CN111144885B - Digital asset hosting method and system - Google Patents

Publication number: CN111144885B
Authority: CN (China)
Prior art keywords: key, dimensional code, management server, server, signed
Legal status: Active
Application number: CN201911290904.1A
Other languages: Chinese (zh)
Other versions: CN111144885A
Inventor: 杜晓楠
Current Assignee: Individual
Original Assignee: Individual
Priority: CN201911290904.1A (CN111144885B), PCT/CN2020/070536 (WO2021114446A1), US17/050,909 (US20220129886A1)
Publications: CN111144885A; CN111144885B (application granted)

Classifications

    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/065 Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme using e-cash
    • G06Q20/3825 Use of electronic signatures
    • G06Q20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management
    • G06Q40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention relates to a digital asset hosting method comprising a step of constructing an asset hosting system, a key application step and a signing step. The invention also relates to a digital asset hosting system. The asset hosting system includes a financial management server in communication with an external network, a management server in communication with the financial management server via a first communication channel, a key server in communication with the management server via a second communication channel, and an offline encryptor in communication with the key server via a third communication channel. With this method and system, the private key is stored in the offline encryptor and signing is also performed in the offline encryptor, which ensures the security of the key, and multi-layer network isolation avoids the drawbacks of exposure to network attack, serious security hazards and the risk of information leakage.

Description

Digital asset hosting method and system
Technical Field
The present invention relates to the field of asset hosting, and more particularly, to a digital asset hosting method and system.
Background
Digital assets are non-monetary assets that are owned or controlled by an enterprise or individual, exist in the form of electronic data, and are held in daily activities for sale or in the process of production. Examples include the software, firmware, executable instructions, digital certificates (e.g., public key certificates) and cryptographic keys of a computerized device. These digital assets are typically stored on digital asset hosting platforms.
Because digital assets are often of high value, many hackers use various techniques to attack digital asset hosting platforms and steal the digital assets they hold. Prior-art digital asset hosting platforms are vulnerable to network attack and carry considerable security hazards and a risk of information leakage.
Disclosure of Invention
To address the drawbacks that prior-art digital asset hosting platforms are vulnerable to network attack and carry considerable security hazards and a risk of information leakage, the invention provides a digital asset hosting method and a digital asset hosting system that protect the key securely and efficiently and thereby ensure the security of the digital assets.
The technical solution adopted by the invention to solve this technical problem is a digital asset hosting method comprising the following steps:
S1, constructing an asset hosting system, wherein the asset hosting system comprises a financial management server communicating with an external network, a management server communicating with the financial management server through a first communication channel, a key server communicating with the management server through a second communication channel, and an offline encryptor communicating with the key server through a third communication channel;
S2, the financial management server receives a key application and transmits it to the key server through the management server, and the key server generates a key and transmits the key to the offline encryptor; the offline encryptor encrypts the key to generate an encrypted private key and a public key, stores the encrypted private key internally and returns the public key to the key server, and the key server returns the public key to the financial management server;
S3, the financial management server receives transaction data that needs to be signed and transmits it to the key server through the management server; the key server encrypts the transaction data with the public key and sends the encrypted data to the offline encryptor; the offline encryptor signs the encrypted data with the encrypted private key and returns the signed data to the key server; and the key server returns the signed data to the financial management server along the original path.
In the digital asset hosting method of the present invention, a first firewall is set in the first communication channel, and the management server is set in an internal network; and a second firewall is arranged in the second communication channel, the key server is arranged in an isolation network, and the key server is physically isolated from the offline encryptor.
In the digital asset hosting method of the present invention, a scanning device and a display device are respectively disposed on the key server and the offline encryption machine.
In the digital asset hosting method according to the present invention, the step S3 further includes:
S31, the financial management server receives the transaction data that needs to be signed from the external network and transmits it to the key server through the management server;
S32, the key server encodes the transaction data that needs to be signed as a two-dimensional code, encrypts the resulting two-dimensional code with the public key, and displays the encrypted two-dimensional code on its display device;
S33, the scanning device on the offline encryptor scans the encrypted two-dimensional code, decrypts it with the local encrypted private key to obtain the transaction data, signs with the local encrypted private key, encodes the signed data as a two-dimensional code to generate a signed two-dimensional code, and displays the signed two-dimensional code on its display device;
S34, the scanning device on the key server scans the signed two-dimensional code to obtain the signature data, and returns the signature data to the financial management server.
In the digital asset hosting method of the present invention, the asset hosting system includes a plurality of offline encryptors, and the key server and each encryptor are provided with a scanning device and a display device.
In the digital asset hosting method according to the present invention, the step S3 further includes:
S3a, the financial management server receives the transaction data that needs to be signed from the external network and transmits it to the key server through the management server, and the management server selects at least two of the plurality of offline encryptors to sign;
S3b, the key server encodes the transaction data that needs to be signed as a two-dimensional code, encrypts the resulting two-dimensional code with the public key, and displays the encrypted two-dimensional code on its display device;
S3c, the scanning device on the first offline encryptor selected by the management server scans the encrypted two-dimensional code, decrypts it with the local encrypted private key to obtain the transaction data, signs with the local encrypted private key, encodes the signed data as a two-dimensional code to generate a primary-signature two-dimensional code, and displays the primary-signature two-dimensional code on its display device;
S3d, the scanning device on the second offline encryptor selected by the management server scans the primary-signature two-dimensional code, decrypts it with the local encrypted private key to obtain the transaction data, performs a secondary signature with the local encrypted private key, encodes the secondary-signature data as a two-dimensional code to generate a secondary-signature two-dimensional code, and displays the secondary-signature two-dimensional code on its display device;
S3e, the scanning device on the key server scans the secondary-signature two-dimensional code to obtain the signature data, and the signature data is returned to the financial management server along the original path.
The technical solution adopted by the invention to solve this technical problem is also a digital asset hosting system comprising: a financial management server in communication with an external network, a management server in communication with the financial management server via a first communication channel, a key server in communication with the management server via a second communication channel, and an offline encryptor in communication with the key server via a third communication channel;
the financial management server receives a key application and transmits it to the key server through the management server, and the key server generates a key and transmits the key to the offline encryptor; the offline encryptor encrypts the key to generate an encrypted private key and a public key, stores the encrypted private key internally and returns the public key to the key server, and the key server returns the public key to the financial management server;
the financial management server receives transaction data that needs to be signed and transmits it to the key server through the management server; the key server encrypts the transaction data with the public key and sends the encrypted data to the offline encryptor; the offline encryptor signs the encrypted data with the encrypted private key and returns the signed data to the key server; and the key server returns the signed data to the financial management server along the original path.
In the digital asset hosting system of the present invention, a first firewall is set in the first communication channel, and the management server is set in an internal network; and a second firewall is arranged in the second communication channel, the key server is arranged in an isolation network, and the key server is physically isolated from the offline encryptor.
In the digital asset hosting system of the present invention, a scanning device and a display device are provided on each of the key server and the offline encryptor; the financial management server receives the transaction data that needs to be signed from the external network and transmits it to the key server through the management server; the key server encodes the transaction data that needs to be signed as a two-dimensional code, encrypts the resulting two-dimensional code with the public key, and displays the encrypted two-dimensional code on its display device; the scanning device on the offline encryptor scans the encrypted two-dimensional code, decrypts it with the local encrypted private key to obtain the transaction data, signs with the local encrypted private key, encodes the signed data as a two-dimensional code to generate a signed two-dimensional code, and displays the signed two-dimensional code on its display device; and the scanning device on the key server scans the signed two-dimensional code to obtain the signature data and returns the signature data to the financial management server.
In the digital asset hosting system of the present invention, the asset hosting system comprises a plurality of offline encryptors, and a scanning device and a display device are provided on the key server and on each offline encryptor; the financial management server receives the transaction data that needs to be signed from the external network and transmits it to the key server through the management server, and the management server selects at least two of the plurality of offline encryptors to sign; the key server encodes the transaction data that needs to be signed as a two-dimensional code, encrypts the resulting two-dimensional code with the public key, and displays the encrypted two-dimensional code on its display device; the scanning device on the first offline encryptor selected by the management server scans the encrypted two-dimensional code, decrypts it with the local encrypted private key to obtain the transaction data, signs with the local encrypted private key, encodes the signed data as a two-dimensional code to generate a primary-signature two-dimensional code, and displays the primary-signature two-dimensional code on its display device; the scanning device on the second offline encryptor selected by the management server scans the primary-signature two-dimensional code, decrypts it with the local encrypted private key to obtain the transaction data, performs a secondary signature with the local encrypted private key, encodes the secondary-signature data as a two-dimensional code to generate a secondary-signature two-dimensional code, and displays the secondary-signature two-dimensional code on its display device; and the scanning device on the key server scans the secondary-signature two-dimensional code to obtain the signature data and returns the signature data to the financial management server.
With the digital asset hosting method and system of the invention, the private key is stored in the offline encryptor and signing is also performed in the offline encryptor, which ensures the security of the key, and multi-layer network isolation avoids the drawbacks of exposure to network attack, serious security hazards and the risk of information leakage. Multi-layer firewall isolation further reduces security hazards, and requiring multiple signatures for a transaction further enhances the security of the transaction.
Drawings
The invention will be further described with reference to the accompanying drawings and examples, in which:
FIG. 1 is a flow diagram of a first embodiment of the digital asset hosting method of the present invention;
FIG. 2 is a flow diagram of the single-signature process of the digital asset hosting method of the present invention;
FIG. 3 is a flow diagram of the secondary-signature process of the digital asset hosting method of the present invention;
FIG. 4 is a functional block diagram of the digital asset hosting system of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
FIG. 1 is a flow diagram of a first embodiment of the digital asset hosting method of the present invention. As shown in FIG. 1, in step S1, an asset hosting system is constructed. FIG. 4 shows a functional block diagram of the asset hosting system according to the present invention. As shown in FIG. 4, the asset hosting system of the present invention includes a financial management server 100 communicating with an external network, a management server 300 communicating with the financial management server 100 via a first communication channel 200, a key server 500 communicating with the management server 300 via a second communication channel 400, and an offline encryptor 700 communicating with the key server 500 via a third communication channel 600. As shown in FIG. 4, a first firewall is disposed in the first communication channel 200, and the management server 300 is disposed in an internal network; a second firewall is disposed in the second communication channel 400, the key server 500 is disposed in an isolated network, and the key server 500 is physically isolated from the offline encryptor 700. In the present invention, offline means not connected to any network.
In step S2, the key application step is performed. In this step, the financial management server 100 receives a key application and transmits it to the management server 300 in the internal network via the first communication channel 200. The management server 300 transmits the key application to the key server 500 in the isolated network via the second communication channel 400. The key server 500 generates a key and passes the key to the offline encryptor 700. The offline encryptor 700 encrypts the key to generate an encrypted private key and a public key, stores the encrypted private key internally and returns the public key to the key server 500, and the key server 500 returns the public key to the financial management server 100. Because firewalls are provided in both the first communication channel 200 and the second communication channel 400, the security assurance capability is enhanced. Furthermore, the external network is isolated from the internal network, the internal network is isolated from the isolated network, and the isolated network is physically isolated from the offline encryptor, so multiple layers of isolation are achieved and the security assurance capability is further enhanced. In addition, the encrypted private key is stored only in the offline encryptor, which further ensures the security of the private key and avoids network attacks.
In step S3, the signing step is performed. When there is transaction data to be signed, the financial management server 100 likewise receives it through the external network. The transaction data to be signed is then transmitted via the first communication channel 200 to the management server 300 in the internal network. The management server 300 transmits it to the key server 500 in the isolated network through the second communication channel 400. The key server 500 encrypts the transaction data with the public key and sends the encrypted data to the offline encryptor 700; the offline encryptor 700 signs the encrypted data with the encrypted private key that it stores and returns the signed data to the key server 500, and the key server 500 returns the signed data to the financial management server 100. The whole signing process is therefore executed only in the offline encryptor, which further ensures the security of the private key and avoids network attacks.
In the digital asset hosting method, the private key is therefore stored in the offline encryptor and signing is also performed in the offline encryptor, which ensures the security of the key, and multi-layer network isolation avoids the drawbacks of exposure to network attack, serious security hazards and the risk of information leakage. Multi-layer firewall isolation further reduces security hazards.
In the preferred embodiment of the invention, signing can be done in several ways. FIG. 2 shows a flow diagram of the single-signature process of the digital asset hosting method of the present invention. As shown in FIG. 2, in this embodiment only one signature is required for each item of transaction data, and at least one offline encryptor 700 may be provided. The key server 500 and the offline encryptor 700 are each provided with a scanning device and a display device. The scanning device can be a barcode scanner gun, and the display device can be a liquid crystal display. The key server 500 and the offline encryptor 700 are located in close physical proximity. The scanning device of the key server 500 is disposed facing the display device of the offline encryptor 700. Similarly, the display device of the key server 500 is disposed facing the scanning device of the offline encryptor 700.
In step S1, the financial management server 100 receives the transaction data requiring signature from the external network and transmits it to the key server 500 through the management server 300. That is, as described above, the financial management server 100 receives the transaction data requiring signature from the external network and transmits it to the management server 300 in the internal network via the first communication channel 200. The management server 300 transmits the transaction data requiring signature to the key server 500 in the isolated network through the second communication channel 400.
In step S2, the key server 500 encodes the transaction data to be signed as a two-dimensional code, encrypts the resulting two-dimensional code with the public key, and displays the encrypted two-dimensional code on its display device. In a preferred embodiment of the present invention, any known encoding method may be used to encode the transaction data into a two-dimensional code that can be shown on a display device. Further, any encryption method may be used to encrypt the resulting two-dimensional code. For example, a common DES and RSA hybrid encryption algorithm may be employed. Preferably, the displayed encrypted two-dimensional code is updated at set time intervals.
In step S3, the scanning device on the offline encryptor 700 scans the encrypted two-dimensional code, decrypts it with the local encrypted private key to obtain the transaction data, signs with the local encrypted private key, encodes the signed data as a two-dimensional code to generate a signed two-dimensional code, and displays the signed two-dimensional code on its display device. Preferably, the scanning device may acquire the two-dimensional code by polling at timed intervals. In another preferred embodiment of the present invention, the scanning device may instead scan continuously, so as to acquire the two-dimensional code as soon as it is displayed.
In step S4, the scanning device on the key server 500 scans the signed two-dimensional code to obtain the signature data, and returns the signature data to the financial management server 100. In this embodiment, the key server 500 and the offline encryptor 700 can communicate only by scanning two-dimensional codes, which ensures the security of the whole process.
FIG. 3 is a flow diagram of the secondary-signature process of the digital asset hosting method of the present invention. In the embodiment shown in FIG. 3, transaction data requiring signature must be signed by at least two offline encryptors 700. The number of offline encryptors 700 required to sign may be selected by the management server 300 according to set rules. For example, the whole system may include a plurality of offline encryptors, and the management server 300 may select at least two of them, or more, to sign in sequence, and all the signatures must be completed for the transaction to take effect. In other preferred embodiments of the invention, the signing order need not be fixed. In this embodiment, the asset hosting system includes a plurality of offline encryptors, and the key server 500 and each offline encryptor are provided with a scanning device and a display device. The key server 500 and the offline encryptors 700 are located in close physical proximity. The scanning device of the key server 500 is disposed facing the display device of at least one offline encryptor 700. Similarly, the display device of the key server 500 is disposed facing the scanning device of at least one of the offline encryptors 700. As will be appreciated by those skilled in the art, the scanning devices and display devices provided on the key server 500 and on each offline encryptor are positioned so that the scanning operations described below can be performed. These scanning devices and display devices may also be arranged to be manually adjustable so that they can face one another in different combinations, to meet the requirements of the management server 300.
As shown in FIG. 3, in step S1, the financial management server 100 receives the transaction data requiring signature from the external network and transmits it to the key server 500 through the management server 300, and the management server 300 selects at least two of the plurality of offline encryptors to sign. For example, in this embodiment, the management server 300 selects a first offline encryptor and a second offline encryptor to sign. In step S2, the key server 500 encodes the transaction data to be signed as a two-dimensional code, encrypts the resulting two-dimensional code with the public key, and displays the encrypted two-dimensional code on its display device. In step S3, the scanning device on the first offline encryptor selected by the management server 300 scans the encrypted two-dimensional code, decrypts it with the local encrypted private key to obtain the transaction data, signs the transaction data with the local encrypted private key, encodes the signed data as a two-dimensional code to generate a primary-signature two-dimensional code, and displays the primary-signature two-dimensional code on its display device. In step S4, the scanning device on the second offline encryptor selected by the management server 300 scans the primary-signature two-dimensional code, decrypts it with the local encrypted private key to obtain the transaction data, performs a secondary signature with the local encrypted private key, encodes the secondary-signature data as a two-dimensional code to generate a secondary-signature two-dimensional code, and displays the secondary-signature two-dimensional code on its display device.
In step S4, the scanning device on the key server 500 scans and acquires the two-dimensional code with the secondary signature to obtain the signature data, and returns the signature data to the financial management server 100.
In this embodiment, the specific encryption and signature process is similar to the embodiment shown in fig. 2. The difference is that two signatures are required. The two-time signature mode is adopted, so that the security of the whole system is guaranteed. In other preferred embodiments of the invention, multiple signatures may be provided to further increase security.
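The two-stage signing flow of Fig. 3, sketched as an added example (not code from the patent): each encryptor scans a frame and appends its signature, and the key server accepts the result only if every encryptor selected by the management server signed, in order. Assumptions: the JSON/base64 frame stands in for the two-dimensional code, a Lamport one-time hash signature stands in for the unspecified signature algorithm (its 8 KB signatures would span several real QR frames), each signer also covers the earlier signatures, the public-key encryption of the frame is left out, and all names are hypothetical.

```python
import base64
import hashlib
import json
import secrets

def sha256(data):
    return hashlib.sha256(data).digest()

def digest_bits(digest):
    # 256 message bits, most significant bit first
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def encode_frame(envelope):
    # Stand-in for two-dimensional code encoding (assumption): JSON -> base64 text
    return base64.b64encode(json.dumps(envelope).encode()).decode()

def decode_frame(frame):
    return json.loads(base64.b64decode(frame))

def signed_message(envelope):
    # Transaction bytes followed by every signature already in the envelope
    prior = b"".join(base64.b64decode(s["sig"]) for s in envelope["sigs"])
    return base64.b64decode(envelope["tx"]) + prior

class OfflineEncryptor:
    """Hypothetical model of one offline encryptor; the secret key never leaves it."""

    def __init__(self, name):
        self.name, self._used = name, False
        self._sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
        self.public_key = [(sha256(a), sha256(b)) for a, b in self._sk]

    def scan_and_sign(self, frame):
        if self._used:
            raise RuntimeError("Lamport keys are one-time; rotate before signing again")
        envelope = decode_frame(frame)
        bits = digest_bits(sha256(signed_message(envelope)))
        sig = b"".join(self._sk[i][bit] for i, bit in enumerate(bits))
        envelope["sigs"].append({"signer": self.name, "sig": base64.b64encode(sig).decode()})
        self._used = True
        return encode_frame(envelope)  # shown on the encryptor's display

def verify_chain(frame, expected_tx, selected, public_keys):
    """Key-server check: right transaction, right signers in order, valid signatures."""
    envelope = decode_frame(frame)
    if base64.b64decode(envelope["tx"]) != expected_tx:
        return False
    if [s["signer"] for s in envelope["sigs"]] != selected:
        return False
    checked = {"tx": envelope["tx"], "sigs": []}
    for entry in envelope["sigs"]:
        sig = base64.b64decode(entry["sig"])
        if len(sig) != 256 * 32:
            return False
        bits = digest_bits(sha256(signed_message(checked)))
        pk = public_keys[entry["signer"]]
        for i, bit in enumerate(bits):
            if sha256(sig[32 * i:32 * i + 32]) != pk[i][bit]:
                return False
        checked["sigs"].append(entry)
    return True

def demo():
    tx = b'{"to": "constructed-address", "amount": "1.5"}'  # constructed sample data
    first, second = OfflineEncryptor("encryptor-1"), OfflineEncryptor("encryptor-2")
    keys = {e.name: e.public_key for e in (first, second)}
    selected = [first.name, second.name]  # order chosen by the management server
    frame0 = encode_frame({"tx": base64.b64encode(tx).decode(), "sigs": []})
    frame1 = first.scan_and_sign(frame0)   # primary signed frame
    frame2 = second.scan_and_sign(frame1)  # secondary signed frame
    return tx, selected, keys, frame1, frame2

if __name__ == "__main__":
    tx, selected, keys, frame1, frame2 = demo()
    print(verify_chain(frame2, tx, selected, keys))
```

A frame carrying only the primary signature, a frame whose signers are not in the selected order, and a frame whose transaction bytes were changed after signing are all rejected by `verify_chain`.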
The invention also relates to a digital asset hosting system. As shown in fig. 4, the asset hosting system of the present invention includes a financial management server 100 communicating with an external network, a management server 300 communicating with the financial management server 100 via a first communication channel 200, a key server 500 communicating with the management server 300 via a second communication channel 400, and an offline encryptor 700 communicating with the key server 500 via a third communication channel 600. As shown in fig. 4, a first firewall is disposed in the first communication channel 200, and the management server 300 is disposed in an internal network; a second firewall is disposed in the second communication channel 400, the key server 500 is disposed in an isolated network, and the key server 500 is physically isolated from the offline encryptor 700. The construction and function of the asset hosting system of the present invention may refer to the embodiments shown in fig. 1-3 and will not be further elaborated herein.
By implementing the digital asset hosting method and system, the private key is stored in the offline encryptor and signing is also performed in the offline encryptor, which ensures the security of the key; multi-layer network isolation avoids the defects of network attack, large potential safety hazards and information leakage risk. Multi-layer firewall isolation further avoids potential safety hazards, and requiring a plurality of signatures further enhances the security of the transactions.
Thus, the present invention may be realized in hardware, software, or a combination of hardware and software. The invention may be implemented in a centralized fashion in at least one computer system or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system or other apparatus adapted for carrying out the methods of the invention is suited. The combination of hardware and software may be a general-purpose computer system with a computer program installed thereon, which, when executed, controls the computer system such that it carries out the methods of the present invention.
The present invention can also be realized by a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which when installed in a computer system is able to carry out these methods. The computer program in this document refers to: any expression, in any programming language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; b) reproduction in a different format.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the invention without departing from its scope. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed, but that the invention will include all embodiments falling within the scope of the appended claims.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.

Claims (10)

1. A digital asset hosting method, comprising:
S1, constructing an asset hosting system, wherein the asset hosting system comprises a financial management server communicating with an external network, a management server communicating with the financial management server through a first communication channel, a key server communicating with the management server through a second communication channel and an offline encryptor communicating with the key server through a third communication channel;
S2, the financial management server receives a key application and transmits the key application to the key server through the management server, and the key server generates a key and transmits the key to the offline encryptor; the offline encryptor encrypts the key to generate an encrypted private key and a public key, stores the encrypted private key internally and returns the public key to the key server, and the key server returns the public key to the financial management server;
S3, the financial management server receives transaction data needing to be signed and transmits the transaction data to the key server through the management server, the key server encrypts the transaction data with a public key and then transmits the encrypted data to the offline encryptor, the offline encryptor signs the encrypted data with the encrypted private key and then returns the signed data to the key server, and the key server returns the signed data to the financial management server along the original path.
2. The digital asset hosting method of claim 1, wherein a first firewall is disposed in the first communication channel, and the management server is disposed in an internal network; and a second firewall is arranged in the second communication channel, the key server is arranged in an isolation network, and the key server is physically isolated from the offline encryptor.
3. The digital asset hosting method of claim 2, wherein a scanning device and a display device are provided on each of the key server and the offline encryptor.
4. The digital asset hosting method of claim 3, wherein step S3 further comprises:
S31, the financial management server receives the transaction data needing to be signed from the external network and transmits the transaction data to the key server through the management server;
S32, the key server encodes the transaction data needing to be signed as a two-dimensional code, encrypts the obtained two-dimensional code with a public key, and displays the encrypted two-dimensional code on its display device;
S33, a scanning device on the offline encryptor scans the encrypted two-dimensional code, decrypts the encrypted two-dimensional code with a local encryption private key to obtain the transaction data, signs with the local encryption private key, encodes the signed data as a two-dimensional code to generate a signature two-dimensional code, and then displays the signature two-dimensional code on its display device;
S34, a scanning device on the key server scans the signature two-dimensional code to obtain the signature data, and the signature data is returned to the financial management server.
5. The digital asset hosting method of claim 2, wherein the asset hosting system comprises a plurality of offline encryptors, the key server and each encryptor having a scanning device and a display device disposed thereon.
6. The digital asset hosting method of claim 5, wherein step S3 further comprises:
S3a, the financial management server receives the transaction data needing to be signed from the external network and transmits the transaction data to the key server through the management server, and the management server selects at least two of the plurality of offline encryptors to sign;
S3b, the key server encodes the transaction data needing to be signed as a two-dimensional code, encrypts the obtained two-dimensional code with a public key, and displays the encrypted two-dimensional code on its display device;
S3c, a scanning device on a first encryptor selected by the management server scans the encrypted two-dimensional code, decrypts the encrypted two-dimensional code with a local encryption private key to obtain the transaction data, signs with the local encryption private key, encodes the signed data as a two-dimensional code to generate a primary signature two-dimensional code, and then displays the primary signature two-dimensional code on its display device;
S3d, a scanning device on a second encryptor selected by the management server scans the primary signature two-dimensional code, decrypts the primary signature two-dimensional code with a local encryption private key to obtain the transaction data, performs a secondary signature with the local encryption private key, encodes the secondary signature data as a two-dimensional code to generate a secondary signature two-dimensional code, and then displays the secondary signature two-dimensional code on its display device;
S3e, a scanning device on the key server scans the secondary signature two-dimensional code to obtain the signature data, and the signature data is returned to the financial management server along the original path.
7. A digital asset hosting system, comprising: a financial management server in communication with an external network, a management server in communication with the financial management server via a first communication channel, a key server in communication with the management server via a second communication channel, and an offline encryptor in communication with the key server via a third communication channel;
the financial management server receives a key application and transmits the key application to the key server through the management server, and the key server generates a key and transmits the key to the offline encryptor; the offline encryptor encrypts the key to generate an encrypted private key and a public key, stores the encrypted private key internally and returns the public key to the key server, and the key server returns the public key to the financial management server;
the financial management server receives transaction data needing to be signed and transmits the transaction data to the key server through the management server, the key server encrypts the transaction data with a public key and then transmits the encrypted data to the offline encryptor, the offline encryptor signs the encrypted data with the encrypted private key and then returns the signed data to the key server, and the key server returns the signed data to the financial management server along the original path.
8. The digital asset hosting system of claim 7, wherein a first firewall is disposed in the first communication channel, and wherein the management server is disposed in an internal network; and a second firewall is arranged in the second communication channel, the key server is arranged in an isolation network, and the key server is physically isolated from the offline encryptor.
9. The digital asset hosting system of claim 7, wherein the key server and the offline encryptor are each provided with a scanning device and a display device; the financial management server receives the transaction data needing to be signed from the external network and transmits the transaction data to the key server through the management server; the key server encodes the transaction data needing to be signed as a two-dimensional code, encrypts the obtained two-dimensional code with a public key, and displays the encrypted two-dimensional code on its display device; the scanning device on the offline encryptor scans the encrypted two-dimensional code, decrypts the encrypted two-dimensional code with a local encryption private key to obtain the transaction data, signs with the local encryption private key, encodes the signed data as a two-dimensional code to generate a signature two-dimensional code, and then displays the signature two-dimensional code on its display device; and a scanning device on the key server scans the signature two-dimensional code to obtain the signature data, and returns the signature data to the financial management server.
10. The digital asset hosting system of claim 7, wherein the asset hosting system comprises a plurality of offline encryptors, the key server and each encryptor having a scanning device and a display device disposed thereon; the financial management server receives the transaction data needing to be signed from the external network and transmits the transaction data to the key server through the management server, and the management server selects at least two of the plurality of offline encryptors to sign; the key server encodes the transaction data needing to be signed as a two-dimensional code, encrypts the obtained two-dimensional code with a public key, and displays the encrypted two-dimensional code on its display device; a scanning device on a first encryptor selected by the management server scans the encrypted two-dimensional code, decrypts the encrypted two-dimensional code with a local encryption private key to obtain the transaction data, signs with the local encryption private key, encodes the signed data as a two-dimensional code to generate a primary signature two-dimensional code, and displays the primary signature two-dimensional code on its display device; a scanning device on a second encryptor selected by the management server scans the primary signature two-dimensional code, decrypts the primary signature two-dimensional code with a local encryption private key to obtain the transaction data, performs a secondary signature with the local encryption private key, encodes the secondary signature data as a two-dimensional code to generate a secondary signature two-dimensional code, and then displays the secondary signature two-dimensional code on its display device; and a scanning device on the key server scans the secondary signature two-dimensional code to obtain the signature data, and returns the signature data to the financial management server.
CN201911290904.1A 2019-12-13 2019-12-13 Digital asset hosting method and system Active CN111144885B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201911290904.1A CN111144885B (en) 2019-12-13 2019-12-13 Digital asset hosting method and system
PCT/CN2020/070536 WO2021114446A1 (en) 2019-12-13 2020-01-06 Digital asset isolation management system and method
US17/050,909 US20220129886A1 (en) 2019-12-13 2020-01-06 System and method for isolated management of digital assets

Publications (2)

Publication Number Publication Date
CN111144885A CN111144885A (en) 2020-05-12
CN111144885B true CN111144885B (en) 2023-06-06
