Encryption device and method

An encryption device and encryption method applied to secure communication devices and key distribution, intended to increase the difficulty of forging a license and to improve security.

Active Publication Date: 2016-08-10
MIDEA GRP CO LTD
11 Cites 12 Cited by

AI-Extracted Technical Summary

Problems solved by technology

[0004] The main purpose of the present invention is to provide an encryption device and method, ai...

Method used

[0052] The license server obtains the pre-stored USB shield public key and uses it to re-encrypt the encryption key obtained by the SM4 algorithm. The U-shield is a tool for electronic signature and digital authentication in online banking. It has a built-in micro smart card processor and uses a 1024-bit asymmetric key algorithm to encrypt, decrypt and digitally sign online data, ensuring the confidentiality, authenticity, integrity and non-repudiation of online transactions.

Abstract

The invention discloses an encryption device. The encryption device comprises a processing module, a first encryption module and a second encryption module, wherein the processing module is used for generating a license according to a license private key when the license private key is obtained; the first encryption module is used for obtaining related data generated by a license server after the license is generated, and encrypting the related data by using an encryption algorithm to generate an encryption key; and the second encryption module is used for obtaining a U shield public key and encrypting the encryption key through the U shield public key. The invention further discloses an encryption method. According to the encryption device and method disclosed by the invention, the safety in the process of producing the license is improved; and the counterfeit difficulty of the license is increased.

Example Embodiment

[0039] It should be understood that the specific embodiments described herein are only used to explain the present invention, but not to limit the present invention.
[0040] The invention provides an encryption device.
[0041] Referring to Figure 1, Figure 1 is a functional block diagram of the first embodiment of the encryption device of the present invention.
[0042] In this embodiment, the encryption device includes:
[0043] The processing module 10 is configured to generate a license according to the license private key when the license private key is obtained;
[0044] When a license needs to be produced, a MAC (Media Access Control) address is assigned to the license to be generated, and the relevant information for the license is filled in on the license production page, such as the MAC address corresponding to the license and the identification number corresponding to the license. During license production, the license server obtains the license private key and generates the license from the license private key it obtained. The license private key is generated by the SM2 encryption algorithm; when SM2 generates the license private key it also generates the license public key, the license public key being an asymmetric public key and the license private key an asymmetric private key. SM2 is an elliptic curve public key cryptographic algorithm issued by the State Cryptography Administration, with an encryption strength of 256 bits; the SM2 algorithm supports signature, key exchange and encryption. Further, a PCI (Peripheral Component Interconnect) encryption card can be installed in the license server. The PCI encryption card is a hardware device with a PCI bus interface, installed in a computer terminal to provide file encryption and decryption functions. To ensure that the license private key in the license server is not lost if the PCI encryption card is damaged, it is recommended that the license private key be encrypted, backed up and stored properly. To ensure that the license private key is not leaked through the backup, it is recommended to follow the practice of the financial industry: two employees are responsible for the password that encrypts the backup of the license private key, one entering the first half of the password and the other the second half.
When the license private key is restored, both must be present at the same time to complete the restoration.
[0045] Further, the processing module 10 includes:
[0046] The first processing unit is configured to obtain the media access control MAC address and generate a set of random numbers when the license private key is obtained;
[0047] The second processing unit is configured to use the license private key to digitally sign the MAC address and the random number to obtain a signature result, and generate a license according to the signature result.
[0048] When the license server obtains the license private key, it obtains the MAC address and generates a set of random numbers. Once the random number is generated, the license server combines it with the MAC address, signs the combined random number and MAC address with the license private key to obtain the signature result, and generates the license from the signature result; that is, the signature result is used as the license. The random number is an irregular random number, that is, a true random number, 256 bits (32 bytes) in total. A digital signature is a digital string that can only be generated by the sender of the information and cannot be forged by others; it is also an effective proof of the authenticity of the information sent by the sender. Digital signatures are an application of asymmetric key encryption technology and digital digest technology.
[0049] The first encryption module 20 is configured to obtain relevant data generated by the license server after generating the license, encrypt the relevant data using an encryption algorithm, and generate an encryption key;
[0050] After the license is generated, the license server generates relevant data and encrypts it with an encryption algorithm to generate an encryption key. The related data includes, but is not limited to, the MAC address, the random number, the private key of the household electrical appliance, the public key of the household electrical appliance, the session key, and the license. The public key and private key of the household electrical appliance are generated by the SM2 encryption algorithm and form an asymmetric key pair. It should be noted that in this embodiment the home appliance asymmetric public key is 64 bytes and the home appliance asymmetric private key is 32 bytes. The session key is 32 bytes; it is a randomly generated encryption and decryption key that secures a communication session between the user and another computer, or between two computers. The license is 64 bytes. The encryption algorithm used to encrypt the related data is the SM4 algorithm. SM4 is a symmetric block cipher: the plaintext, key and ciphertext are all 16 bytes, and the encryption and decryption keys are the same. Encryption and decryption are realized through a non-linear iterative round function repeated for 32 rounds, consisting of a non-linear S-box transformation and a linear transformation built from cyclic shifts and exclusive OR. The basic process is: first divide the 16-byte key into 4 groups of 4 bytes and generate 32 four-byte round keys with the key expansion algorithm; then divide the 16 bytes of input data into 4 groups of 4 bytes and perform the round operation.
[0051] The second encryption module 30 is configured to obtain a USB-Shield public key, and encrypt the encryption key with the USB-Shield public key.
[0052] The license server obtains the pre-stored USB-Shield public key and uses it to re-encrypt the encryption key obtained by the SM4 algorithm. The USB-Shield is a tool for electronic signature and digital authentication in online banking. It has a built-in micro smart card processor and uses a 1024-bit asymmetric key algorithm to encrypt, decrypt and digitally sign online data, ensuring the confidentiality, authenticity, integrity and non-repudiation of online transactions.
[0053] In this embodiment, a license is generated according to the license private key; after the license is generated, the relevant data generated by the license server is obtained and encrypted with an encryption algorithm to generate an encryption key; and the USB-Shield public key is obtained and used to encrypt the encryption key. This improves the security of the license production process and increases the difficulty of forging the license.
[0054] Referring to Figure 2, Figure 2 is a schematic diagram of the functional modules of the second embodiment of the encryption device of the present invention. The second embodiment of the encryption device is proposed on the basis of the first embodiment.
[0055] In this embodiment, the encryption device further includes:
[0056] The first storage module 40 is configured to store the encryption key in a comma separated value CSV file;
[0057] When the encryption key is obtained through the SM4 algorithm, the license server stores it in a CSV (Comma-Separated Values) file, that is, writes the encryption key into the CSV file. When writing the encryption key into the CSV file, the license server simultaneously writes the MAC address into the CSV file. Further, the MAC address and the encryption key are written into the CSV file as two separate columns so that the data can be conveniently looked up later.
[0058] The second storage module 50 is configured to store the encryption key encrypted by the U-Shield public key in the authorization file.
[0059] When the license server obtains the encryption key encrypted by the USB-Shield public key, it stores the encrypted encryption key in an authorization file, that is, a key file. When the manufacturer inserts the USB-Shield into the terminal of the tooling, that is, when the terminal detects the USB-Shield, the terminal obtains the USB-Shield private key; the USB-Shield private key and the USB-Shield public key are generated by the SM2 algorithm. When the terminal detects a start instruction for the tooling software, it starts the tooling software according to the instruction and obtains the CSV file and the key file. The terminal decrypts the authorization file with the USB-Shield private key to obtain the encryption key, and decrypts the CSV file with the encryption key to obtain the relevant data, that is, the MAC address, the random number, the home appliance private key, the home appliance public key, the session key and the license. The terminal includes, but is not limited to, a personal computer.
[0060] In this embodiment, the encryption key is stored in a CSV file and the encryption key encrypted by the USB-Shield public key is stored in an authorization file, so that when manufacturers subsequently burn the license, the encryption key is recovered from the authorization file by means of the USB-Shield key, and the relevant data of the license is recovered with the encryption key. Only a user who holds the USB-Shield private key can obtain the relevant data of the license, which further improves the security of the license.
[0061] Referring to Figure 3, Figure 3 is a schematic diagram of the functional modules of the third embodiment of the encryption device of the present invention. The third embodiment of the encryption device is proposed on the basis of the first embodiment.
[0062] In this embodiment, the encryption device further includes:
[0063] The sending module 60 is configured to send the MAC address, the random number, the public key of the household appliance, the session key, and the license to the cloud, so that the cloud can back up the MAC address, the random number, the public key of the household appliance, the session key, and the license.
[0064] When the license server obtains the relevant data it generated, that is, the MAC address, the random number, the public key of the home appliance, the private key of the home appliance, the session key and the license, it sends the MAC address, the random number, the public key of the home appliance, the session key and the license to the cloud, so that the cloud can back up the MAC address, the random number, the public key of the home appliance, the session key and the license. If the relevant data is lost during a software upgrade of the WiFi module in the home appliance, the MAC address, the random number, the public key of the home appliance, the session key and the license can be retrieved from the cloud. Further, the license server sends data such as the MAC address, the random number, the public key of the home appliance, the private key of the home appliance, the session key and the license to the WiFi module of the home appliance, where the security of the WiFi module is verified by means of this data. It should be noted that step S60 does not have to follow step S20 and can also be performed simultaneously with step S20.
[0065] In this embodiment, the MAC address, the random number, the home appliance public key, the session key and the license are sent to the cloud, so that the cloud can back them up. This prevents the home appliance from losing data such as the MAC address, the random number, the home appliance public key, the session key and the license, since this data can be retrieved from the cloud.
[0066] The present invention further provides an encryption method.
[0067] Referring to Figure 4, Figure 4 is a schematic flowchart of the first embodiment of the encryption method of the present invention.
[0068] In this embodiment, the encryption method includes:
[0069] Step S10, when the license private key is obtained, a license is generated according to the license private key;
[0070] When a license needs to be produced, a MAC (Media Access Control) address is assigned to the license to be generated, and the relevant information for the license is filled in on the license production page, such as the MAC address corresponding to the license and the identification number corresponding to the license. During license production, the license server obtains the license private key and generates the license from the license private key it obtained. The license private key is generated by the SM2 encryption algorithm; when SM2 generates the license private key it also generates the license public key, the license public key being an asymmetric public key and the license private key an asymmetric private key. SM2 is an elliptic curve public key cryptographic algorithm issued by the State Cryptography Administration, with an encryption strength of 256 bits; the SM2 algorithm supports signature, key exchange and encryption. Further, a PCI (Peripheral Component Interconnect) encryption card can be installed in the license server. The PCI encryption card is a hardware device with a PCI bus interface, installed in a computer terminal to provide file encryption and decryption functions. To ensure that the license private key in the license server is not lost if the PCI encryption card is damaged, it is recommended that the license private key be encrypted, backed up and stored properly. To ensure that the license private key is not leaked through the backup, it is recommended to follow the practice of the financial industry: two employees are responsible for the password that encrypts the backup of the license private key, one entering the first half of the password and the other the second half.
When the license private key is restored, both must be present at the same time to complete the restoration.
[0071] Further, the step S10 includes:
[0072] Step a: When obtaining the license private key, obtain the MAC address and generate a set of random numbers;
[0073] Step b: Use the license private key to digitally sign the MAC address and the random number to obtain a signature result, and generate a license according to the signature result.
[0074] When the license server obtains the license private key, it obtains the MAC address and generates a set of random numbers. Once the random number is generated, the license server combines it with the MAC address, signs the combined random number and MAC address with the license private key to obtain the signature result, and generates the license from the signature result; that is, the signature result is used as the license. The random number is an irregular random number, that is, a true random number, 256 bits (32 bytes) in total. A digital signature is a digital string that can only be generated by the sender of the information and cannot be forged by others; it is also an effective proof of the authenticity of the information sent by the sender. Digital signatures are an application of asymmetric key encryption technology and digital digest technology.
[0075] Step S20: After the license is generated, the relevant data generated by the license server is obtained, and the relevant data is encrypted using an encryption algorithm to generate an encryption key;
[0076] After the license is generated, the license server generates relevant data and encrypts it with an encryption algorithm to generate an encryption key. The related data includes, but is not limited to, the MAC address, the random number, the private key of the household electrical appliance, the public key of the household electrical appliance, the session key, and the license. The public key and private key of the household electrical appliance are generated by the SM2 encryption algorithm and form an asymmetric key pair. It should be noted that in this embodiment the home appliance asymmetric public key is 64 bytes and the home appliance asymmetric private key is 32 bytes. The session key is 32 bytes; it is a randomly generated encryption and decryption key that secures a communication session between the user and another computer, or between two computers. The license is 64 bytes. The encryption algorithm used to encrypt the related data is the SM4 algorithm. SM4 is a symmetric block cipher: the plaintext, key and ciphertext are all 16 bytes, and the encryption and decryption keys are the same. Encryption and decryption are realized through a non-linear iterative round function repeated for 32 rounds, consisting of a non-linear S-box transformation and a linear transformation built from cyclic shifts and exclusive OR. The basic process is: first divide the 16-byte key into 4 groups of 4 bytes and generate 32 four-byte round keys with the key expansion algorithm; then divide the 16 bytes of input data into 4 groups of 4 bytes and perform the round operation.
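The following is an added worked example, not code from the patent or from Midea: a pure-Python SM4 implementation laid out the way [0050] and [0076] describe the cipher (a 16-byte key split into four words and expanded into 32 four-byte round keys; 32 rounds of an S-box substitution followed by a rotate-and-XOR linear transform), plus a CBC wrapper so that a record longer than one block, such as the 230 bytes of related data, can be encrypted. The S-box, FK and CK values are the published SM4 constants from GB/T 32907-2016. The choice of CBC mode with PKCS#7 padding and a caller-supplied IV is an assumption, since the patent names only the block cipher.

```python
import struct

# SM4 S-box, 256 entries, row-major (GB/T 32907-2016).
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948"
)
# System parameter FK and the 32 fixed parameters CK (byte j of CK_i is (4i+j)*7 mod 256).
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = tuple(sum(((4 * i + j) * 7 % 256) << (24 - 8 * j) for j in range(4)) for i in range(32))


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def tau(a):
    """Non-linear layer: apply the S-box to each of the four bytes of a 32-bit word."""
    return int.from_bytes(bytes(SBOX[b] for b in a.to_bytes(4, "big")), "big")


def t_round(a):
    """Round function T = L(tau(a)): S-box, then the rotate/XOR linear transform L."""
    b = tau(a)
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)


def t_key(a):
    """Key-schedule variant T' with the lighter linear transform L'."""
    b = tau(a)
    return b ^ rotl(b, 13) ^ rotl(b, 23)


def expand_key(key):
    """Split the 16-byte key into 4 words and derive the 32 round keys rk_0..rk_31."""
    if len(key) != 16:
        raise ValueError("SM4 key must be 16 bytes")
    k = [mk ^ fk for mk, fk in zip(struct.unpack(">4I", key), FK)]
    for i in range(32):
        k.append(k[i] ^ t_key(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
    return k[4:]


def crypt_block(block, rk):
    """32 rounds over four 32-bit words, then output the last four words reversed."""
    x = list(struct.unpack(">4I", block))
    for i in range(32):
        x.append(x[i] ^ t_round(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rk[i]))
    return struct.pack(">4I", x[35], x[34], x[33], x[32])


def encrypt_block(key, plaintext):
    return crypt_block(plaintext, expand_key(key))


def decrypt_block(key, ciphertext):
    # Decryption is the same round structure with the round keys in reverse order.
    return crypt_block(ciphertext, expand_key(key)[::-1])


# CBC mode with PKCS#7 padding for records longer than one block (assumption:
# the patent names only the block cipher, not a mode).  Use a fresh random IV per record.
def pkcs7_pad(data):
    n = 16 - len(data) % 16
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def encrypt_cbc(key, iv, data):
    rk, prev, out = expand_key(key), iv, bytearray()
    padded = pkcs7_pad(data)
    for i in range(0, len(padded), 16):
        prev = crypt_block(bytes(a ^ b for a, b in zip(padded[i:i + 16], prev)), rk)
        out += prev
    return bytes(out)


def decrypt_cbc(key, iv, ciphertext):
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext must be a whole number of 16-byte blocks")
    rk, prev, out = expand_key(key)[::-1], iv, bytearray()
    for i in range(0, len(ciphertext), 16):
        blk = ciphertext[i:i + 16]
        out += bytes(a ^ b for a, b in zip(crypt_block(blk, rk), prev))
        prev = blk
    return pkcs7_unpad(bytes(out))
```

The standard's test vector checks the core: encrypting the block 0123456789abcdeffedcba9876543210 under a key of the same bytes gives 681edf34d206965e86b3e94f536e4246. As the paragraph above states, SM4 transforms a single 16-byte block, so the multi-field related data needs a mode of operation; the CBC wrapper shows one way to do that, and the IV must not be reused across records, since a repeated IV under the same key reveals which records share a leading block.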
[0077] Step S30: Obtain the USB-Shield public key, and encrypt the encryption key with the USB-Shield public key.
[0078] The license server obtains the pre-stored USB-Shield public key and uses it to re-encrypt the encryption key obtained by the SM4 algorithm. The USB-Shield is a tool for electronic signature and digital authentication in online banking. It has a built-in micro smart card processor and uses a 1024-bit asymmetric key algorithm to encrypt, decrypt and digitally sign online data, ensuring the confidentiality, authenticity, integrity and non-repudiation of online transactions.
[0079] In this embodiment, a license is generated according to the license private key; after the license is generated, the relevant data generated by the license server is obtained and encrypted with an encryption algorithm to generate an encryption key; and the USB-Shield public key is obtained and used to encrypt the encryption key. This improves the security of the license production process and increases the difficulty of forging the license.
[0080] Referring to Figure 5, Figure 5 is a schematic flowchart of the second embodiment of the encryption method of the present invention; the second embodiment of the encryption method is proposed on the basis of the first embodiment of the encryption method.
[0081] In this embodiment, the encryption method further includes:
[0082] Step S40, storing the encryption key in a comma separated value CSV file;
[0083] When the encryption key is obtained through the SM4 algorithm, the license server stores it in a CSV (Comma-Separated Values) file, that is, writes the encryption key into the CSV file. When writing the encryption key into the CSV file, the license server simultaneously writes the MAC address into the CSV file. Further, the MAC address and the encryption key are written into the CSV file as two separate columns so that the data can be conveniently looked up later.
[0084] In step S50, the encryption key encrypted by the U-Shield public key is stored in the authorization file.
[0085] When the license server obtains the encryption key encrypted by the USB-Shield public key, it stores the encrypted encryption key in an authorization file, that is, a key file. When the manufacturer inserts the USB-Shield into the terminal of the tooling, that is, when the terminal detects the USB-Shield, the terminal obtains the USB-Shield private key; the USB-Shield private key and the USB-Shield public key are generated by the SM2 algorithm. When the terminal detects a start instruction for the tooling software, it starts the tooling software according to the instruction and obtains the CSV file and the key file. The terminal decrypts the authorization file with the USB-Shield private key to obtain the encryption key, and decrypts the CSV file with the encryption key to obtain the relevant data, that is, the MAC address, the random number, the home appliance private key, the home appliance public key, the session key and the license. The terminal includes, but is not limited to, a personal computer.
[0086] In this embodiment, the encryption key is stored in a CSV file and the encryption key encrypted by the USB-Shield public key is stored in an authorization file, so that when manufacturers subsequently burn the license, the encryption key is recovered from the authorization file by means of the USB-Shield key, and the relevant data of the license is recovered with the encryption key. Only a user who holds the USB-Shield private key can obtain the relevant data of the license, which further improves the security of the license.
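As an added example (not the patent's or Midea's code), the following Python builds and parses the related-data record of [0050]/[0076] with the byte sizes the patent states (6-byte MAC address, 32-byte random number, 32-byte appliance private key, 64-byte appliance public key, 32-byte session key, 64-byte license), constructs the MAC-plus-random message that the license private key signs in [0048]/[0074], and writes and looks up the two-column MAC / encryption-key CSV of [0057]/[0083] that the tooling terminal reads in [0059]/[0085]. The field order, the CSV header row, the hex encoding of the key column and the use of the OS CSPRNG in place of a hardware true random source are assumptions; SM2 signing and the USB-Shield wrapping are outside the Python standard library and are not included.

```python
import csv
import io
import secrets

# Field sizes in bytes as stated in the patent; the field order is an assumption.
FIELDS = (
    ("mac", 6),              # MAC address of the appliance
    ("random", 32),          # 256-bit true random number
    ("appliance_priv", 32),  # home appliance SM2 private key
    ("appliance_pub", 64),   # home appliance SM2 public key
    ("session_key", 32),     # session key
    ("license", 64),         # license, i.e. the signature over MAC || random
)
RECORD_LEN = sum(size for _, size in FIELDS)  # 230 bytes


def mac_to_bytes(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 bytes, rejecting malformed input."""
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw):
    """Canonical lower-case colon form, used to normalise CSV keys."""
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return ":".join(f"{x:02x}" for x in raw)


def new_random_number():
    """32-byte random number to be signed with the MAC.  The OS CSPRNG stands in
    for the hardware true random source the patent describes (assumption)."""
    return secrets.token_bytes(32)


def signing_input(mac, random_number):
    """MAC || random: the 38-byte message the license private key signs."""
    if len(random_number) != 32:
        raise ValueError("random number must be 32 bytes")
    return mac_to_bytes(mac) + random_number


def build_related_data(**fields):
    """Concatenate the related-data fields in FIELDS order, enforcing each length."""
    out = bytearray()
    for name, size in FIELDS:
        value = fields[name]
        if len(value) != size:
            raise ValueError(f"{name}: expected {size} bytes, got {len(value)}")
        out += value
    return bytes(out)


def parse_related_data(blob):
    """Inverse of build_related_data; rejects records of the wrong length."""
    if len(blob) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(blob)}")
    record, offset = {}, 0
    for name, size in FIELDS:
        record[name] = blob[offset:offset + size]
        offset += size
    return record


def write_key_csv(rows):
    """Two-column CSV (header assumed): MAC address and the per-license key in hex."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["mac", "encryption_key"])
    for mac, key in rows:
        writer.writerow([bytes_to_mac(mac_to_bytes(mac)), key.hex()])
    return buf.getvalue()


def find_key_by_mac(csv_text, mac):
    """Return the encryption-key column for a MAC, or None if the MAC is absent."""
    wanted = bytes_to_mac(mac_to_bytes(mac))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["mac"] == wanted:
            return bytes.fromhex(row["encryption_key"])
    return None
```

The length checks are the point of the record functions: a terminal that parses a 230-byte layout by fixed offsets will silently misread every later field if one value is short or long, so the builder refuses such input and the parser refuses records of the wrong total length. MAC addresses are normalised before they are written or compared, so a lookup with upper-case hex still finds the row.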
[0087] Referring to Figure 6, Figure 6 is a schematic flowchart of the third embodiment of the encryption method of the present invention; the third embodiment of the encryption method is proposed on the basis of the first embodiment of the encryption method.
[0088] In this embodiment, the encryption method further includes:
[0089] Step S60: Send the MAC address, the random number, the home appliance public key, the session key, and the license to the cloud, so that the cloud can back up the MAC address, the random number, the home appliance public key, the session key, and the license.
[0090] When the license server obtains the relevant data it generated, that is, the MAC address, the random number, the public key of the home appliance, the private key of the home appliance, the session key and the license, it sends the MAC address, the random number, the public key of the home appliance, the session key and the license to the cloud, so that the cloud can back up the MAC address, the random number, the public key of the home appliance, the session key and the license. If the relevant data is lost during a software upgrade of the WiFi module in the home appliance, the MAC address, the random number, the public key of the home appliance, the session key and the license can be retrieved from the cloud. Further, the license server sends data such as the MAC address, the random number, the public key of the home appliance, the private key of the home appliance, the session key and the license to the WiFi module of the home appliance, where the security of the WiFi module is verified by means of this data. It should be noted that step S60 does not have to follow step S20 and can also be performed simultaneously with step S20.
[0091] In this embodiment, the MAC address, the random number, the home appliance public key, the session key and the license are sent to the cloud, so that the cloud can back them up. This prevents the home appliance from losing data such as the MAC address, the random number, the home appliance public key, the session key and the license, since this data can be retrieved from the cloud.
[0092] It should be noted that in this document the terms "include", "comprise" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to the process, method, article or device. Without further restriction, an element defined by the phrase "including a..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
[0093] The sequence numbers of the foregoing embodiments of the present invention are only for description, and do not represent the superiority of the embodiments.
[0094] Through the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform; they can of course also be implemented in hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes over the existing technology, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and includes a number of instructions that enable a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device, etc.) to execute the method described in each embodiment of the present invention.
[0095] The above are only preferred embodiments of the present invention and do not limit its scope. Any equivalent structure or equivalent process transformation made using the description and drawings of the present invention, or applied directly or indirectly in other related technical fields, is likewise included in the scope of patent protection of the present invention.
