
| CN111159656A (en) | Method, device, equipment and storage medium for preventing software from being used without authorization | |
| CN110362984B (en) | Method and device for operating service system by multiple devices | |
| JP2007280393A (en) | Device and method for controlling computer login | |
| CN110445774B (en) | Security protection method, device and equipment for IoT (Internet of things) equipment | |
| JP2014022920A (en) | Electronic signature system, electronic signature method, and electronic signature program | |
| CN109951319B (en) | Method for backing up lock of manager of encryption equipment and encryption equipment | |
| CN104899480A (en) | Software copyright protection and management method based on combined public key identity authentication technology | |
| US11601285B2 (en) | Securely authorizing service level access to a backup system using a specialized access key |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CP01 | Change in the name or title of a patent holder | ||
| CP01 | Change in the name or title of a patent holder |
Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing Patentee after: Beijing Shendun Technology Co.,Ltd. Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd. |