CN109981612B - Method and system for preventing cipher machine equipment from being illegally copied and cipher machine equipment - Google Patents

Info

Publication number: CN109981612B
Authority: CN (China)
Prior art keywords: user, key, cipher machine, encryption module, cryptographic
Legal status: Active
Application number: CN201910180758.0A
Other languages: Chinese (zh)
Other versions: CN109981612A
Inventors: 孙吉平, 陈文静
Current Assignee: Beijing Wikipedia Technology Co Ltd
Original Assignee: Beijing Wikipedia Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention discloses a method and a system for preventing cipher machine equipment from being illegally copied, and the cipher machine equipment. The method comprises the following steps: obtaining a registration command packet from a cloud server through a management module in a first cipher machine device, and writing a first user ID, which is carried in the registration command packet and corresponds to the first cipher machine device, into an encryption module in the first cipher machine device; and, before a second cipher machine device is copied to the first cipher machine device, verifying first verification data through the encryption module based on the first user ID, allowing the copying when the verification result shows that the first user ID is the same as the second user ID, and prohibiting the copying otherwise. The invention can effectively prevent the illegal copying of cipher machine equipment.

Description

Method and system for preventing cipher machine equipment from being illegally copied and cipher machine equipment
Technical Field
The invention relates to the technical field of information security, in particular to a method and a system for preventing cipher machine equipment from being illegally copied and the cipher machine equipment.
Background
The server cipher machine equipment has the functions of data encryption and decryption, signature verification, MAC, hashing and the like, so that the security problems of confidentiality, integrity, effectiveness, non-repudiation and the like of sensitive information can be solved for a user. During the use process, the server cipher machine device utilizes an administrator lock to manage the device, such as administrator identity authentication, or utilizes the administrator lock to complete the operations of initialization, key recovery and the like of the device.
Further, in order to meet the requirement of service expansion, the server cryptographic machine device also supports horizontal expansion, that is, the server cryptographic machine device with the same core data can be copied by using an administrator lock and using an existing server cryptographic machine device as a template, so as to implement load balancing or distributed deployment.
However, since the administrator lock may be stolen or lost, an authentication means is needed to solve the problem of illegal copying of the server crypto machine device.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a method and a system for preventing illegal copying of a cryptographic machine device, and a cryptographic machine device, which can effectively prevent illegal copying of the cryptographic machine device.
One aspect of the present invention provides a method for preventing illegal copying of a cryptographic machine device, applied to a first cryptographic machine device, the method comprising: obtaining a registration command packet from a cloud server through a management module in the first cipher machine device, and writing a first user ID, which is carried in the registration command packet and corresponds to the first cipher machine device, into an encryption module in the first cipher machine device; and, before a second cipher machine device is copied to the first cipher machine device, verifying first verification data through the encryption module based on the first user ID, allowing the copying when the verification result shows that the first user ID is the same as the second user ID, and prohibiting the copying otherwise, wherein the first verification data is generated by the administrator lock of the second cipher machine device based on the second user ID corresponding to the second cipher machine device.
In one embodiment of the invention, before the second cryptographic engine device is copied to the first cryptographic engine device, the method further comprises: the encryption module obtains a seed code from the administrator lock of the second cryptographic machine device. Correspondingly, verifying the first verification data through the encryption module based on the first user ID includes: verifying the first verification data through the encryption module based on the first user ID and the seed code, wherein the first verification data is generated by the administrator lock of the second cipher machine device based on the second user ID and the seed code.
In one embodiment of the present invention, the encryption module obtains the seed code from an administrator lock of the second cryptographic engine device, including: the encryption module obtains a seed code ciphertext and a key ciphertext from an administrator lock of the second cryptographic apparatus, the seed code ciphertext is generated by the administrator lock encrypting data including the seed code by using the first symmetric key, and the key ciphertext is generated by the administrator lock encrypting the first symmetric key by using a public key of the encryption module.
In one embodiment of the invention, the encryption module further obtains a first digital signature from an administrator lock of the second cryptographic engine device, and verifies the first digital signature based on the seed code using a public key of the administrator lock.
In an embodiment of the present invention, before obtaining the registration command packet from the cloud server through the management module in the cryptographic machine device, the method further includes: the management module sends a registration request packet to the cloud server for verification by the cloud server, wherein the registration request packet comprises a device ID of the first cipher machine device and an encryption chip ID of the encryption module, so that the cloud server can verify a first belonging relationship between the first cipher machine device and the user of the first cipher machine device and a second belonging relationship between the first cipher machine device and the encryption module.
In one embodiment of the invention, the method further comprises: sending the device ID of the first cipher machine device to the administrator lock through the management module. Correspondingly, verifying the first verification data through the encryption module based on the first user ID includes: verifying the first verification data through the encryption module based on the first user ID and the device ID, wherein the first verification data is generated by the administrator lock of the second cipher machine device based on the second user ID and the device ID.
In one embodiment of the present invention, the first verification data includes: a check code that the administrator lock generates for first data using a first key generated based on the second user ID.
In one embodiment of the present invention, the first verification data includes: ciphertext data that the administrator lock generates, after it has generated a check code for the first data using the first key generated based on the second user ID, by encrypting the first data and the check code using a second key generated based on the second user ID.
In one embodiment of the invention, the first data is an application key seed, which is used by the encryption module to generate an application key.
In one embodiment of the invention, the encryption module generates the application key based on the application key seed and at least one of a first user ID, a device ID of the first cryptographic device, and a pre-stored key factor.
In one embodiment of the invention, the first key is generated using a first algorithm based on the second user ID, and the second key is generated using a second algorithm based on the second user ID.
In one embodiment of the invention, the first key is generated using the second user ID and the first key factor, and the second key is generated using the second user ID and the second key factor.
In one embodiment of the invention, the method further comprises: the administrator lock of the second cipher machine device sends a seed code to the encryption module, wherein the first key is generated based on the seed code, the second user ID and the first key factor, and the second key is generated based on the seed code, the second user ID and the second key factor.
In another embodiment of the present invention, the method further comprises: sending the device ID of the first cipher machine device to the administrator lock through the management module, wherein the first key is generated based on the device ID, the second user ID and the first key factor, and the second key is generated based on the device ID, the second user ID and the second key factor.
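How a check code can carry the user-ID comparison without the user ID ever being transmitted, as an added example that is not code from the patent: it folds the seed-code and device-ID variants above into one first-key derivation, and HMAC-SHA256, the key-factor values and every class and function name are assumptions of this sketch. The variant that also encrypts the first data under the second key is not shown.

```python
import hashlib
import hmac

# Constructed key factors: the text only says that key factors exist, not their values.
KEY_FACTOR_1 = b"constructed-first-key-factor"
APP_KEY_FACTOR = b"constructed-app-key-factor"


def _pack(*parts: bytes) -> bytes:
    """Length-prefix each field so (b"ab", b"c") and (b"a", b"bc") cannot collide."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def derive_first_key(kseed: bytes, user_id: bytes, device_id: bytes) -> bytes:
    """First key from seed code, user ID, target device ID and first key factor.
    Using HMAC-SHA256 as the derivation function is an assumption of this example."""
    return hmac.new(kseed, _pack(user_id, device_id, KEY_FACTOR_1), hashlib.sha256).digest()


class AdminLock:
    """Administrator lock of the second (source) device."""

    def __init__(self, user_id: bytes, kseed: bytes):
        self.user_id, self.kseed = user_id, kseed

    def make_verification_data(self, first_data: bytes, target_device_id: bytes):
        """Return (first data, check code); the second user ID itself is never sent."""
        k1 = derive_first_key(self.kseed, self.user_id, target_device_id)
        return first_data, hmac.new(k1, first_data, hashlib.sha256).digest()


class EncryptionModule:
    """Encryption module of the first (target) device."""

    def __init__(self, device_id: bytes):
        self.device_id = device_id
        self.user_id = None       # written from the registration command packet
        self.kseed = None         # copied from the source device's administrator lock
        self.app_key_seed = None  # stored only after the check code verifies

    def accept_copy(self, first_data: bytes, check_code: bytes) -> bool:
        if self.user_id is None or self.kseed is None:
            return False  # unregistered or not bound to a lock: refuse the copy
        k1 = derive_first_key(self.kseed, self.user_id, self.device_id)
        expected = hmac.new(k1, first_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, check_code):  # constant-time comparison
            return False  # user ID, device ID, seed or data differs: copy prohibited
        self.app_key_seed = first_data
        return True

    def application_key(self) -> bytes:
        """Application key from the seed, the user ID and a key factor. The device ID
        is left out here so that every clone of one user derives the same key."""
        if self.app_key_seed is None:
            raise ValueError("no application key seed has been accepted")
        msg = _pack(self.user_id, APP_KEY_FACTOR)
        return hmac.new(self.app_key_seed, msg, hashlib.sha256).digest()


def new_module(device_id: bytes, user_id: bytes, kseed: bytes) -> EncryptionModule:
    """Build a module that has already been registered and bound to a lock."""
    module = EncryptionModule(device_id)
    module.user_id, module.kseed = user_id, kseed
    return module


def run_demo() -> dict:
    kseed = bytes(range(32))                         # constructed seed code
    app_key_seed = b"constructed-application-key-seed"
    lock = AdminLock(b"user-A", kseed)
    data, tag = lock.make_verification_data(app_key_seed, b"device-1")

    source = new_module(b"device-0", b"user-A", kseed)
    source.app_key_seed = app_key_seed               # the template device already holds it
    clone = new_module(b"device-1", b"user-A", kseed)
    return {
        "same_user": clone.accept_copy(data, tag),
        "other_user": new_module(b"device-1", b"user-B", kseed).accept_copy(data, tag),
        "other_device": new_module(b"device-2", b"user-A", kseed).accept_copy(data, tag),
        "tampered": new_module(b"device-1", b"user-A", kseed).accept_copy(data + b"x", tag),
        "unregistered": EncryptionModule(b"device-1").accept_copy(data, tag),
        "same_app_key": clone.application_key() == source.application_key(),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

In this sketch the first data travels in the clear next to its check code, so it gets integrity but no confidentiality; the embodiment that encrypts the first data and the check code under the second key covers that gap.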
Another aspect of the present invention provides a cryptographic engine apparatus comprising: the management module is configured to obtain a registration command packet from the cloud server, and write a first user ID corresponding to the first cipher machine device in the registration command packet into the encryption module; the encryption module is configured to verify first verification data based on a first user ID before copying another cryptographic machine device to the cryptographic machine device, and allow copying when a verification result indicates that the first user ID is the same as a second user ID, otherwise prohibit copying, the first verification data being generated by an administrator lock of the another cryptographic machine device based on the second user ID corresponding to the another cryptographic machine device.
In one embodiment of the present invention, the management module copies the seed code in the administrator lock of the other cryptographic device into the encryption module, and the encryption module verifies the first verification data based on the first user ID and the seed code, where the first verification data is generated by the administrator lock of the other cryptographic device based on the second user ID and the seed code.
In an embodiment of the present invention, the management module sends a registration request packet to the cloud server, so that the cloud server verifies the registration request packet, where the registration request packet includes a device ID of the cryptographic machine device and an encryption chip ID of the encryption module, so that the cloud server verifies a first relationship between the cryptographic machine device and a user thereof and a second relationship between the cryptographic machine device and the encryption module.
In one embodiment of the invention, the management module sends the device ID of the cryptographic device to the administrator lock, and the encryption module verifies first verification data based on the first user ID and the device ID, the first verification data being generated by the administrator lock of another cryptographic device based on the second user ID and the device ID.
Yet another aspect of the present invention provides a system for preventing illegal copying of cryptographic machine devices, comprising: a cryptographic engine apparatus as described above; and a cloud server configured to send the registration command packet to the cipher machine device at the request of the cipher machine device.
According to the technical scheme provided by the embodiment of the invention, a registration command packet is obtained from a cloud server through a management module in first cipher machine equipment, and a first user ID corresponding to the first cipher machine equipment in the registration command packet is written into an encryption module in the first cipher machine equipment; before the second cipher machine equipment is copied to the first cipher machine equipment, the encryption module verifies the first verification data based on the first user ID, when the verification result shows that the first user ID is the same as the second user ID, the copying is allowed, otherwise, the copying is prohibited, and the illegal copying of the cipher machine equipment can be effectively prevented.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
Fig. 1 is a flowchart illustrating a method for preventing illegal copying of a crypto-engine device according to an exemplary embodiment of the present invention.
Fig. 2 is a flowchart illustrating a method of preventing illegal copying of a crypto-engine device according to another exemplary embodiment of the present invention.
Fig. 3 is a block diagram illustrating a cryptographic engine apparatus in accordance with an exemplary embodiment of the present invention.
Fig. 4 is a block diagram illustrating a system for preventing illegal copying of a crypto-engine device according to an exemplary embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the described embodiments of the invention without any inventive step, are within the scope of protection of the invention.
Unless defined otherwise, technical or scientific terms used herein shall have the ordinary meaning as understood by one of ordinary skill in the art to which this invention belongs. The use of "first," "second," and similar terms in the present application do not denote any order, quantity, or importance, but rather the terms are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
To maintain the following description of the present invention clear and concise, detailed descriptions of known functions and components are omitted.
Fig. 1 is a flowchart illustrating a method for preventing illegal copying of a crypto-engine device according to an exemplary embodiment of the present invention. The method of fig. 1 may be performed by a first cryptographic engine device, as shown in fig. 1, the method comprising:
110: Obtain a registration command packet from the cloud server through a management module in the first cipher machine device, and write a first user ID, which is carried in the registration command packet and corresponds to the first cipher machine device, into an encryption module in the first cipher machine device.
In the embodiment of the present invention, when the first cryptographic machine device is to be registered, the management module in the first cryptographic machine device receives a registration command packet sent by the cloud server, and writes a first user ID corresponding to the first cryptographic machine device in the registration command packet into the encryption module in the first cryptographic machine device.
Specifically, the first cryptographic machine device may be a server cryptographic machine device having functions of encryption and decryption, digital signature, identity authentication, random number generation, and the like, and is configured to encrypt and decrypt sensitive service data of the application system.
The first cipher machine device can comprise a management module and an encryption module, wherein the management module is provided with a management program, and the first cipher machine device can be registered, bound, initialized, copied, initialized by a key of an administrator lock and the like through the management program; the encryption module is a security chip integrated with a cryptography algorithm in the first cipher machine device and used for encrypting and decrypting data. Further, the first cryptographic engine device may further include a device identification module, where the device identification module is a security chip integrated with a cryptographic algorithm in the first cryptographic engine device, and is used to identify the identity of the first cryptographic engine device.
The cloud Server, also called as a cloud computing Server or a cloud host, is a host product in a cloud computing service system, and effectively solves the defects of high management difficulty and weak service expansibility in the conventional physical host and Virtual Private Server (VPS) service. Further, the cloud server may be one or more, and is installed with a management program for managing the first cryptographic machine device.
The registration command packet includes, but is not limited to, one or more of the first user ID, the device ID of the device identification module, and the cryptographic chip ID of the cryptographic module, etc. Here, the first user ID may be generated by the first cryptographic engine device prior to sale to the first user; the device ID and the encryption chip ID are unique IDs randomly assigned to the device identification module and the encryption module by the first cryptographic machine device during production, and are used for identifying the device identification module and the encryption module respectively. For example, when a first user orders a predetermined number of cryptographic engine devices, first user IDs are generated for these cryptographic engine devices and stored in the cloud server in association with the device IDs and/or cryptographic chip IDs of the cryptographic engine devices.
120: Before the second cipher machine device is copied to the first cipher machine device, the encryption module verifies the first verification data based on the first user ID; when the verification result shows that the first user ID is the same as the second user ID, the copying is allowed, and otherwise the copying is prohibited. The first verification data is generated by the administrator lock of the second cipher machine device based on the second user ID corresponding to the second cipher machine device.
In the embodiment of the invention, before copying the second cryptographic machine device to the first cryptographic machine device, the first cryptographic machine device verifies the first verification data through the encryption module based on the first user ID, if the verification result shows that the first user ID is the same as the second user ID, the second cryptographic machine device is allowed to be copied to the first cryptographic machine device, and if the verification result shows that the first user ID is different from the second user ID, the second cryptographic machine device is prohibited to be copied to the first cryptographic machine device.
Specifically, the second cryptographic machine device is also a server cryptographic machine device having functions of encryption and decryption, digital signature, identity authentication, random number generation, and the like, and is used for encrypting and decrypting sensitive service data of the application system.
The administrator lock is a hardware key (Key) for managing the first cryptographic machine device or the second cryptographic machine device; to manage either device, the administrator lock is inserted and the management operation is then executed. The administrator lock can generate a key pair, namely a public key and a private key, during production; the public key is stored in the administrator lock certificate and used for signature verification; the private key is stored in the administrator lock and used for signing data.
It should be noted that if the administrator lock of the second cryptographic engine device and the administrator lock of the first cryptographic engine device have the same user ID, it indicates that the second cryptographic engine device and the first cryptographic engine device are purchased by the same user, and therefore, the copy between the second cryptographic engine device and the first cryptographic engine device is allowed, otherwise, the copy between the cryptographic engine devices is prohibited.
According to the technical scheme provided by the embodiment of the invention, a registration command packet is obtained from a cloud server through a management module in first cipher machine equipment, and a first user ID corresponding to the first cipher machine equipment in the registration command packet is written into an encryption module in the first cipher machine equipment; before the second cipher machine equipment is copied to the first cipher machine equipment, the encryption module verifies the first verification data based on the first user ID, when the verification result shows that the first user ID is the same as the second user ID, the copying is allowed, otherwise, the copying is prohibited, and the illegal copying of the cipher machine equipment can be effectively prevented.
In another embodiment of the invention, before the second cryptographic engine device is copied to the first cryptographic engine device, the method further comprises: the encryption module obtains a seed code (kseed) from the administrator lock of the second cryptographic machine device. Correspondingly, verifying the first verification data through the encryption module of the first cryptographic machine device based on the first user ID includes: the encryption module of the first cipher machine device verifies the first verification data based on the first user ID and the seed code, wherein the first verification data is generated by the administrator lock of the second cipher machine device based on the second user ID and the seed code.
Specifically, after the first cryptographic engine device is successfully registered (the registration process will be described in detail later), the first cryptographic engine device copies kseed in the administrator lock of the second cryptographic engine device to the encryption module of the first cryptographic engine device through the management module, so that the encryption module of the first cryptographic engine device and the administrator lock of the second cryptographic engine device are bound. Here, kseed is generated by the administrator lock of the second cryptographic device at initialization and is used to generate the key used for verification.
In an embodiment of the present invention, the process of copying kseed to the encryption module may include, for example: the administrator lock of the second cipher machine device encrypts the seed code kseed using the public key in the certificate of the encryption module of the first cipher machine device to obtain a seed code ciphertext, and sends the seed code ciphertext to the encryption module of the first cipher machine device through the management module of the first cipher machine device. The encryption module of the first cipher machine device decrypts the seed code ciphertext using the private key of the first cipher machine device to obtain the seed code kseed and stores kseed in the encryption module; if decryption fails, the first cipher machine device exits abnormally at once.
In another embodiment of the present invention, the process of copying kseed to the encryption module may include: the administrator lock of the second cipher machine device signs the seed code kseed using the administrator lock private key to obtain a digital signature, encrypts the seed code kseed and its digital signature using the public key in the certificate of the encryption module of the first cipher machine device to obtain a seed code ciphertext, and sends the seed code ciphertext to the encryption module of the first cipher machine device through the management module of the first cipher machine device. The encryption module of the first cipher machine device decrypts the seed code ciphertext using the private key of the first cipher machine device to obtain the seed code kseed and its digital signature, and verifies the digital signature using the administrator lock public key; if decryption and signature verification both succeed, it stores the seed code kseed in the encryption module, and if decryption or signature verification fails, it exits abnormally at once.
In another embodiment of the present invention, the process of copying kseed to the encryption module may include, for example: the administrator lock of the second cipher machine device encrypts the seed code kseed using a temporarily generated or prestored first symmetric key to obtain a seed code ciphertext, encrypts the first symmetric key using the public key in the certificate of the encryption module of the first cipher machine device to obtain a key ciphertext, and sends the seed code ciphertext and the key ciphertext to the encryption module of the first cipher machine device through the management module of the first cipher machine device. The encryption module of the first cipher machine device decrypts the key ciphertext using its private key to obtain the first symmetric key, decrypts the seed code ciphertext using that first symmetric key to obtain the seed code kseed, and stores kseed in the encryption module; if decryption fails, the first cipher machine device exits abnormally at once.
In still another embodiment of the present invention, the process of copying kseed to the encryption module may include, for example: the administrator lock of the second cipher machine device signs kseed using the private key of the administrator lock, generates a temporary first symmetric key, and encrypts kseed and the signature result with a symmetric encryption algorithm, using the first symmetric key as the key, to obtain a first ciphertext C1; then the administrator lock extracts the public key of the encryption module and encrypts the first symmetric key with an asymmetric encryption algorithm, using the public key of the encryption module, to obtain a second ciphertext C2; finally, the administrator lock packages C1, C2 and the administrator lock certificate chain and sends the package to the encryption module of the first cipher machine device through the management module of the first cipher machine device. The encryption module of the first cryptographic machine device then decrypts C2 using its private key to obtain the first symmetric key, decrypts C1 using the first symmetric key to obtain kseed and its digital signature, and verifies the digital signature using the administrator lock public key in the administrator lock certificate; if decryption succeeds and the signature verification passes, it stores kseed in the encryption module, and otherwise it exits abnormally at once. Here, the symmetric encryption algorithm may include, but is not limited to, AES, DES, RC2, RC4, RC5, Blowfish, and the like; asymmetric encryption algorithms may include, but are not limited to, RSA, Elgamal, the knapsack algorithm, Rabin, D-H, Elliptic Curve Cryptography (ECC), and the like.
For example, when the symmetric encryption algorithm is the AES algorithm with a key length of 256 bits (AES-256-ECB), and the asymmetric encryption algorithm is the RSA algorithm with 2048 bits, that is, the RSA2048 algorithm, the decryption and signature verification process of the encryption module may specifically include: the encryption module unpacks the C1, the C2 and the administrator lock certificate chain, verifies the administrator lock certificate chain by using a root certificate, and decrypts the C2 with the RSA2048 algorithm using the encryption module private key to obtain the first symmetric key; further, the encryption module uses the AES-256-ECB algorithm to decrypt the C1 with the first symmetric key as the key to obtain kseed and the signature result; finally, the encryption module extracts the public key of the administrator lock from the administrator lock certificate chain and verifies the signature result over kseed with the RSA2048 algorithm using the public key of the administrator lock. After the verification is passed, the binding between the encryption module of the first cipher machine device and the administrator lock of the second cipher machine device is complete.
After the binding is completed, the administrator lock of the second cryptographic engine device performs a key initialization operation for obtaining the device ID of the first cryptographic engine device from the device identification module of the first cryptographic engine device, so that the administrator lock of the second cryptographic engine device can recalculate the authentication key using the device ID and the like.
In another embodiment of the present invention, before obtaining the registration command packet from the cloud server through the management module in the cryptographic machine device, the method further includes: the management module sends a registration request packet to the cloud server so that the cloud server can verify the registration request packet, wherein the registration request packet comprises a device ID of the first cipher machine device and an encryption chip ID of the encryption module, and therefore the cloud server can verify a first belonging relationship between the first cipher machine device and a user of the first cipher machine device and a second belonging relationship between the first cipher machine device and the encryption module.
Specifically, before using any new first cryptographic engine device, the user needs to register the new first cryptographic engine device, and at this time, the encryption module of the first cryptographic engine device generates a registration request packet, which may include, but is not limited to, the device ID of the first cryptographic engine device and the encryption chip ID of the encryption module. In order to ensure the integrity and privacy of data, before the registration request packet is sent to the cloud server, the first cryptographic machine device may sign the registration request packet through the encryption module, and encrypt the registration request packet using a certificate of the cloud server.
Further, the first cipher machine device sends the registration request packet to the cloud server through the management module; after receiving the registration request packet, the cloud server decrypts and verifies the signature of the registration request packet; and if the decryption is successful and the signature verification is passed, the cloud server verifies a first belonging relationship between the first cipher machine equipment and the user thereof and a second belonging relationship between the first cipher machine equipment and the encryption module.
The purpose of checking the first relationship between the first cryptographic engine device and its user is to verify the identity of the first cryptographic engine device, so that unauthorized copying of the first cryptographic engine device is prevented. The verification process specifically comprises the following steps: the cloud server searches the database, according to prestored record information, for user information corresponding to the device ID of the first cipher machine equipment; if user information corresponding to the device ID of the first cipher machine equipment is found, the first cipher machine equipment belongs to the user and the subsequent process continues; otherwise, the process directly exits abnormally.
The purpose of checking the second relationship between the first cryptographic engine device and the encryption module is to verify whether the first cryptographic engine device and the encryption module are matched, thereby preventing the encryption module from being illegally replaced. The verification process specifically comprises the following steps: the cloud server searches the database, according to prestored record information, for the encryption chip information corresponding to the device ID of the first cipher machine equipment; if encryption chip information corresponding to the device ID of the first cipher machine equipment is found and matches the encryption chip ID in the registration request packet, the first cipher machine equipment is matched with the encryption module, that is, the encryption module has not been illegally replaced, and the subsequent flow continues; otherwise, the process directly exits abnormally.
After the verification is completed, the cloud server generates a registration command packet of the first cipher machine device, and returns the registration command packet to the encryption module of the first cipher machine device. Similarly, in order to ensure the integrity and security of the data, before sending the registration request packet to the encryption module, the cloud server may sign the registration request packet and encrypt the registration request packet using the certificate of the encryption module; after the first cipher machine device receives the registration request packet through the encryption module, the first cipher machine device decrypts and verifies the signature of the registration request packet, if the decryption is successful and the signature verification passes, the device ID of the first cipher machine device is matched with the encryption module, and at the moment, the first user ID corresponding to the first cipher machine device is written into the encryption module in the first cipher machine device, so that the registration of the first cipher machine device is completed.
In another embodiment of the present invention, the method further comprises: the first cryptographic machine device sends the device ID of the first cryptographic machine device to the administrator lock through the management module. Correspondingly, verifying the first verification data based on the first user ID through the encryption module includes: the first cipher machine device verifies, through the encryption module and based on the first user ID and the device ID, the data generated by the administrator lock of the second cipher machine device based on the second user ID and the device ID. In the embodiment of the invention, the first verification data is generated by the administrator lock of the second cipher machine device based on the second user ID corresponding to the second cipher machine device.
In one embodiment of the present invention, the first verification data may include: a check code that the administrator lock generates for the first data using a first key generated based on the second user ID.
Specifically, in this embodiment, the first data may be agreed data stored in the administrator lock of the second cryptographic machine device, where the encryption module or the device identification module of the first cryptographic machine device also stores the agreed data. For example, the first data may be the device ID of the first cryptographic machine device. The first cryptographic machine device may send its device ID to the administrator lock through the management module; the administrator lock generates a first key based on the second user ID, processes the received device ID of the first cryptographic machine device using the first key to generate a check code, and sends the generated check code to the first cryptographic machine device as first check data. The encryption module of the first cryptographic machine device generates a key based on the first user ID using the algorithm that the administrator lock used to generate the first key, processes the device ID of the first cryptographic machine device with the generated key to produce a check code as second check data, and compares the second check data with the first check data received from the administrator lock. If the two check data are consistent, the first user ID is the same as the second user ID. Similarly, the first data may be other agreed data that the first cryptographic engine device has previously sent to the administrator lock of the second cryptographic engine, such as a random number for authentication.
In another embodiment of the present invention, the first verification data may include: ciphertext data that the administrator lock generates by encrypting the first data and the check code using a second key generated based on the second user ID, after the administrator lock has generated the check code for the first data using the first key generated based on the second user ID.
Specifically, in the present embodiment, the first data may be any data stored in the administrator lock. For example, the first data may be a random number for authentication stored in the administrator lock, and the first cryptographic device may or may not have the random number for authentication stored therein. When the random number for verification is also stored in the first cipher machine device, the administrator lock generates a first key based on the second user ID, processes the first data using the first key to generate a check code, generates a second key based on the second user ID, encrypts the first data and the check code using the second key to generate ciphertext data, and sends the generated ciphertext data to the first cipher machine device as the first check data. After receiving the ciphertext data, the first cipher machine device generates a third key and a fourth key based on the first user ID, using the algorithms that the administrator lock used to generate the first key and the second key. It decrypts the ciphertext data using the fourth key to obtain the data and a check code, processes the data using the third key to generate a check code, and compares the generated check code with the check code obtained by decrypting the ciphertext data. If the two check codes are consistent, the first user ID is identical to the second user ID.
In another embodiment of the present invention, the first data may also be data that the administrator lock needs to send to the first cryptographic engine device for use, such as the application key seed, so that when the authentication is passed, the encryption module of the first cryptographic engine may generate the application key kappa using the application key seed.
In the embodiment of the present invention, when the encryption module generates the application key kappa, an arbitrary key generation algorithm may be used, and the application key kappa may be generated based on the application key seed and at least one of the first user ID, the device ID of the first cryptographic device, and the pre-stored key factor.
In one embodiment of the invention, the first key is generated using a first algorithm based on the second user ID, and the second key is generated using a second algorithm based on the second user ID.
Specifically, the administrator lock may use two different key generation algorithms to respectively operate on the second user ID to obtain a first key and a second key that are different from each other. Alternatively, the administrator lock may use one key generation algorithm to operate on data consisting of the second user ID and the device ID to obtain the first key, and another key generation algorithm to operate on data consisting of the second user ID and the device ID to obtain the second key. Correspondingly, the first cryptographic engine device also uses a corresponding algorithm to operate on the first user ID or on data consisting of the first user ID and the device ID to obtain a third key and a fourth key.
In another embodiment of the invention, the first key is generated using the second user ID and the first key factor, and the second key is generated using the second user ID and the second key factor. In the embodiment of the present invention, the first key may be generated by using a predetermined key generation algorithm with the second user ID and the first key factor as parameters, or may be generated by using a predetermined key generation algorithm with the second user ID and the first key factor and other data as parameters, and the same holds true for the second key.
For example, in the case where the administrator lock of the second cryptographic engine device sends the seed code kseed to the cryptographic module of the first cryptographic engine device, the first key may be generated based on the seed code kseed, the second user ID, and the first key factor and using a predetermined key generation algorithm, and the second key may be generated based on the seed code kseed, the second user ID, and the second key factor and using a predetermined key generation algorithm.
For another example, where the device ID of the first cryptographic engine device is sent to the administrator lock, the first key may be generated based on the device ID, the second user ID, and the first key factor and using a predetermined key generation algorithm, and the second key may be generated based on the device ID, the second user ID, and the second key factor and using a predetermined key generation algorithm.
In a specific embodiment of the present invention, when the first data is the application key seed, the first key may be a verification key Kmac, the second key may be a symmetric key Kenc, and the verification key Kmac and the symmetric key Kenc may be generated using the first user ID, the device ID, and the kseed and the key factor. The verification key Kmac is used for generating a verification code for the application key seed keyseed, and the symmetric key Kenc is used for encrypting and decrypting the application key seed keyseed and the verification code thereof.
In the present embodiment, the generation rules of Kenc and Kmac may be, for example:
Kmac = H(user ID || device ID || kseed || fixed seed code 1) (rule 1);
Kenc = H(user ID || device ID || kseed || fixed seed code 2) (rule 2);
wherein H is the SHA512 algorithm, and the first 32 bytes of the operation result are taken as the key; "||" represents data splicing; the fixed seed code 1 is a fixed 32-byte random number which is solidified in the encryption module and the administrator lock and is used as a first key factor to calculate the data verification key; the fixed seed code 2 is a fixed 32-byte random number which is solidified in the encryption module and the administrator lock and is used as a second key factor to calculate the data protection key.
In this embodiment, the generation rule of the application key (kappa) may be, for example:
kappa = H(user ID || keyseed || fixed seed code 3) (rule 3);
wherein the fixed seed code 3 is a fixed 32-byte random number solidified in the security chip and used as a key factor to calculate the application key.
In this embodiment, the encryption and integrity protection rule for the application key seed may be as follows:
AES(Kenc, keyseed || MAC(Kmac, keyseed)) (rule 4)
Wherein, AES is the AES-ECB-256 encryption mode; the MAC is the HMAC-SHA256 algorithm; "||" represents data splicing.
Further, the keyseed result encrypted by using AES in the administrator lock of the second cipher machine device is sent to the encryption module of the first cipher machine device, and the encryption module decrypts the received keyseed ciphertext and verifies its integrity. If the devices belong to the same user (i.e. have the same user ID), the verification passes and keyseed is obtained, and kappa is calculated from keyseed using rule 3 to complete the copying of the device; if the device belongs to a different user, the verification fails and the copy exits abnormally.
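The check-code embodiment described earlier (device ID as the first data), combined with key rules 1 and 3, as an added example in Python that is not code from the patent. The IDs, seed values and class names are constructed for illustration, and using HMAC-SHA256 for the check code is an assumption taken from the MAC named for rule 4.

```python
import hashlib
import hmac

# Constructed stand-ins for the fixed 32-byte random numbers that the page says
# are solidified in the encryption module and the administrator lock.
FIXED_SEED_1 = bytes(range(0, 32))    # first key factor, rule 1 (Kmac)
FIXED_SEED_3 = bytes(range(64, 96))   # key factor for rule 3 (kappa)

# Constructed sample identities and seeds.
USER_A = b"user-A-0001"
USER_B = b"user-B-0002"
DEVICE_2 = b"HSM-DEV-0002"
DEVICE_3 = b"HSM-DEV-0003"
KSEED = bytes([0xA5]) * 32            # seed code copied during binding
KEYSEED = bytes([0x3C]) * 32          # application key seed


def h32(*fields: bytes) -> bytes:
    """H from the page: SHA-512 over the spliced fields, first 32 bytes kept."""
    return hashlib.sha512(b"".join(fields)).digest()[:32]


def derive_kmac(user_id: bytes, device_id: bytes, kseed: bytes) -> bytes:
    """Rule 1: Kmac = H(user ID || device ID || kseed || fixed seed code 1)."""
    return h32(user_id, device_id, kseed, FIXED_SEED_1)


def derive_kappa(user_id: bytes, keyseed: bytes) -> bytes:
    """Rule 3: kappa = H(user ID || keyseed || fixed seed code 3)."""
    return h32(user_id, keyseed, FIXED_SEED_3)


class AdministratorLock:
    """Hardware key of the second (source) device; holds the second user ID."""

    def __init__(self, user_id: bytes, kseed: bytes):
        self.user_id = user_id
        self.kseed = kseed

    def first_check_data(self, device_id: bytes) -> bytes:
        # Check code over the device ID received from the target device.
        kmac = derive_kmac(self.user_id, device_id, self.kseed)
        return hmac.new(kmac, device_id, hashlib.sha256).digest()


class EncryptionModule:
    """Encryption module of the first (target) device, after registration
    wrote its user ID and binding copied kseed into it."""

    def __init__(self, user_id: bytes, device_id: bytes, kseed: bytes):
        self.user_id = user_id
        self.device_id = device_id
        self.kseed = kseed

    def verify(self, first_check_data: bytes) -> bool:
        # Recompute the check code from the module's own user ID; it only
        # matches when the lock derived Kmac from the same user ID.
        kmac = derive_kmac(self.user_id, self.device_id, self.kseed)
        second = hmac.new(kmac, self.device_id, hashlib.sha256).digest()
        # Constant-time comparison; also rejects a wrong-length check code.
        return hmac.compare_digest(second, first_check_data)


def copy_allowed(lock: AdministratorLock, module: EncryptionModule) -> bool:
    """Steps 240-270 of the flow: allow the copy only if the check data verifies."""
    return module.verify(lock.first_check_data(module.device_id))


if __name__ == "__main__":
    lock_a = AdministratorLock(USER_A, KSEED)
    same_user = EncryptionModule(USER_A, DEVICE_2, KSEED)
    other_user = EncryptionModule(USER_B, DEVICE_3, KSEED)
    print("user A lock -> user A device:", copy_allowed(lock_a, same_user))
    print("user A lock -> user B device:", copy_allowed(lock_a, other_user))
```

The second case matches Example 2 of the page: the target module holds the same kseed after binding, but the differing user ID alone makes the derived keys, and so the check codes, disagree.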
All the above-mentioned optional technical solutions can be combined arbitrarily to form the optional embodiments of the present invention, and are not described herein again.
Fig. 2 is a flowchart illustrating a method of preventing illegal copying of a crypto-engine device according to another exemplary embodiment of the present invention. As shown in fig. 2, the method includes:
210: sending a registration request packet to a cloud server through a management module in the first cipher machine device so that the cloud server can verify the registration request packet;
220: obtaining a registration command packet from a cloud server through a management module;
230: writing a first user ID corresponding to the first cipher machine equipment in the registration command packet into an encryption module in the first cipher machine equipment;
240: verifying the first verification data based on the first user ID through the encryption module, wherein the first verification data is generated by an administrator lock of the second cipher machine device based on the second user ID corresponding to the second cipher machine device;
250: judging whether the first user ID is the same as the second user ID;
260: if the first user ID and the second user ID are the same, allowing the second cryptographic engine device to be copied to the first cryptographic engine device;
270: if the first user ID and the second user ID are different, copying of the second cryptographic engine device to the first cryptographic engine device is prohibited.
According to the technical scheme provided by the embodiment of the invention, the management module in the first cipher machine device sends the registration request packet to the cloud server so that the cloud server can verify the registration request packet; obtaining a registration command packet from a cloud server through a management module; writing a first user ID corresponding to the first cipher machine equipment in the registration command packet into an encryption module in the first cipher machine equipment; verifying the first verification data based on the first user ID through an encryption module; judging whether the first user ID is the same as the second user ID; if the first user ID and the second user ID are the same, allowing the copying; if the first user ID is different from the second user ID, the copying is prohibited, and the illegal copying of the cipher machine equipment can be effectively prevented.
The above-described method for preventing illegal copying of a cryptographic machine apparatus will be described in detail below by two specific examples.
Example 1
Assuming that a user a needs to purchase a new cryptographic engine device 1, the device provider first generates a user ID for the user a, and records the user ID, the device ID of the cryptographic engine device 1, and the corresponding cryptographic chip ID to the cloud server.
Then, after purchasing the cipher machine device 1, the user a needs to perform device registration, that is, a registration request packet is generated by the encryption module and sent to the cloud server; the cloud server carries out validity check on the registration request packet, generates a registration command packet after the check is passed, and sends the registration command packet to the encryption module; the encryption module verifies the registration command packet, and records the user ID as a key factor into the encryption module after the verification is passed so as to complete the device registration.
Further, if the user a needs to purchase another new cryptographic machine device 2, the device provider needs to record the user ID, the device ID of the cryptographic machine device 2, and the corresponding encryption chip ID to the cloud server for the user a, and device registration is performed as in the above process. If user a needs to copy the cryptographic engine device 1 to the cryptographic engine device 2, the device copy can be done using the administrator lock of the cryptographic engine device 1: since the cryptographic engine device 2 and the administrator lock of the cryptographic engine device 1 have the same user ID, the same shared key can be generated, i.e. the copy from cryptographic engine device 1 to cryptographic engine device 2 can be completed.
Example 2
Assuming that a user a needs to purchase a new cryptographic engine device 1, the device provider first generates a user ID for the user a, and records the user ID, the device ID of the cryptographic engine device 1, and the corresponding cryptographic chip ID to the cloud server.
Then, after purchasing the cipher machine device 1, the user a needs to perform device registration, that is, a registration request packet is generated by the encryption module and sent to the cloud server; the cloud server carries out validity check on the registration request packet, generates a registration command packet after the check is passed, and sends the registration command packet to the encryption module; the encryption module verifies the registration command packet, and records the user ID as a key factor into the encryption module after the verification is passed so as to complete the device registration.
Further, if the user B needs to purchase a new cryptographic machine device 3, the device provider generates a user ID for the user B, records the user ID, the device ID of the cryptographic machine device 3, and the corresponding encryption chip ID in the cloud server, and performs device registration, as in the above process; if user B obtains the administrator lock of cipher machine apparatus 1 of user a and wishes to copy one cipher machine apparatus 1 through the administrator lock, since the user ID (user ID of user B) written in the encryption module of cipher machine apparatus 3 when user B registers cipher machine apparatus 3 and the user ID (user ID of user a) in the administrator lock of cipher machine apparatus 1 are not consistent, the shared keys respectively generated by the encryption module of cipher machine apparatus 3 and the administrator lock of cipher machine apparatus 1 are not consistent, resulting in apparatus copy failure, i.e. copy from cipher machine apparatus 1 to cipher machine apparatus 3 cannot be completed.
The following are embodiments of the apparatus of the present invention that may be used to perform embodiments of the method of the present invention. For details which are not disclosed in the embodiments of the apparatus of the present invention, reference is made to the embodiments of the method of the present invention.
Fig. 3 is a block diagram illustrating a cryptographic engine apparatus in accordance with an exemplary embodiment of the present invention. As shown in fig. 3, the cipher machine apparatus includes: the management module 310 is configured to obtain a registration command packet from the cloud server, and write a first user ID corresponding to the first cryptographic machine device in the registration command packet into the encryption module 320; the encryption module 320 is configured to, before copying another cryptographic apparatus to the cryptographic apparatus, verify first verification data based on the first user ID, and allow copying when the verification result indicates that the first user ID is the same as the second user ID, otherwise prohibit copying, where the first verification data is generated by an administrator lock of the another cryptographic apparatus based on the second user ID corresponding to the another cryptographic apparatus.
According to the technical scheme provided by the embodiment of the invention, a registration command packet is obtained from a cloud server through a management module in first cipher machine equipment, and a first user ID corresponding to the first cipher machine equipment in the registration command packet is written into an encryption module in the first cipher machine equipment; before the second cipher machine equipment is copied to the first cipher machine equipment, the encryption module verifies the first verification data based on the first user ID, when the verification result shows that the first user ID is the same as the second user ID, the copying is allowed, otherwise, the copying is prohibited, and the illegal copying of the cipher machine equipment can be effectively prevented.
In another embodiment of the present invention, the management module 310 copies the seed code in the administrator lock of another cryptographic machine device into the encryption module 320, and the encryption module 320 checks the first check data based on the first user ID and the seed code, and in this embodiment of the present invention, the first check data is generated by the administrator lock of another cryptographic machine device based on the second user ID and the seed code.
In another embodiment of the present invention, the management module 310 sends a registration request packet to the cloud server, so that the cloud server verifies the registration request packet, where the registration request packet includes the device ID of the cryptographic engine device and the cryptographic chip ID of the encryption module 320, so that the cloud server verifies a first relationship between the cryptographic engine device and the user thereof and a second relationship between the cryptographic engine device and the encryption module 320.
In another embodiment of the present invention, the management module 310 sends the device ID of the cryptographic machine device to the administrator lock, and the encryption module 320 verifies the first verification data based on the first user ID and the device ID, where the first verification data is generated by the administrator lock of another cryptographic machine device based on the second user ID and the device ID.
In another embodiment of the present invention, the first verification data may include: a check code that the administrator lock generates for the first data using a first key generated based on the second user ID.
In another embodiment of the present invention, the first verification data may also include: ciphertext data that the administrator lock generates by encrypting the first data and the check code using a second key generated based on the second user ID.
In another embodiment of the invention, the first key is generated using a first algorithm based on the second user ID, and the second key is generated using a second algorithm based on the second user ID.
In another embodiment of the invention, the first key is generated using the second user ID and the first key factor, and the second key is generated using the second user ID and the second key factor.
The implementation process of the functions and actions of each module in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
Fig. 4 is a block diagram illustrating a system 400 for preventing illegal copying of cipher machine devices according to an exemplary embodiment of the present invention. As shown in fig. 4, the system 400 includes: the cryptographic engine apparatus 410 as described above; and the cloud server 420, which sends the registration command packet to the cryptographic machine device 410 based on the request of the cryptographic machine device 410.
Specifically, the cryptographic engine apparatus 410 includes: the management module is configured to obtain a registration command packet from the cloud server, and write a first user ID corresponding to the first cipher machine device in the registration command packet into the encryption module; the encryption module is configured to verify first verification data based on a first user ID before copying another cryptographic machine device to the cryptographic machine device, and allow copying when a verification result indicates that the first user ID is the same as a second user ID, otherwise prohibit copying, the first verification data being generated by an administrator lock of the another cryptographic machine device based on the second user ID corresponding to the another cryptographic machine device.
The processing functions of the modules of the cryptographic engine device 410 in the embodiment of the present invention specifically refer to the embodiment shown in fig. 3 and the related description, and detailed descriptions are omitted here.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
Moreover, although exemplary embodiments have been described herein, the scope thereof includes any and all embodiments based on the present invention with equivalent elements, modifications, omissions, combinations (e.g., of aspects across various embodiments), adaptations or alterations. The elements of the claims are to be interpreted broadly based on the language employed in the claims and not limited to examples described in the present specification or during the prosecution of the application, which examples are to be construed as non-exclusive. It is intended, therefore, that the specification and examples be considered as exemplary only, with a true scope and spirit being indicated by the following claims and their full scope of equivalents.
While the embodiments of the present invention have been described in detail, the present invention is not limited to these specific embodiments, and those skilled in the art can make various modifications and variations of the embodiments based on the concept of the present invention, all of which fall within the scope of the present invention as claimed.

Claims (16)

1. A method for preventing illegal copying of a cipher machine device, applied to a first cipher machine device, characterized in that the method comprises the following steps:
obtaining a registration command packet from a cloud server through a management module in the first cipher machine device, and writing a first user ID corresponding to the first cipher machine device in the registration command packet into an encryption module in the first cipher machine device;
before copying the second cipher machine device to the first cipher machine device, verifying first verification data based on a first user ID through the encryption module, and when a verification result shows that the first user ID is the same as a second user ID, allowing the copying, otherwise forbidding the copying, wherein the first verification data is generated by an administrator lock of the second cipher machine device based on the second user ID corresponding to the second cipher machine device; the administrator lock is a hardware key used for managing the first cipher machine device or the second cipher machine device.
2. The method of claim 1, wherein prior to copying the second cryptographic engine device to the first cryptographic engine device, the method further comprises: the encryption module obtains the seed code from the administrator lock of the second cryptographic engine device,
correspondingly, the verifying of the first verification data based on the first user ID by the encryption module comprises: verifying, by the encryption module, the first verification data based on the first user ID and the seed code, wherein the first verification data is generated by the administrator lock of the second cipher machine device based on the second user ID and the seed code.
3. The method of claim 2, wherein the cryptographic module obtains the seed code from an administrator lock of the second cryptographic engine device, comprising:
the encryption module obtains a seed code ciphertext and a key ciphertext from an administrator lock of the second cipher machine device, the seed code ciphertext is generated by the administrator lock encrypting the seed code or data including the seed code by using the first symmetric key, and the key ciphertext is generated by the administrator lock encrypting the first symmetric key by using a public key of the encryption module.
4. A method as claimed in claim 2 or 3, wherein the cryptographic module further obtains the first digital signature from an administrator lock of the second cryptographic engine device and verifies the first digital signature based on the seed code using a public key of the administrator lock.
5. The method of claim 1, wherein prior to obtaining the registration command packet from a cloud server via a management module in the first cryptographic engine device, the method further comprises:
the management module sends a registration request packet to the cloud server so that the cloud server can verify the registration request packet, wherein the registration request packet comprises a device ID of the first cipher machine device and an encryption chip ID of the encryption module, so that the cloud server can verify a first affiliation relationship between the first cipher machine device and a user of the first cipher machine device and a second affiliation relationship between the first cipher machine device and the encryption module.
6. The method of claim 1, further comprising: sending the device ID of the first cryptographic engine device to the administrator lock via the management module,
correspondingly, the verifying of the first verification data based on the first user ID by the encryption module comprises: verifying, by the encryption module, the first verification data based on the first user ID and the device ID, wherein the first verification data is generated by the administrator lock of the second cipher machine device based on the second user ID and the device ID.
7. The method of claim 1, wherein the first verification data comprises: a check code generated by the administrator lock processing first data using a first key generated based on the second user ID.
8. The method of claim 1, wherein the first verification data comprises: ciphertext data generated by the administrator lock, after processing first data using a first key generated based on the second user ID to generate a check code, encrypting the first data and the check code using a second key generated based on the second user ID.
9. The method of claim 8, wherein the first data is an application key seed, and wherein the application key seed is used by the encryption module to generate an application key.
10. The method of claim 9, wherein the encryption module generates the application key based on the application key seed and at least one of a first user ID, a device ID of the first cryptographic engine device, and a pre-stored key factor.
11. The method of any of claims 8-10, wherein the first key is generated using a first algorithm based on a second user ID, and wherein the second key is generated using a second algorithm based on the second user ID.
12. The method according to any of claims 8-10, wherein the first key is generated using a second user ID and a first key factor, and wherein the second key is generated using the second user ID and a second key factor.
13. The method of claim 12, further comprising:
the administrator lock of the second cryptographic engine device sends the seed code to the encryption module,
wherein the first key is generated based on the seed code, the second user ID, and the first key factor, and the second key is generated based on the seed code, the second user ID, and the second key factor.
14. The method of claim 12, further comprising:
sending the device ID of the first cryptographic engine device to the administrator lock via the management module,
wherein the first key is generated based on the device ID, a second user ID, and a first key factor, and the second key is generated based on the device ID, a second user ID, and a second key factor.
15. A cryptographic engine apparatus, comprising: a management module and an encryption module, wherein,
the management module is configured to obtain a registration command packet from a cloud server, and write a first user ID corresponding to first cipher machine equipment in the registration command packet into the encryption module;
the encryption module is configured to verify first verification data based on a first user ID before copying another cryptographic machine device to the cryptographic machine device, and allow the copying when a verification result indicates that the first user ID is the same as a second user ID, otherwise prohibit the copying, the first verification data being generated by an administrator lock of the another cryptographic machine device based on the second user ID corresponding to the another cryptographic machine device; the administrator lock is a hardware key used for managing the first cipher machine device or the second cipher machine device.
16. A system for preventing illegal copying of cipher machine devices, comprising:
the cryptographic engine apparatus of claim 15;
and the cloud server is used for sending the registration command packet to the cipher machine equipment based on the request of the cipher machine equipment.
CN201910180758.0A 2019-03-11 2019-03-11 Method and system for preventing cipher machine equipment from being illegally copied and cipher machine equipment Active CN109981612B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910180758.0A CN109981612B (en) 2019-03-11 2019-03-11 Method and system for preventing cipher machine equipment from being illegally copied and cipher machine equipment


Publications (2)

Publication Number Publication Date
CN109981612A CN109981612A (en) 2019-07-05
CN109981612B true CN109981612B (en) 2020-02-21

Family

ID=67078359

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910180758.0A Active CN109981612B (en) 2019-03-11 2019-03-11 Method and system for preventing cipher machine equipment from being illegally copied and cipher machine equipment

Country Status (1)

Country Link
CN (1) CN109981612B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: Room 124, 1 / F, building 2, yard 9, jiaogezhuang street, Nanfaxin Town, Shunyi District, Beijing

Patentee after: Beijing Wikipedia Technology Co.,Ltd.

Address before: 102200 No. 1, 120, Area C, 23 Qianqian Road, Changping Science and Technology Park, Beijing

Patentee before: Beijing Wikipedia Technology Co.,Ltd.
