CN106682459A - Information safety device production method, information safety device production equipment and information safety device production system - Google Patents


Info

Publication number: CN106682459A
Authority: CN (China)
Prior art keywords: safety device; information safety; data bag; encryption data; encryption
Legal status: Granted
Application number: CN201710114184.8A
Other languages: Chinese (zh)
Other versions: CN106682459B (en
Inventor: 孙吉平, 钟灵剑
Current Assignee: Beijing Senseshield Technology Co Ltd
Original Assignee: Beijing Senseshield Technology Co Ltd
Application filed by Beijing Senseshield Technology Co Ltd
Priority to CN201710114184.8A
Publication of CN106682459A
Application granted
Publication of CN106682459B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/121 Restricting unauthorised execution of programs
    • G06F21/123 Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates

Abstract

The invention discloses a method for producing an information safety device, in which an information safety device manufacturer and a software developer jointly produce information safety devices online. The method includes the following steps carried out on the information safety device manufacturer side: generating an encrypted data packet P1 that includes request data, and sending the encrypted data packet P1 to the software developer side through a network; receiving an encrypted data packet S1 from the software developer side, wherein the encrypted data packet S1 includes information safety device initialization data issued by the software developer according to the request data; and decrypting the encrypted data packet S1 to obtain the information safety device initialization data, and writing the information safety device initialization data into the information safety device. The invention further discloses an information safety device production system. The information safety device can be, for example, an encryption lock. The secondary setup step after the information safety device leaves the factory can be omitted, and the security of the initialization data in the information safety device is improved.

Description

Method, production equipment and system for producing an information safety device
Technical field
The present invention relates to the field of industrial production, and more particularly to a method for producing an encryption lock, encryption lock manufacturer side production equipment for producing an encryption lock, software developer side production equipment for producing an encryption lock, and a system for producing an encryption lock.
Background
An information safety device is a device commonly used by software developers to protect the software products they sell; a typical information safety device is, for example, an encryption lock. Usually, the encryption lock manufacturer is solely responsible for producing the encryption lock, and after the encryption lock leaves the factory, the software developer performs a secondary setting on the corresponding information safety device when selling the software product.
If the encryption lock manufacturer is solely responsible, the data inside the lock is inevitably set entirely by the manufacturer; if the software developer performs the secondary setting, the software developer inevitably needs to invest more in software and hardware equipment and manpower.
Summary of the invention
An object of the present invention is to provide a method, production equipment and a system for jointly producing an information safety device online, which can omit the secondary setting step after the information safety device leaves the factory and/or improve the confidentiality of the initialization data in the information safety device.
To achieve the above object, one aspect of the invention provides a method for producing an information safety device, in which an information safety device manufacturer and a software developer jointly produce the information safety device online, the method comprising the following steps carried out on the information safety device manufacturer side:
generating an encrypted data packet P1 that includes request data, and sending the encrypted data packet P1 to the software developer side through a network;
receiving an encrypted data packet S1 from the software developer side, the encrypted data packet S1 including information safety device initialization data issued by the software developer according to the request data;
decrypting the encrypted data packet S1 to obtain the information safety device initialization data, and writing the information safety device initialization data into the information safety device.
Preferably, the encrypted data packet P1 also includes first signature data.
Preferably, the first signature data is obtained by signing the request data with the signature private key of the information safety device manufacturer.
Preferably, the encrypted data packet P1 also includes an in-lock public key, the in-lock public key being the public key of a key pair generated by the information safety device manufacturer inside the information safety device, and the first signature data is generated by signing the in-lock public key and the request data with the signature private key of the information safety device manufacturer.
Preferably, the encrypted data packet S1 also includes second signature data, and
the method further comprises:
verifying, on the information safety device manufacturer side, the signature over the corresponding data in the encrypted data packet S1.
Preferably, the second signature data is obtained by signing the information safety device initialization data with the signature private key of the software developer, and wherein
the information safety device initialization data in the encrypted data packet S1 is verified using the signature verification certificate of the software developer.
Preferably, the encrypted data packet P1 also includes an in-lock public key and first signature data, wherein the in-lock public key is the public key of a key pair generated inside the information safety device, and the first signature data is generated by signing the in-lock public key and the request data with the signature private key of the information safety device manufacturer; and
the encrypted data packet S1 is further configured to include an encrypted data packet S10, an encrypted data packet S11 and the second signature data, the encrypted data packet S10 being generated by encrypting the information safety device initialization data with a first key generated by the software developer, the encrypted data packet S11 being generated by encrypting the first key with the in-lock public key, and the second signature data being generated by signing the encrypted data packets S10 and S11 with the signature private key of the software developer, and wherein
the encrypted data packets S10 and S11 are verified using the signature verification certificate of the software developer.
Preferably, the method further comprises:
collecting, on the information safety device manufacturer side, the software and hardware information of the information safety device, generating an encrypted data packet P2 that includes the software and hardware information, and sending the encrypted data packet P2 to the software developer side through the network.
Preferably, the encrypted data packet P2 also includes third signature data, the third signature data being generated by signing the software and hardware information with the signature private key of the information safety device manufacturer.
Another aspect of the invention provides a method for producing an information safety device, characterised in that an information safety device manufacturer and a software developer jointly produce the information safety device online, the method comprising the following steps carried out on the software developer side:
receiving an encrypted data packet P1 that includes request data from the information safety device manufacturer side;
decrypting the encrypted data packet P1 to obtain the request data, issuing information safety device initialization data according to the request data, generating an encrypted data packet S1 that includes the information safety device initialization data, and sending it to the information safety device manufacturer side.
Preferably, the encrypted data packet P1 also includes first signature data, and
the method further comprises:
verifying, on the software developer side, the signature over the corresponding data in the encrypted data packet P1.
Preferably, the first signature data is obtained by signing the request data with the signature private key of the information safety device manufacturer, and wherein
the request data in the encrypted data packet P1 is verified using the signature verification certificate of the information safety device manufacturer.
Preferably, the encrypted data packet P1 also includes an in-lock public key, the in-lock public key being the public key of a key pair generated by the information safety device manufacturer inside the information safety device, and the first signature data is generated by signing the in-lock public key and the request data with the signature private key of the information safety device manufacturer, and wherein
the in-lock public key and the request data are verified using the signature verification certificate of the information safety device manufacturer.
Preferably, the encrypted data packet S1 also includes second signature data.
Preferably, the second signature data is obtained by signing the information safety device initialization data with the signature private key of the software developer.
Preferably, the encrypted data packet P1 also includes an in-lock public key and first signature data, wherein the in-lock public key is the public key of a key pair generated inside the information safety device, and the first signature data is generated by signing the in-lock public key and the request data with the signature private key of the information safety device manufacturer; and
the encrypted data packet S1 is further configured to include an encrypted data packet S10, an encrypted data packet S11 and the second signature data, the encrypted data packet S10 being generated by encrypting the information safety device initialization data with a first key generated by the software developer, the encrypted data packet S11 being generated by encrypting the first key with the in-lock public key, and the second signature data being generated by signing the encrypted data packets S10 and S11 with the signature private key of the software developer.
Preferably, the method further comprises:
receiving, on the software developer side, an encrypted data packet P2 from the information safety device manufacturer side that includes the software and hardware information of the information safety device, and decrypting the encrypted data packet P2 to determine whether the corresponding information safety device was produced successfully.
Preferably, the encrypted data packet P2 also includes third signature data obtained by signing the software and hardware information of the information safety device with the signature private key of the information safety device manufacturer, and the method further comprises
verifying, on the software developer side, the software and hardware information in the encrypted data packet P2 using the signature verification certificate of the information safety device manufacturer.
Another aspect of the invention provides information safety device manufacturer side production equipment for producing an information safety device, used to jointly produce the information safety device online with software developer side production equipment, the information safety device manufacturer side production equipment comprising:
an encrypted data packet P1 generating and sending unit, configured to generate an encrypted data packet P1 that includes request data, and to send the encrypted data packet P1 to the software developer side production equipment through a network;
an encrypted data packet S1 receiving unit, configured to receive an encrypted data packet S1 from the software developer side production equipment, the encrypted data packet S1 including information safety device initialization data issued by the software developer according to the request data;
an encrypted data packet S1 decryption unit, configured to decrypt the encrypted data packet S1 to obtain the information safety device initialization data; and
an information safety device initialization data writing unit, configured to write the information safety device initialization data into the information safety device.
Preferably, the encrypted data packet P1 generating and sending unit is further configured to generate an encrypted data packet P1 that includes the request data and first signature data.
Preferably, the encrypted data packet S1 also includes second signature data, and
the information safety device manufacturer side production equipment further comprises:
an encrypted data packet S1 signature verification unit, configured to verify the signature over the corresponding data in the encrypted data packet S1.
Preferably, the information safety device manufacturer side production equipment further comprises:
an encrypted data packet P2 generating and sending unit, configured to collect the software and hardware information of the information safety device, generate an encrypted data packet P2 that includes the software and hardware information, and send the encrypted data packet P2 to the software developer side production equipment through the network.
Preferably, the encrypted data packet P2 generating and sending unit is further configured to generate an encrypted data packet P2 that includes the software and hardware information and third signature data, the third signature data being generated by signing the software and hardware information with the signature private key of the information safety device manufacturer.
Preferably, the information safety device includes an encryption lock.
Another aspect of the invention provides software developer side production equipment for producing an information safety device, used to jointly produce the information safety device online with information safety device manufacturer side production equipment, the software developer side production equipment comprising:
an encrypted data packet P1 receiving unit, configured to receive an encrypted data packet P1 that includes request data from the information safety device manufacturer side production equipment;
an encrypted data packet P1 decryption unit, configured to decrypt the encrypted data packet P1 to obtain the request data;
an encrypted data packet S1 generating and sending unit, configured to issue information safety device initialization data according to the request data, generate an encrypted data packet S1 that includes the information safety device initialization data, and send it to the information safety device manufacturer side production equipment.
Preferably, the encrypted data packet P1 also includes first signature data, and
the software developer side production equipment further comprises:
an encrypted data packet P1 signature verification unit, configured to verify the signature over the corresponding data in the encrypted data packet P1.
Preferably, the encrypted data packet S1 generating and sending unit is further configured to generate an encrypted data packet S1 that includes the information safety device initialization data and second signature data.
Preferably, the software developer side production equipment further comprises:
an encrypted data packet P2 receiving unit, configured to receive an encrypted data packet P2 from the information safety device manufacturer side production equipment that includes the software and hardware information of the information safety device; and
an encrypted data packet P2 decryption unit, configured to decrypt the encrypted data packet P2 to determine whether the corresponding information safety device was produced successfully.
Preferably, the encrypted data packet P2 also includes third signature data generated by signing the software and hardware information with the signature private key of the information safety device manufacturer, and the equipment further comprises:
an encrypted data packet P2 signature verification unit, configured to verify the software and hardware information in the encrypted data packet P2 using the signature verification certificate of the information safety device manufacturer.
Preferably, the information safety device includes an encryption lock.
In yet another aspect, the invention also provides a system for producing an information safety device, comprising the above information safety device manufacturer side production equipment for producing an information safety device and the above software developer side production equipment for producing an information safety device.
The method, production equipment and/or system for producing an information safety device provided by the solutions of the invention can improve the production efficiency of information safety devices, and can also ensure the confidentiality of the production process and the data security of the information safety devices produced.
Brief description of the drawings
Fig. 1 is a flow chart of a method, according to an embodiment of the invention, in which an information safety device manufacturer and a software developer jointly produce an information safety device online.
Fig. 2 is a flow chart of a method, according to another embodiment of the invention, in which an information safety device manufacturer and a software developer jointly produce an information safety device online.
Fig. 3 is a flow chart of a method, according to yet another embodiment of the invention, in which an information safety device manufacturer and a software developer jointly produce an information safety device online.
Fig. 4 is a block diagram of a system for producing an information safety device according to an embodiment of the invention.
Detailed description of the embodiments
To help those skilled in the art better understand the invention, embodiments of the invention are described in detail below with reference to the accompanying drawings. Identical reference signs in the drawings denote identical or similar elements/steps.
Fig. 1 is a flow chart of a method, according to an embodiment of the invention, in which an information safety device manufacturer and a software developer jointly produce an information safety device online. The method comprises the following steps:
A1: On the information safety device manufacturer side, generate an encrypted data packet P1 that includes request data, and send the encrypted data packet P1 to the software developer side through a network;
A2: On the software developer side, receive the encrypted data packet P1 that includes the request data from the information safety device manufacturer side;
A3: On the software developer side, decrypt the encrypted data packet P1 to obtain the request data, issue information safety device initialization data according to the request data, generate an encrypted data packet S1 that includes the information safety device initialization data, and send it to the information safety device manufacturer side;
A4: On the information safety device manufacturer side, receive the encrypted data packet S1 from the software developer side, the encrypted data packet S1 including the information safety device initialization data issued by the software developer according to the request data;
A5: On the information safety device manufacturer side, decrypt the encrypted data packet S1 to obtain the information safety device initialization data, and write the information safety device initialization data into the information safety device.
Afterwards, the subsequent production process is carried out on the information safety device manufacturer side to complete production of the information safety device. Thus, with the online joint production method of this embodiment, the software developer does not need to perform a secondary setting, and the desired information safety device can be produced directly on the information safety device manufacturer side.
It should also be noted that the "network" here is not limited to any specific network. The information safety device manufacturer and the software developer may be connected through a wired network (such as optical fiber) or a wireless network (such as infrared, Bluetooth, Wi-Fi), or through a dedicated network (such as a VPN), and data may be transferred between the information safety device manufacturer and the software developer in various real-time or non-real-time ways.
In embodiments of the invention, the information safety device includes but is not limited to an encryption lock; it may also be, for example, an encryption card, an encryption machine, and so on.
Fig. 2 shows a flow chart of a method, according to another embodiment of the invention, in which an information safety device manufacturer and a software developer jointly produce an information safety device online. In this embodiment, the information safety device manufacturer is, for example, an encryption lock manufacturer.
In this embodiment, the encrypted data packet P1 that the encryption lock manufacturer generates in step A1 includes not only the request data but also first signature data. The first signature data may be obtained by signing the request data with the signature private key of the encryption lock manufacturer. After the software developer receives the encrypted data packet P1, it first decrypts P1 in step A3 and can then verify the request data using the signature verification certificate of the encryption lock manufacturer. This confirms whether packet P1 was sent by the encryption lock manufacturer and enhances the security of the encryption lock production process.
The verification may proceed as follows: the software developer decrypts the first signature data using the encryption lock manufacturer's signature verification certificate that it holds, obtaining a message digest; it then regenerates a message digest from the request data and compares the two digests; if they are identical, the signature is confirmed as valid. The signing and verification may use any existing asymmetric algorithm, such as the RSA algorithm, the D-H algorithm or an ECC algorithm.
In addition, the software developer generates an encrypted data packet S1 that includes second signature data. The second signature data may be obtained by signing the encryption lock initialization data with the signature private key of the software developer. After the encryption lock manufacturer receives packet S1, it decrypts S1 in step A5 to obtain the second signature data and the initialization data, and can verify the signature using the software developer's signature verification certificate that it holds, to confirm the source of the encrypted data packet S1. The verification may proceed as follows: after decrypting S1, the encryption lock manufacturer decrypts the second signature data using the software developer's signature verification certificate that it holds, obtaining a message digest; it then regenerates a message digest from the encryption lock initialization data and compares the two digests; if they are identical, the signature is confirmed as valid. This further increases the security of the encryption lock production process.
Fig. 3 is a flow chart of a method, according to yet another embodiment of the invention, in which an information safety device manufacturer and a software developer jointly produce an information safety device online. In this embodiment, the information safety device manufacturer is, for example, an encryption lock manufacturer. This embodiment differs from the embodiment of Fig. 2 in that, after the encryption lock manufacturer completes production of the encryption lock, it collects the software and hardware information of the encryption lock in step A6, generates an encrypted data packet P2 that includes the software and hardware information, and sends the encrypted data packet P2 to the software developer side through the network; then, after the software developer receives the encrypted data packet P2 in step A7, it decrypts P2, thereby confirming and storing the software and hardware information of the produced encryption lock that meets its requirements.
This embodiment lets the software developer verify online whether production of the encryption lock succeeded, which improves the production efficiency of the encryption lock and ensures the reliability of the encryption locks produced.
The following is a specific embodiment of the invention.In the present embodiment, information safety device is specially encryption lock, That is, present embodiments provide a kind of by encryption lock manufacturer and the method for the online Joint Production encryption lock of software developer.This reality Apply the precondition of example:1st, encryption lock manufacturer holds:The encrypted certificate of software developer, the sign test certificate of software developer, The decrypted private key of encryption lock manufacturer, the signature private key of encryption lock manufacturer.2nd, software developer holds:Encryption lock manufacturer's Encrypted certificate, the sign test certificate of encryption lock manufacturer, the decrypted private key of software developer, the signature private key of software developer.Its In all kinds of private keys be the keeping of respective secret data, can not reveal.
The specific steps of the method include:
A101, encryption lock manufacturer generate a pair of RSA keys pair in blank encryption lock, and the RSA key is to including in lock Private key in public key and lock.Private key is resided in lock in lock, and the software and hardware of encryption lock ensures that private key does not go out lock in lock, it is ensured that private in lock The safety of key.
A102, encryption lock manufacturer take out public key and other some request datas in lock, use encryption lock manufacturer Signature private key public key in the lock and request data are signed, obtain signed data m1, reuse software developer plus Close certificate is encrypted to public key, request data and signed data m1 in lock, encryption data bag p1 is obtained, then by encryption data Bag p1 is sent in the docking system of software developer by network.
A103. After receiving encrypted data packet p1, the software developer decrypts p1 with the software developer's decryption private key and then verifies the signature over the in-lock public key and the request data with the encryption lock manufacturer's signature verification certificate. The verification can be performed as follows: the signature data m1 is decrypted with that signature verification certificate (which contains the public key corresponding to the encryption lock manufacturer's signature private key), and the resulting data (a message digest) is compared with a message digest regenerated from the in-lock public key and the request data; if the two are identical, verification succeeds. Once verification succeeds, the software developer issues encryption lock initialization data according to the request data and generates an AES key. It encrypts the initialization data with the AES key to obtain encrypted data packet s10, encrypts the AES key with the in-lock public key to obtain encrypted data packet s11, and signs packets s10 and s11 with the software developer's signature private key to obtain signature data m2. It then encrypts s10, s11 and the signature data m2 with the encryption lock manufacturer's encryption certificate to obtain encrypted data packet s1, and sends s1 over the network to the encryption lock manufacturer's production system. Specifically, the initialization data can include, for example, the pkcs7-standard certificate dcert that the software developer issues using its own CA (certificate authority). In addition, the initialization data can also include data used to secure the encryption lock's communication, such as a seed code and a salt value for the ECC algorithm.
A104. After receiving encrypted data packet s1, the encryption lock manufacturer decrypts s1 using the decryption certificate of the encryption lock manufacturer to obtain packets s10 and s11 and signature data m2, and verifies the signature over s10 and s11 with the software developer's signature verification certificate. The verification can be performed as follows: the signature data m2 is decrypted with the software developer's signature verification certificate, and the resulting data (a message digest) is compared with a message digest regenerated from s10 and s11; if the two are identical, verification succeeds. Once verification succeeds, s11 is passed into the encryption lock; the encryption lock decrypts s11 with the in-lock private key to obtain the AES key and returns it to the production system; the production system decrypts s10 with the AES key to obtain the initialization data and writes the initialization data into the encryption lock. Specifically, where the initialization data includes the above-mentioned pkcs12-standard certificate dcert, the production system on the encryption lock manufacturer side decrypts s10 with the AES key to obtain the pkcs12-standard certificate dcert, separates from dcert the private key issued by the CA for the corresponding encryption lock and the certificate containing the public key corresponding to that private key, writes the private key into the invisible area of the encryption lock (for use only inside the encryption lock), and writes the certificate into the read-only area of the encryption lock.
A105. The encryption lock manufacturer carries out the subsequent production process and completes production of the encryption lock. At this point the encryption lock stores a private key and a certificate issued by the above-mentioned CA of the software developer's own key system, and this certificate can only be authenticated by that CA. After production ends, the software and hardware information of the encryption lock is collected and signed with the encryption lock manufacturer's signature private key to obtain signature data; the software and hardware information and the signature data are then packaged using the software developer's encryption certificate to obtain encrypted data packet p2, and p2 is sent over the network to the software developer's docking system.
A106. After receiving encrypted data packet p2, the software developer decrypts p2 with the software developer's decryption private key to obtain the encryption lock's software and hardware information and the signature data, and verifies the signature over the software and hardware information with the encryption lock manufacturer's signature verification certificate, in a manner similar to the verification described in steps A103 and A104. Once verification succeeds, the software developer confirms that the corresponding encryption lock was produced successfully.
This preferred embodiment not only facilitates the production of encryption locks but also ensures that the encryption locks produced are highly secure.
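The core of steps A101 to A104 can be simulated as follows. This is an added example, not code from the patent: function and field names are hypothetical, textbook RSA and a SHA-256 keystream stand in for the RSA and AES operations so that it runs on the Python standard library alone, and the outer encryption of p1 and s1 under the peer's encryption certificate is left out.

```python
# Added illustration with hypothetical names. Textbook RSA and a SHA-256 keystream
# stand in for the RSA and AES operations; the outer P1/S1 encryption is omitted.
import hashlib
import secrets

E = 65537  # public exponent used by every key pair here

def is_probable_prime(n, rounds=24):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin rounds with random bases
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if c % E != 1 and is_probable_prime(c):  # keeps E invertible mod c - 1
            return c

def keygen(bits=1024):
    p, q = random_prime(bits // 2), random_prime(bits // 2)
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))  # public, private

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    return pow(digest(data), private[1], private[0])

def verify(public, data, signature):
    # "Decrypt" the signature with the public key, compare with a fresh digest.
    return pow(signature, public[1], public[0]) == digest(data)

def int_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def frame(*parts):
    # Length-prefix each field so the signed concatenation is unambiguous.
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def stream_xor(key, data):
    # SHA-256 counter keystream: a stand-in for the AES step, not AES.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class Dongle:
    """A101: key pair generated in the lock; the private half is never returned."""
    def __init__(self):
        self.public, self.__private = keygen()

    def unwrap(self, s11):
        n, d = self.__private
        return pow(s11, d, n).to_bytes(32, "big")

def build_p1(dongle, mfr_sign_key, request):
    """A102: the manufacturer signs the in-lock public key and the request."""
    m1 = sign(mfr_sign_key, frame(int_bytes(dongle.public[0]), request))
    return {"lock_pub": dongle.public, "request": request, "m1": m1}

def build_s1(p1, mfr_verify_key, dev_sign_key, init_data):
    """A103: the developer verifies m1, then issues S10, S11 and m2."""
    signed = frame(int_bytes(p1["lock_pub"][0]), p1["request"])
    if not verify(mfr_verify_key, signed, p1["m1"]):
        raise ValueError("m1 verification failed: request rejected")
    aes_key = secrets.token_bytes(32)  # plays the role of the AES key
    s10 = stream_xor(aes_key, init_data)
    n, e = p1["lock_pub"]
    s11 = pow(int.from_bytes(aes_key, "big"), e, n)
    m2 = sign(dev_sign_key, frame(s10, int_bytes(s11)))
    return {"s10": s10, "s11": s11, "m2": m2}

def install(s1, dongle, dev_verify_key):
    """A104: verify m2 first; only then does the lock unwrap the key."""
    if not verify(dev_verify_key, frame(s1["s10"], int_bytes(s1["s11"])), s1["m2"]):
        raise ValueError("m2 verification failed: nothing sent to the lock")
    return stream_xor(dongle.unwrap(s1["s11"]), s1["s10"])

if __name__ == "__main__":
    (mfr_pub, mfr_priv), (dev_pub, dev_priv), lock = keygen(), keygen(), Dongle()
    p1 = build_p1(lock, mfr_priv, b"constructed request: 1 lock")
    s1 = build_s1(p1, mfr_pub, dev_priv, b"constructed initialization data")
    print(install(s1, lock, dev_pub))
```

If s10, s11 or the request is altered after signing, `install` or `build_s1` raises before the lock is asked to use its private key.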
Next, with reference to Fig. 4, a system 200 according to an embodiment of the invention, in which an information safety device manufacturer and a software developer jointly produce an information safety device online, is described. It includes information safety device manufacturer side production equipment 201 and software developer side production equipment 202.
The information safety device manufacturer side production equipment 201 includes:
an encrypted data packet P1 generating and sending unit, which generates an encrypted data packet P1 that includes request data and sends the encrypted data packet P1 over a network to the software developer side production equipment 202;
an encrypted data packet S1 receiving unit, which receives an encrypted data packet S1 from the software developer side production equipment 202, wherein the encrypted data packet S1 includes information safety device initialization data issued by the software developer according to the request data;
an encrypted data packet S1 decryption unit, which decrypts the encrypted data packet S1 to obtain the information safety device initialization data; and
an information safety device initialization data writing unit, which writes the information safety device initialization data into the information safety device.
The software developer side production equipment 202 includes:
an encrypted data packet P1 receiving unit, configured to receive, from the information safety device manufacturer side production equipment 201, the encrypted data packet P1 that includes the request data;
an encrypted data packet P1 decryption unit, configured to decrypt the encrypted data packet P1 to obtain the request data;
an encrypted data packet S1 generating and sending unit, configured to issue information safety device initialization data according to the request data, generate an encrypted data packet S1 that includes the information safety device initialization data, and send it to the information safety device manufacturer side production equipment 201.
Typically, the information safety device includes, but is not limited to, an encryption lock.
In another embodiment of the invention, the encrypted data packet P1 generating and sending unit in the information safety device manufacturer side production equipment generates an encrypted data packet P1 that includes not only the request data but also first signature data. Accordingly, the software developer side production equipment further includes an encrypted data packet P1 signature verification unit for verifying the signature over the data in the encrypted data packet P1. In detail, the verification can proceed as follows: the software developer decrypts the first signature data with the information safety device manufacturer's signature verification certificate that it holds, obtaining a message digest; it then regenerates a message digest from the in-lock public key and the request data and compares the two message digests; if they are identical, verification succeeds. This embodiment can therefore enhance the security of the information safety device production process.
In yet another embodiment of the invention, the encrypted data packet S1 generating and sending unit in the software developer side production equipment generates an encrypted data packet S1 that includes not only the above-mentioned initialization data but also second signature data. Correspondingly, the information safety device manufacturer side production equipment further includes an encrypted data packet S1 signature verification unit for verifying the signature over the corresponding data in the encrypted data packet S1. For the detailed verification process, refer to the foregoing embodiment. This embodiment provides information safety device manufacturer side production equipment and software developer side production equipment that can further enhance the security of the information safety device production process.
In some embodiments of the invention, the information safety device manufacturer side production equipment further includes an encrypted data packet P2 generating and sending unit, which collects the software and hardware information of the information safety device, generates an encrypted data packet P2 that includes the software and hardware information, and sends the encrypted data packet P2 over the network to the software developer side production equipment. Correspondingly, the software developer side production equipment further includes: an encrypted data packet P2 receiving unit, for receiving from the information safety device manufacturer side production equipment the encrypted data packet P2 that includes the software and hardware information of the information safety device; and an encrypted data packet P2 decryption unit, for decrypting the encrypted data packet P2 to determine whether the corresponding information safety device was produced successfully.
The software developer side production equipment can thus confirm that the corresponding information safety device has been produced successfully.
In still another embodiment, in the information safety device manufacturer side production equipment, the encrypted data packet P2 generated by the encrypted data packet P2 generating and sending unit includes not only the software and hardware information but also third signature data, where the third signature data can be generated by signing the software and hardware information with the signature private key of the information safety device manufacturer. Correspondingly, the software developer side production equipment includes an encrypted data packet P2 signature verification unit for verifying the signature over the software and hardware information in the encrypted data packet P2 with the signature verification certificate of the information safety device manufacturer. The security of the production process can thereby be further enhanced.
The present invention is not limited to the specific embodiments above. Without departing from the spirit and essence of the invention, those skilled in the art can make various corresponding changes and modifications according to the invention, but all such changes and modifications shall fall within the protection scope of the appended claims.

Claims (31)

1. A method of producing an information safety device, characterized in that the information safety device is produced jointly online by an information safety device manufacturer and a software developer, the method comprising the following steps performed on the information safety device manufacturer side:
generating an encrypted data packet P1 that includes request data, and sending the encrypted data packet P1 to the software developer side over a network;
receiving an encrypted data packet S1 from the software developer side, the encrypted data packet S1 including information safety device initialization data issued by the software developer according to the request data;
decrypting the encrypted data packet S1 to obtain the information safety device initialization data, and writing the information safety device initialization data into the information safety device.
2. The method according to claim 1, wherein:
the encrypted data packet P1 further includes first signature data.
3. The method according to claim 2, wherein:
the first signature data is obtained by signing the request data with the signature private key of the information safety device manufacturer.
4. The method according to claim 2, wherein:
the encrypted data packet P1 further includes an in-lock public key, the in-lock public key being the public key of a key pair generated in the information safety device by the information safety device manufacturer, and the first signature data is generated by signing the in-lock public key and the request data with the signature private key of the information safety device manufacturer.
5. The method according to claim 1, wherein:
the encrypted data packet S1 further includes second signature data, and
the method further comprises:
verifying, on the information safety device manufacturer side, the signature over the corresponding data in the encrypted data packet S1.
6. The method according to claim 5, wherein:
the second signature data is obtained by signing the information safety device initialization data with the signature private key of the software developer, and wherein
the signature over the information safety device initialization data in the encrypted data packet S1 is verified with the signature verification certificate of the software developer.
7. The method according to claim 5, wherein
the encrypted data packet P1 further includes an in-lock public key and first signature data, wherein the in-lock public key is the public key of a key pair generated in the information safety device, and the first signature data is generated by signing the in-lock public key and the request data with the signature private key of the information safety device manufacturer, and
the encrypted data packet S1 is further configured to include an encrypted data packet S10, an encrypted data packet S11 and the second signature data, the encrypted data packet S10 being generated by encrypting the information safety device initialization data with a first key generated by the software developer, the encrypted data packet S11 being generated by encrypting the first key with the in-lock public key, and the second signature data being generated by signing the encrypted data packets S10 and S11 with the signature private key of the software developer, and wherein
the signature over the encrypted data packets S10 and S11 is verified with the signature verification certificate of the software developer.
8. The method according to any one of claims 1~7, further comprising:
collecting, on the information safety device manufacturer side, the software and hardware information of the information safety device, generating an encrypted data packet P2 that includes the software and hardware information, and sending the encrypted data packet P2 to the software developer side over the network.
9. The method according to claim 8, wherein:
the encrypted data packet P2 further includes third signature data, the third signature data being generated by signing the software and hardware information with the signature private key of the information safety device manufacturer.
10. A method of producing an information safety device, characterized in that the information safety device is produced jointly online by an information safety device manufacturer and a software developer, the method comprising the following steps performed on the software developer side:
receiving, from the information safety device manufacturer side, an encrypted data packet P1 that includes request data;
decrypting the encrypted data packet P1 to obtain the request data, issuing information safety device initialization data according to the request data, generating an encrypted data packet S1 that includes the information safety device initialization data, and sending it to the information safety device manufacturer side.
11. The method according to claim 10, wherein:
the encrypted data packet P1 further includes first signature data, and
the method further comprises:
verifying, on the software developer side, the signature over the corresponding data in the encrypted data packet P1.
12. The method according to claim 11, wherein
the first signature data is obtained by signing the request data with the signature private key of the information safety device manufacturer, and wherein
the signature over the request data in the encrypted data packet P1 is verified with the signature verification certificate of the information safety device manufacturer.
13. The method according to claim 11, wherein
the encrypted data packet P1 further includes an in-lock public key, the in-lock public key being the public key of a key pair generated in the information safety device by the information safety device manufacturer, and the first signature data is generated by signing the in-lock public key and the request data with the signature private key of the information safety device manufacturer, and wherein
the signature over the in-lock public key and the request data is verified with the signature verification certificate of the information safety device manufacturer.
14. The method according to claim 10, wherein:
the encrypted data packet S1 further includes second signature data.
15. The method according to claim 14, wherein:
the second signature data is obtained by signing the information safety device initialization data with the signature private key of the software developer.
16. The method according to claim 14, wherein:
the encrypted data packet P1 further includes an in-lock public key and first signature data, wherein the in-lock public key is the public key of a key pair generated in the information safety device, and the first signature data is generated by signing the in-lock public key and the request data with the signature private key of the information safety device manufacturer, and
the encrypted data packet S1 is further configured to include an encrypted data packet S10, an encrypted data packet S11 and the second signature data, the encrypted data packet S10 being generated by encrypting the information safety device initialization data with a first key generated by the software developer, the encrypted data packet S11 being generated by encrypting the first key with the in-lock public key, and the second signature data being generated by signing the encrypted data packets S10 and S11 with the signature private key of the software developer.
17. The method according to any one of claims 10~16, further comprising:
receiving, on the software developer side, an encrypted data packet P2 from the information safety device manufacturer side that includes the software and hardware information of the information safety device, and decrypting the encrypted data packet P2 to determine whether the corresponding information safety device was produced successfully.
18. The method according to claim 17, wherein:
the encrypted data packet P2 further includes third signature data obtained by signing the software and hardware information of the information safety device with the signature private key of the information safety device manufacturer, and the method further comprises:
verifying, on the software developer side, the signature over the software and hardware information in the encrypted data packet P2 with the signature verification certificate of the information safety device manufacturer.
19. Information safety device manufacturer side production equipment for producing an information safety device, for jointly producing the information safety device online with software developer side production equipment, the information safety device manufacturer side production equipment comprising:
an encrypted data packet P1 generating and sending unit, configured to generate an encrypted data packet P1 that includes request data and to send the encrypted data packet P1 over a network to the software developer side production equipment;
an encrypted data packet S1 receiving unit, configured to receive an encrypted data packet S1 from the software developer side production equipment, the encrypted data packet S1 including information safety device initialization data issued by the software developer according to the request data;
an encrypted data packet S1 decryption unit, configured to decrypt the encrypted data packet S1 to obtain the information safety device initialization data; and
an information safety device initialization data writing unit, configured to write the information safety device initialization data into the information safety device.
20. The information safety device manufacturer side production equipment as claimed in claim 19, wherein:
the encrypted data packet P1 generating and sending unit is further configured to generate an encrypted data packet P1 that includes the request data and first signature data.
21. The information safety device manufacturer side production equipment as claimed in claim 19, wherein:
the encrypted data packet S1 further includes second signature data, and
the information safety device manufacturer side production equipment further comprises:
an encrypted data packet S1 signature verification unit, configured to verify the signature over the corresponding data in the encrypted data packet S1.
22. The information safety device manufacturer side production equipment as claimed in claim 19, further comprising:
an encrypted data packet P2 generating and sending unit, configured to collect the software and hardware information of the information safety device, generate an encrypted data packet P2 that includes the software and hardware information, and send the encrypted data packet P2 over the network to the software developer side production equipment.
23. The information safety device manufacturer side production equipment as claimed in claim 22, wherein:
the encrypted data packet P2 generating and sending unit is further configured to generate an encrypted data packet P2 that includes the software and hardware information and third signature data, the third signature data being generated by signing the software and hardware information with the signature private key of the information safety device manufacturer.
24. The information safety device manufacturer side production equipment as claimed in any one of claims 19~23, wherein:
the information safety device includes an encryption lock.
25. Software developer side production equipment for producing an information safety device, for jointly producing the information safety device online with information safety device manufacturer side production equipment, the software developer side production equipment comprising:
an encrypted data packet P1 receiving unit, configured to receive, from the information safety device manufacturer side production equipment, an encrypted data packet P1 that includes request data;
an encrypted data packet P1 decryption unit, configured to decrypt the encrypted data packet P1 to obtain the request data;
an encrypted data packet S1 generating and sending unit, configured to issue information safety device initialization data according to the request data, generate an encrypted data packet S1 that includes the information safety device initialization data, and send it to the information safety device manufacturer side production equipment.
26. The software developer side production equipment as claimed in claim 25, wherein:
the encrypted data packet P1 further includes first signature data, and
the software developer side production equipment further comprises:
an encrypted data packet P1 signature verification unit, configured to verify the signature over the corresponding data in the encrypted data packet P1.
27. The software developer side production equipment according to claim 25, wherein:
the encrypted data packet S1 generating and sending unit is further configured to generate an encrypted data packet S1 that includes the information safety device initialization data and second signature data.
28. The software developer side production equipment according to claim 25, further comprising:
an encrypted data packet P2 receiving unit, configured to receive, from the information safety device manufacturer side production equipment, an encrypted data packet P2 that includes the software and hardware information of the information safety device; and
an encrypted data packet P2 decryption unit, configured to decrypt the encrypted data packet P2 to determine whether the corresponding information safety device was produced successfully.
29. The software developer side production equipment as claimed in claim 28, wherein:
the encrypted data packet P2 further includes third signature data generated by signing the software and hardware information with the signature private key of the information safety device manufacturer, and the equipment further comprises:
an encrypted data packet P2 signature verification unit, configured to verify the signature over the software and hardware information in the encrypted data packet P2 with the signature verification certificate of the information safety device manufacturer.
30. The information safety device manufacturer side production equipment as claimed in any one of claims 25~29, wherein:
the information safety device includes an encryption lock.
31. A system for producing an information safety device, characterized by comprising the information safety device manufacturer side production equipment for producing an information safety device as claimed in any one of claims 19~24 and the software developer side production equipment for producing an information safety device as claimed in any one of claims 25~30.
CN201710114184.8A 2017-02-28 2017-02-28 Method for producing information security device, production equipment and system Active CN106682459B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710114184.8A CN106682459B (en) 2017-02-28 2017-02-28 Method for producing information security device, production equipment and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710114184.8A CN106682459B (en) 2017-02-28 2017-02-28 Method for producing information security device, production equipment and system

Publications (2)

Publication Number Publication Date
CN106682459A true CN106682459A (en) 2017-05-17
CN106682459B CN106682459B (en) 2023-04-14

Family

ID=58862096

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710114184.8A Active CN106682459B (en) 2017-02-28 2017-02-28 Method for producing information security device, production equipment and system

Country Status (1)

Country Link
CN (1) CN106682459B (en)


Also Published As

Publication number Publication date
CN106682459B (en) 2023-04-14


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Applicant after: Beijing Shendun Technology Co.,Ltd.

Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Applicant before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.

GR01 Patent grant