A file distribution method, system and medium in an offline environment

By using domestically developed encryption algorithms and authorization center verification mechanisms, combined with USB flash drive key decryption, the issues of flexibility and security in offline file distribution have been resolved, enabling efficient and secure file distribution in offline environments.

CN122247599A · Pending · Publication Date: 2026-06-19 · SHENZHEN OLYM INFORMATION SECURITY TECHOLOGY CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: SHENZHEN OLYM INFORMATION SECURITY TECHOLOGY CO LTD
Filing Date: 2026-03-09
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

Existing technologies have limitations in flexibility and practicality when distributing and authorizing files in offline environments. They cannot quickly respond to authorization needs in emergency scenarios, and the hardware key method has device compatibility issues and is inconvenient to operate.

Method used

The original file is encrypted using a domestically developed encryption algorithm, generating an encrypted file and a QR code encrypted ciphertext. The encrypted file is then verified by an authorized center or decrypted using a USB key from the user. By combining white-box technology and a dual decryption method using a USB key, the secure distribution of the file is achieved.

Benefits of technology

It enhances the security and convenience of file distribution in offline environments, ensures the prevention of unauthorized copying and tampering during file transmission and storage, and provides a flexible authorization mechanism to deal with emergency scenarios.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention provides a file distribution method, system, and medium in an offline environment, relating to the field of file encryption. The method includes: the copyright holder and the user applying for authorization from an authorization center; the copyright holder encrypting the original file using a domestically developed encryption algorithm to obtain an encrypted file and a QR code encrypted ciphertext, which is then sent to the user; the user verifies and decrypts the encrypted file by sending the QR code encrypted ciphertext to the authorization center, or the user decrypts the encrypted file using their USB flash drive key. This application of a domestically developed encryption algorithm effectively improves the security of file distribution in an offline environment, preventing illegal copying and tampering during transmission and storage. Simultaneously, this solution combines the authorization center's verification mechanism with the user's USB flash drive key for dual decryption, ensuring both the convenience of file distribution and enhanced controllability of file use, providing strong protection for secure file distribution in an offline environment.

Description

Technical Field

[0001] This invention relates to the field of file encryption technology, and more specifically, to a file distribution method, system, and medium in an offline environment.

Background Technology

[0002] With increasingly stringent data security compliance regulations, various confidentiality reviews and compliance verifications are becoming more routine and rigorous. Currently, critical data and related software products that do not employ domestically developed cryptographic technologies that comply with national cryptographic assessment standards not only struggle to meet compliance requirements but also face security risks such as data breaches and unauthorized access. Against this backdrop, integrating domestically developed cryptographic technologies has become a rigid requirement for critical data protection and a core prerequisite for ensuring data security throughout its entire lifecycle and passing compliance reviews.

[0003] The existing licensing model has obvious shortcomings in flexibility and practicality. Software licensing requires advance planning and one-to-one binding on the PC. Although the control granularity is fine, it lacks flexibility and cannot quickly respond to licensing needs in urgent scenarios such as reviewing drawings with superiors the next day or temporarily adding production computers. On the other hand, the licensing method that relies on hardware keys has many application limitations. Not only does it require additional driver installation, but it may also face device compatibility issues. It is even more difficult to use in office environments where USB interfaces are strictly controlled, which seriously affects the convenience of operation and greatly reduces the actual efficiency of licensing implementation.

Summary of the Invention

[0004] To improve the efficiency of data distribution and utilization, firstly, embodiments of the present invention provide a file distribution authorization method in an offline environment, the method comprising:

[0005] Copyright holders and users apply for authorization from the licensing center;

[0006] The copyright holder uses a domestically developed encryption algorithm to encrypt the original file, resulting in an encrypted file and a QR code encrypted ciphertext, which is then sent to the user.

[0007] The user verifies and decrypts the encrypted file by sending the QR code encrypted ciphertext to the authorization center, or the user decrypts the encrypted file using the user's USB flash drive key, which is issued by the authorization center.

[0008] As one possible implementation, before the copyright holder and the user apply for authorization from the licensing center, the method further includes:

[0009] The authorization center is initialized, which includes generating public-private key pairs for file encryption, system parameters, and / or public-private key pairs for authorization file signing.

[0010] As one possible implementation method, the copyright holder applies for authorization from the licensing center, including:

[0011] The copyright holder submits the copyright holder's authorization information to the authorization center. The copyright holder's authorization information includes user identifier, number of authorized clients, types of encryptable files, list of authorized software and / or authorization time.

[0012] Based on the copyright holder's authorization information, the authorization center generates an authorization file according to preset rules and sends the copyright holder's USB flash drive key to the copyright holder;

[0013] The authorization center writes the private key corresponding to the copyright holder's user identifier under the authorization center parameters into the copyright holder's USB key and then distributes it to the copyright holder;

[0014] The authorization center issues to the copyright holder the user USB keys corresponding to the number of authorized clients.

[0015] As one possible implementation, the user applying for authorization from the authorization center includes:

[0016] The user sends authorization information, including user identification, to the copyright holder;

[0017] Based on the user's authorization information, the copyright holder generates a user identifier private key, writes it into the user's USB flash drive key, and then sends the user's USB flash drive key to the user.

[0018] As one possible implementation, the user applying for authorization from the authorization center includes:

[0019] The user sends user authorization information, including user identifier, mobile phone number and / or terminal ID, to the authorization center;

[0020] Based on the user's authorization information, the authorization center sends a fragment of the collaborative signature identifier private key to the user.

[0021] As one possible implementation method, the copyright holder uses a domestically developed encryption algorithm to encrypt the original file, obtaining an encrypted file and a QR code encrypted ciphertext, which is then sent to the user, including:

[0022] The copyright holder generates the file encryption key and the key encryption key;

[0023] The copyright holder encrypts the file encryption key with the key encryption key to obtain the ciphertext of the file encryption key;

[0024] The copyright holder uses the file encryption key to encrypt the original file, thus obtaining the encrypted original file;

[0025] The copyright holder uses the key encryption key to generate a lineage code and a file control code;

[0026] The copyright holder generates an encrypted file based on the user identifier, the ciphertext of the file encryption key, the encrypted original file, the lineage code, the file control code, and / or the list of licensed software, and sends it to the user.

[0027] The user sends the device identification code to the copyright holder;

[0028] The copyright holder generates an authorization QR code based on the user identifier, the key encryption key, and / or the user's device identification code.

[0029] The copyright holder uses white-box technology to encrypt the authorized QR code, forming encrypted QR code text, and sends it to the user.

[0030] As one possible implementation, the user verifies and decrypts the encrypted file by sending a QR code encrypted ciphertext to the authorization center, including:

[0031] The user sends the encrypted QR code to the authorization center;

[0032] The authorization center uses the user's private key to decrypt the QR code encrypted text and obtain the copyright holder's user identifier and key encryption key.

[0033] The authorization center generates a Chinese character verification code based on the copyright holder's user identifier and key encryption key;

[0034] The authorization center will send the Chinese character verification code and the key encryption key to the user;

[0035] The user decrypts the encrypted file based on the Chinese character verification code and the key encryption key.

[0036] Secondly, embodiments of the present invention provide a file distribution system in an offline environment, including: a copyright holder, a user, and an authorization center;

[0037] The copyright holder is used to apply for authorization from the authorization center, and to encrypt the original file using a domestically developed encryption algorithm to obtain an encrypted file and a QR code encrypted ciphertext, which is then sent to the user.

[0038] The user is used to apply for authorization from the authorization center, and to verify and decrypt the encrypted file by sending the QR code encrypted ciphertext to the authorization center, or to decrypt the encrypted file using the user's USB flash drive key.

[0039] The authorization center is used to authorize copyright holders and users; to verify the encrypted QR code sent by the user so that the user can decrypt the encrypted file, or to issue a USB flash drive key to the user.

[0040] As one possible implementation, the system further includes: a copyright holder's USB flash drive key and a user's USB flash drive key, wherein the copyright holder's USB flash drive key is used to connect with the copyright holder, and the user's USB flash drive key is used to connect with the user, and both the copyright holder's USB flash drive key and the user's USB flash drive key are issued by the authorization center.

[0041] Thirdly, embodiments of the present invention provide a readable storage medium having executable instructions stored thereon, wherein the executable instructions, when executed by a processor, implement the method described in the first aspect.

[0042] In the file distribution authorization method, system, and medium in an offline environment provided in the embodiments of the present invention, the copyright holder and the user apply for authorization from the authorization center; the copyright holder uses a domestic encryption algorithm to encrypt the original file to obtain an encrypted file and a QR code encrypted ciphertext, which is then sent to the user; the user verifies and decrypts the encrypted file by sending the QR code encrypted ciphertext to the authorization center, or the user decrypts the encrypted file using the user's USB flash drive key.

[0043] In this way, the application of domestically developed encryption algorithms effectively enhances the security of file distribution in offline environments, preventing unauthorized copying and tampering during transmission and storage. Simultaneously, this solution combines the verification mechanism of the authorization center with a dual decryption method using the user's USB key, ensuring both the convenience of file distribution and the controllability of file usage, providing strong protection for secure file distribution in offline environments.

Attached Figure Description

[0044] Figure 1 is an exemplary architecture diagram in which an embodiment of the present invention can be applied;

[0045] Figure 2 is a flowchart of an embodiment of the file distribution authorization method in an offline environment provided by the present invention;

[0046] Figure 3 is a schematic diagram of the structure of a computer suitable for implementing embodiments of the present disclosure.

Detailed Implementation

[0047] The present invention will now be described in further detail with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and not intended to limit it. Furthermore, it should be noted that, for ease of description, only the parts relevant to the invention are shown in the accompanying drawings.

[0048] It should be noted that, unless otherwise specified, the embodiments and features described in the present invention can be combined with each other. The present invention will now be described in detail with reference to the accompanying drawings and embodiments.

[0049] Figure 1 shows an exemplary architecture 100 to which an embodiment of the file distribution method, system, and medium for offline environments of the present invention can be applied.

[0050] As shown in Figure 1, architecture 100 may include an authorization center 101, a copyright holder 102, and a user 103. The authorization center 101 can configure and distribute a copyright holder USB key 104 (SUKEY) and a user USB key 105 (CUKEY). The copyright holder USB key 104 is used to connect with the copyright holder 102, and the user USB key 105 is used to connect with the user 103. Network 106 serves as the medium for providing a communication link between the authorization center 101, the copyright holder 102, and the user 103. The authorization center 101, the copyright holder 102, and the user 103 are terminal devices, on which various communication client applications can be installed, such as file distribution applications, voice recognition applications, short video social applications, audio and video conferencing applications, live video streaming applications, document editing applications, input method applications, web browser applications, shopping applications, search applications, instant messaging tools, email clients, social platform software, etc. Network 106 may include various connection types, such as wired links, wireless communication links, or fiber optic cables.

[0051] The licensing center 101, copyright holder 102, and user 103 can be either hardware or software. When the licensing center 101, copyright holder 102, and user 103 are hardware, they can be various electronic devices with displays, including but not limited to smartphones, smart home appliances, wearable devices, and desktop computers. When the licensing center 101, copyright holder 102, and user 103 are software, they can be installed on the terminal devices listed above. They can be implemented as multiple software programs or software modules (e.g., used to provide file distribution services) or as a single software program or software module. No specific limitations are imposed here.

[0052] In some cases, the file distribution method in an offline environment provided by the present invention can be executed by the authorization center 101, the copyright holder 102, and the user 103.

[0053] In some cases, the file distribution method in an offline environment provided by this invention can be jointly executed by the authorization center 101, the copyright holder 102, and the user 103. For example, the step of "applying for authorization from the authorization center" can be executed by the copyright holder 102 and the user 103, and the steps such as "generating an authorization file based on the copyright holder's authorization information" can be executed by the authorization center 101. This invention does not limit this.

[0054] It should be understood that the numbers of authorization centers 101, copyright holders 102, users 103, copyright holder USB keys 104, and user USB keys 105 in Figure 1 are merely illustrative. Depending on implementation needs, there can be any number of authorization centers 101, copyright holders 102, users 103, copyright holder USB keys 104, and user USB keys 105.

[0055] Continuing with Figure 2, which illustrates a flow 200 of an embodiment of a file distribution authorization method in an offline environment according to the present invention, the method includes the following steps 201 to 204:

[0056] Step 201: The copyright holder and the user apply for authorization from the authorization center.

[0057] The copyright holder, also known as the data provider, refers to the entity that generates valuable data files. This entity encrypts the data files and then distributes them to data users. The data provider must use a file distribution server version of the software.

[0058] After obtaining encrypted data files and authorization from the copyright holder, the user uses this data to create new data files.

[0059] The Authorization Center, acting as the key generation hub, is responsible for generating and managing the keys for copyright holders and users, thereby ensuring the security of the entire file distribution process. Each copyright holder and user is equipped with a corresponding USB key, which stores a private key generated by the Authorization Center and identifies the user accordingly. The Authorization Center generates a public-private key pair for file encryption. The public key is embedded in the software client that can be installed by all three parties, while the private key is stored by the Authorization Center. This private key is used by the Authorization Center to sign the software client's authorization document, and the software client uses the public key to verify the authorization document.

[0060] Before encryption and authorization can be performed, both the copyright holder and the user need to apply for authorization from the authorization center. Before receiving this information, the authorization center needs to initialize and build a key generation system, specifically including: ① generating file encryption public-private key pairs and system parameters, for example, system parameter name OLYM_GIS_SM9, version 1; ② generating authorization file signing public-private key pairs, for example, PubKey_Lic, PrvKey_Lic; ③ building the authorization center to allow applications for authorization files and creating USB flash drive keys.

[0061] When a copyright holder applies for authorization from the licensing center, they first submit their authorization information. This information includes, but is not limited to, user identifiers, the number of authorized clients, the types of files that can be encrypted, a list of authorized software, and the authorization period. It should be noted that both the copyright holder and the user have unique user identifiers, which end with a '~' counter, starting at 1, for example, "XXX Province YYY City ZZZ Organization ~1". To update, the counter is incremented at the end, for example, ending with '~2'. The number of authorized clients refers to the number of users the copyright holder needs to authorize. The types of files that can be encrypted are set according to the requirements for file distribution.

[0062] After receiving this information, the authorization center generates an authorization file according to preset rules and then sends it to the copyright holder. It should be noted that the authorization file includes the copyright holder's user identifier, the number of authorized clients, the types of files that can be encrypted, a list of authorized software, the authorization time (CTIME), and the authorization center's signature on the authorization information (e.g., using a PrvKey_Lic signature).

[0063] After receiving this information, the authorization center will write the private key corresponding to the copyright holder's user identifier under the authorization center parameters into the copyright holder's USB key (SUKEY), and prepare at least one user USB key (CUKEY) corresponding to the number of authorized clients. This content will then be securely distributed to the copyright holder. Secure distribution refers to the secure physical transmission of both the copyright holder's USB key (SUKEY) and the user's USB key (CUKEY). Authorization files can be distributed via USB key or network.

[0064] The relevant personnel will insert the copyright holder's USB key (SUKEY) into the copyright holder's computer and launch the copyright holder's software client for distributing files. The software client can then import the license file, verify the license file, and initialize the copyright holder's USB key (SUKEY), file encryption master key (MFEKK), and key encryption key (EFEKK).

[0065] Specifically, first verify the authorization file (e.g., using PubKey_Lic verification in the software). Then verify the legitimacy of the copyright holder's USB key (SUKEY), including confirming it is a copyright holder USB key (SUKEY) type (not a user's USB key). Next, create the copyright holder's key information within the copyright holder's USB key (SUKEY), including generating a file encryption public / private key pair and system parameters (e.g., "XXX Province YYY City ZZZ Organization_KGC" as the domain name, version 1). Then, generate the relevant key information for the file encryption master key (MFEKK) within the copyright holder's USB key (SUKEY): a random encryption master key identifier (MKID) and the file encryption master key (MFEKK). Finally, optionally, the file encryption master key (MFEKK) can be encrypted and exported as a backup using the user identifier (XXX Province YYY City ZZZ Organization~1) under the system parameters.

[0066] The FEK (File Encryption Key) is the "small key" that directly encrypts the original file. It is randomly generated and does not need to be updated; its encrypted version is present at the beginning of the file. The EFEKK (Key Encryption Key) is a "middle-level key" specifically used to "lock" the FEK. It is derived from the root key MFEKK based on the EKID, and it updates whenever the EKID changes. The MFEKK (File Encryption Master Key) is the "master key" of the entire system. It is a 32-byte key randomly generated by the copyright holder and used to derive the EFEKK. Its update changes the corresponding identifier MKID. The MKID (File Encryption Master Key Identifier) is a 4-byte "identity tag" attached to the "master key MFEKK," consisting of 1 byte of version and 3 bytes of random data. The EKID (Key Encryption Key ID) is a 12-byte "identity code" specifically identifying the FEK, composed of 4 bytes of MKID and 8 bytes of DBID. The 8-byte DBID is an "auxiliary code," composed of 2 bytes of protection period start time (BEGINTIME) plus a 6-byte hash value calculated from relevant information, used to distinguish keys for different periods.

[0067] It should be noted that the software client can be configured with key update policies that are valid monthly, quarterly, semi-annually, annually, 3-yearly, or permanently to address potential security threats. Specifically, a start time (BEGINTIME) is generated based on the current time. A file encryption master key (MFEKK) is generated using the copyright holder's USB key (SUKEY) based on the encryption master key identifier (MKID), user identifier, and start time (BEGINTIME). The start time (BEGINTIME) defines the lifecycle of the encryption key (EFEKK), including monthly, quarterly, semi-annual, annual, 3-yearly, and permanently valid options. For monthly updates, it's the first day of the current month (e.g., 2025-02-01); for quarterly updates, it's the start day of the current quarter (e.g., 2025-04-01), and so on. The date is converted to a 16-bit integer, representing the number of days since 2025-01-01.

[0068] There are two ways for the user to apply for authorization from the authorization center:

[0069] The first method involves the user sending user authorization information, including a user identifier, to the copyright holder; based on the user authorization information, the copyright holder generates a user identifier private key, writes it into the user's USB flash drive key (CUKEY), and sends it to the user.

[0070] Since the copyright holder receives multiple user USB key (CUKEY) from the authorization center, they can generate a private key corresponding to the user's identifier under the system parameters based on the user's authorization information and write it into the user USB key (CUKEY). Authorized users can then connect to the user USB key (CUKEY), write the device ID into it, and decrypt encrypted files. Furthermore, the maximum number of device IDs that can be written into the user USB key (CUKEY) can be set to enhance its security.

[0071] The second method involves the user sending authorization information, including user identifier, mobile phone number, and / or terminal ID (e.g., application software ID), to the authorization center; based on the user's authorization information, the authorization center sends a fragment of the collaborative signature identifier private key to the user.

[0072] After obtaining the authorization information, the authorization center verifies the uniqueness of the complete user identifier to ensure no duplicates. Then, it sends an SMS verification code to the corresponding mobile phone number. Upon receiving the verification code from the user, the center associates the user identifier, mobile phone number, and / or terminal ID, and sends a collaborative signature identifier private key fragment to the user via the user's mobile phone number. The user can then launch the software client for distributing files and use the collaborative signature identifier private key fragment to complete the authorization request. After verifying the correctness of the collaborative signature identifier private key fragment, the authorization center completes the authorization process, and the user can then decrypt encrypted files via the authorization QR code. Furthermore, the user can request a change of mobile phone number by sending an SMS to the authorization center; the specific process is not restricted here.

[0073] The two authorization methods can be used individually or in combination. For frequently used or internally used devices, the user's USB key (CUKEY) can be used for convenient operation. For temporarily added devices, authorization can be done through the authorization center. This can handle emergencies without the need for advance authorization planning (obtaining the user's device information) or concerns about inconvenience or insufficient quantity of user USB keys (CUKEY). It provides a secure, flexible, and quick binding process, improving the efficiency of file transfer.

[0074] Step 202: The copyright holder uses a domestically developed encryption algorithm to encrypt the original file, obtaining an encrypted file and a QR code encrypted ciphertext, which is then sent to the user.

[0075] The file encryption process using domestically developed encryption algorithms must follow a layered key protection logic and proceed in an orderly manner step by step.

[0076] First, preliminary preparations are carried out. The copyright holder randomly generates a 32-byte file encryption master key (MFEKK) and a 4-byte file encryption master key identifier (MKID) consisting of 1 byte of version information and 3 bytes of random data, thus initializing the master key. The software client selects a monthly, quarterly, semi-annual, annual, 3-year, or permanently valid key update cycle according to actual needs. Based on the current time, the data protection cycle start time (BEGINTIME) is determined, converted into the number of days from 2025-01-01, and then converted into a 2-byte 16-bit integer. Using BEGINTIME, the data owner identifier, and MKID as input parameters, a hash value is generated through a hash algorithm. The first 6 bytes of this hash value are extracted and concatenated with the 2-byte BEGINTIME to form an 8-byte DBID. Finally, the 4-byte MKID is further concatenated with the 8-byte DBID to obtain a 12-byte key encryption key ID (EKID).

[0077] After completing the preliminary preparations, the copyright holder uses the generated MFEKK to derive the key encryption key (EFEKK) from the EKID, and uses this as the dedicated key for encryption work; then a file encryption key (FEK) is randomly generated for directly encrypting the original file, and this key does not need to be updated later.
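The identifier layout in [0076] and the derivation step in [0077], as an added example that is not part of the patent text. SHA-256 and HMAC-SHA-256 stand in for the domestic hash and key-derivation functions, which the description does not name; the big-endian packing, the hash input order, UTF-8 encoding of the owner identifier and the 16-byte EFEKK length are likewise assumptions.

```python
import hashlib
import hmac
import secrets
import struct
from datetime import date

EPOCH = date(2025, 1, 1)  # day 0 for BEGINTIME, as stated in the description

# Update policies whose period start the description defines by example.
# The 3-year and permanent policies are left out: their start day is not given.
MONTHS_PER_PERIOD = {"monthly": 1, "quarterly": 3, "semi-annual": 6, "annual": 12}


def period_start(today: date, policy: str) -> date:
    """First day of the key-update period that contains `today`."""
    span = MONTHS_PER_PERIOD[policy]
    first_month = ((today.month - 1) // span) * span + 1
    return date(today.year, first_month, 1)


def begintime(today: date, policy: str) -> int:
    """BEGINTIME: days from 2025-01-01 to the period start, as a 16-bit value."""
    days = (period_start(today, policy) - EPOCH).days
    if not 0 <= days <= 0xFFFF:
        raise ValueError("period start does not fit the 16-bit BEGINTIME field")
    return days


def new_mkid(version: int = 1) -> bytes:
    """MKID: 1 byte of version followed by 3 random bytes."""
    return bytes([version]) + secrets.token_bytes(3)


def build_ekid(mkid: bytes, owner_id: str, begin: int) -> bytes:
    """EKID (12 bytes) = MKID (4) || DBID (8), DBID = BEGINTIME (2) || hash[:6]."""
    if len(mkid) != 4:
        raise ValueError("MKID must be 4 bytes")
    bt = struct.pack(">H", begin)  # assumption: big-endian
    # Assumption: SHA-256 over BEGINTIME || owner identifier || MKID.
    digest = hashlib.sha256(bt + owner_id.encode("utf-8") + mkid).digest()
    return mkid + bt + digest[:6]


def parse_ekid(ekid: bytes) -> dict:
    """Split an EKID into its fields; EKIDR is the trailing 6-byte hash part."""
    if len(ekid) != 12:
        raise ValueError("EKID must be 12 bytes")
    return {
        "version": ekid[0],
        "mkid": ekid[:4],
        "begintime": struct.unpack(">H", ekid[4:6])[0],
        "ekidr": ekid[6:],
    }


def derive_efekk(mfekk: bytes, ekid: bytes) -> bytes:
    """Derive the key encryption key from the 32-byte master key and the EKID."""
    if len(mfekk) != 32:
        raise ValueError("MFEKK must be 32 bytes")
    # Assumption: HMAC-SHA-256 as the derivation function, truncated to 16 bytes.
    return hmac.new(mfekk, b"EFEKK" + ekid, hashlib.sha256).digest()[:16]


if __name__ == "__main__":
    owner = "XXX Province YYY City ZZZ Organization~1"  # identifier form from [0061]
    mfekk = secrets.token_bytes(32)
    mkid = new_mkid()
    # Constructed dates: two in the same quarter, one in the next.
    for day in (date(2025, 4, 2), date(2025, 6, 30), date(2025, 7, 1)):
        ekid = build_ekid(mkid, owner, begintime(day, "quarterly"))
        fields = parse_ekid(ekid)
        print(day, ekid.hex(), fields["begintime"], derive_efekk(mfekk, ekid).hex())
```

Dates inside one update period map to the same EKID and therefore the same EFEKK; crossing a period boundary changes BEGINTIME, the hash part, and the derived key, while the FEK wrapped under an older EFEKK stays recoverable as long as the MFEKK and the file's stored EKID are kept.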

[0078] Next, the core encryption process begins. First, the FEK is encrypted using EFEKK to generate ciphertext FEK (FKCTX), which is stored in the header of the file to be encrypted, providing a basis for subsequent decryption. Then, the unencrypted FEK is used to encrypt the original target file (DATA), generating an encrypted file (DCTX) that cannot be directly read. The key encryption key (EFEKK) is used to generate the lineage code (LNC) and file control code (FCTL). Finally, the copyright holder's user identifier, the key encryption key ID (EKID), the ciphertext of the file encryption key (FKCTX), the lineage code (LNC), the file control code (FCTL), and / or the encrypted original file (DCTX), along with the list of licensed software, are integrated to generate the final encrypted file, which is then sent to the user.

[0079] The lineage code (LNC) is a 16-byte value stored in the header of the encrypted file. It identifies that the file belongs to a batch of data encrypted and protected by the file encryption key (FEK), thus representing the ownership of the original file. Although the file contains the data owner, the key encryption key ID (EKID), and the ciphertext of the file encryption key (FKCTX), the consistency of these data is protected by a QR code (MAC) generated by the file encryption key (FEK), which can be tampered with. This data requires the file encryption key (FEK) to participate in the calculation. The file encryption key (FEK) is encrypted by the key encryption key (EFEKK) to form the ciphertext of the file encryption key (FKCTX), which is stored in the header of the encrypted file (16 bytes or 32 bytes).

[0080] The File Control Code (FCTL) is a 16-byte value stored in the header of an encrypted file. It identifies the user of the file, the time range of use, the number of times it has been used, and records the original file's usage permissions. This data requires the File Encryption Key (FEK) for calculation.

[0081] The ciphertext of the file encryption key (FKCTX) is the ciphertext of the file encryption key FEK. FEK is encrypted by the key encryption key (EFEKK) to form FKCTX, which is present in the header of the encrypted file (16 bytes or 32 bytes).

[0082] After the copyright holder sends the encrypted file to the user, the user sends a device identifier (DEV) to the copyright holder. The device identifier (DEV) is a unique identifier extracted by the software client from the user's or copyright holder's device.

[0083] The copyright holder generates an authorization QR code using either method a or b, based on their own user identifier, key encryption key ID (EKID), key encryption key (EFEKK), user's device identifier (DEV), authorization validity period, and purpose: a. Encrypting with authorization center system parameters and user identifier to form encrypted ciphertext (CTX) and authorization QR code (LMAC); b. Encrypting with copyright holder system parameters and user identifier to form encrypted ciphertext (CTX) and authorization QR code (LMAC). Then, using white-box technology, they encrypt the QR code to form encrypted ciphertext (LCTX) and send it to the user.

[0084] Step 203: The user sends a QR code to the authorization center to verify and decrypt the encrypted file.

[0085] The user sends the encrypted QR code to the authorization center; the authorization center uses the user's corresponding private key to decrypt the encrypted QR code, obtaining the copyright holder's user identifier and key encryption key; the authorization center generates a Chinese character verification code based on the copyright holder's user identifier and key encryption key; the authorization center sends the Chinese character verification code and key encryption key to the user; the user decrypts the encrypted file based on the Chinese character verification code and key encryption key.

[0086] Specifically, users can decrypt the encrypted file by sending a QR code to the authorization center for encrypted verification in two ways:

[0087] The first method involves the user obtaining the encrypted QR code (LCTX) and sending it to the authorization center. The authorization center uses the file encryption public-private key pair to generate the identifier private key used by the user when applying for authorization. This is then decrypted to obtain information such as the copyright holder's user identifier, the key encryption key ID (EKID), and the key encryption key (EFEKK). Relevant personnel from the user enter the copyright holder's user identifier into the client software. These personnel then scan the QR code (without the EKID information) on the software client and submit it to the authorization center. The authorization center then encrypts and distributes the most recently encrypted key encryption key ID (EKID). The encryption key (EFEKK) is used to generate a 17-character Chinese character verification code. Relevant personnel on the user's software client input this 17-character verification code to recover part of the encryption key's ID (EKID, last 48 bits: EKIDR, where EKIDR is 6 bytes, representing the 6-byte hash information within EKID) and the complete encryption key (EFEKK). The user's software client injects EKIDR and the encryption key (EFEKK) into the kernel. Combined with the software client's public key, the user can then open the encrypted file in authorized software and decrypt it.

[0088] The second scenario involves a user encountering a lack of authorization to access an encrypted file. In this case, the user's client software can generate an authorization QR code. The user's personnel scan the client software's QR code (containing complete EKID information) and submit it to the authorization center. The authorization center then uses the encrypted key's ID (EKID) to generate a 13-character verification code. The user's personnel input this verification code into the client software to reconstruct the complete EKID. The client then injects the EKID and EKK into its kernel, combining them with the client's public key, allowing the user to open the encrypted file within the authorized software.

[0089] Step 204: The user decrypts the encrypted file using the user's USB flash drive key.

[0090] The user decrypts the QR code encrypted ciphertext (LCTX) using a white-box decryption tool to obtain the encrypted ciphertext (CTX). Then, using the user's USB drive key (CUKEY), the user decrypts the encrypted ciphertext (CTX) to obtain the key encryption key (EFEKK). In reality, the key encryption key (EFEKK) does not leave the user's USB drive key (CUKEY); instead, it is provided to the user in the form of a handle. The user uses the ciphertext of the file encryption key (FKCTX), lineage code (LNC), file control code (FCTL), license time (CTIME), copyright holder's user identifier, copyright holder's key encryption key ID (EKID), and user's device identifier (DEV) to access the user's USB drive key (CUKEY) or kernel, decrypts it to obtain the file encryption key (FEK), and then decrypts the original encrypted file (DCTX) in memory to obtain the original file (DATA).

[0091] Through the steps described above, copyright holders and users can securely and efficiently complete the file distribution and decryption process offline. In this process, the licensing center plays a crucial role, not only generating and managing licensing files but also ensuring the security and traceability of the entire distribution process. The copyright holder uses a carefully designed encryption mechanism to transform the original file into an encrypted file, along with rich access control information such as lineage codes and file control codes. This information plays a key role in verification and control during subsequent file use.

[0092] After receiving the encrypted file, the user applies for authorization using different methods depending on whether an authorization QR code has been obtained simultaneously. Regardless of the method, the ultimate goal is to obtain the key information needed to decrypt the file. Once authorization is successful, the user can use the user's USB key (CUKEY) to decrypt the file. During this process, the key encryption key (EFEKK) is provided in the form of a handle, ensuring that the key information is not leaked to unauthorized entities.

[0093] Furthermore, the entire file distribution system considers a balance between flexibility and security. By providing two authorization methods, the system can handle both regular device usage scenarios and flexibly respond to temporary device additions in emergency situations. Simultaneously, by setting a maximum number of device IDs that can be written to the user's USB drive key (CUKEY), and utilizing mechanisms such as lineage codes and file control codes, the system effectively enhances the security and controllability of file transfer.

[0094] Reference is now made to Figure 3, which shows a schematic diagram of the structure of a computer 300 suitable for implementing the electronic device of the present invention. The computer 300 shown in Figure 3 is merely an example and should not be construed as limiting the functionality and scope of the embodiments of the present invention.

[0095] As shown in Figure 3, the computer 300 may include a processing device (e.g., a central processing unit, a graphics processing unit, etc.) 301, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 302 or a program loaded from a storage device 308 into a random access memory (RAM) 303. The RAM 303 also stores various programs and data required for the operation of the computer 300. The processing device 301, ROM 302, and RAM 303 are interconnected via a bus 304. An input/output (I/O) interface 305 is also connected to the bus 304.

[0096] Typically, the following devices can be connected to the I/O interface 305: input devices 306 including, for example, touchscreens, touchpads, keyboards, mice, cameras, microphones, etc.; output devices 307 including, for example, liquid crystal displays (LCDs), speakers, vibrators, etc.; storage devices 308 including, for example, magnetic tapes, hard disks, etc.; and communication devices 309. The communication device 309 allows the computer 300 to communicate wirelessly or by wire with other devices to exchange data. Although Figure 3 shows a computer 300 with various devices, it should be understood that it is not required to implement or possess all of the devices shown. More or fewer devices may be implemented or possessed alternatively.

[0097] In particular, according to embodiments of the present invention, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of the present invention include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via a communication device 309, or installed from a storage device 308, or installed from a ROM 302. When the computer program is executed by the processing device 301, it performs the functions defined in the methods of the embodiments of the present invention.

[0098] It should be noted that the computer-readable medium described above in this invention can be a computer-readable signal medium, a computer-readable storage medium, or any combination thereof. A computer-readable storage medium can be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor device or apparatus, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In this invention, a computer-readable storage medium can be any tangible medium containing or storing a program that can be executed by instructions, used by a device or apparatus, or used in conjunction with it. In this invention, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A computer-readable signal medium may be any computer-readable medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with instructions, apparatus, or device. The program code contained on the computer-readable medium can be transmitted using any suitable medium, including but not limited to: wires, optical fibers, RF (radio frequency), etc., or any suitable combination thereof.

[0099] The aforementioned computer-readable medium may be included in the aforementioned electronic device; or it may exist independently and not assembled into the electronic device.

[0100] The aforementioned computer-readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to perform the method illustrated in the embodiment of Figure 2 and its alternative implementations.

[0101] Computer program code for performing the operations of this invention can be written in one or more programming languages or a combination thereof, including object-oriented programming languages such as Java, Smalltalk, and C++, and conventional procedural programming languages such as C or similar languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network, including a local area network (LAN) or a wide area network (WAN), or can be connected to an external computer (e.g., via the Internet using an Internet service provider).

[0102] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of methods and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, may be implemented using dedicated hardware-based implementations that perform the specified functions or operations, or using a combination of dedicated hardware and computer instructions.

[0103] The units or modules described in the embodiments of the present invention can be implemented in software or hardware. In some cases, the user identifier of a unit or module does not constitute a limitation on the unit itself.

[0104] The above description is merely a preferred embodiment of the present invention and an explanation of the technical principles employed. Those skilled in the art should understand that the scope of disclosure in this invention is not limited to technical solutions formed by specific combinations of the above-described technical features, but should also cover other technical solutions formed by arbitrary combinations of the above-described technical features or their equivalents without departing from the above-disclosed concept, for example, technical solutions formed by substituting the above features with (but not limited to) technical features with similar functions disclosed in this invention.

Claims

1. A file distribution method in an offline environment, characterized in that the method includes: the copyright holder and the user apply for authorization from the authorization center; the copyright holder uses a domestically developed encryption algorithm to encrypt the original file, obtaining an encrypted file and a QR code encrypted ciphertext, which are then sent to the user; and the user decrypts the encrypted file by sending the QR code encrypted ciphertext to the authorization center, or the user decrypts the encrypted file using the user's USB flash drive key, which is issued by the authorization center.

2. The method according to claim 1, characterized in that, before the copyright holder and the user apply for authorization from the authorization center, the method further includes: the authorization center is initialized, which includes generating public-private key pairs for file encryption, system parameters, and/or public-private key pairs for authorization file signing.

3. The method according to claim 1, characterized in that the copyright holder applying for authorization from the authorization center includes: the copyright holder submits the copyright holder's authorization information to the authorization center, the copyright holder's authorization information including user identifier, number of authorized clients, types of encryptable files, list of authorized software and/or authorization time; based on the copyright holder's authorization information, the authorization center generates an authorization file according to preset rules and sends it to the copyright holder; the authorization center writes the private key corresponding to the copyright holder's user identifier under the authorization center parameters into the copyright holder's USB key, and then sends the copyright holder's USB key to the copyright holder; and the authorization center issues to the copyright holder the USB keys corresponding to the number of authorized clients.

4. The method according to claim 3, characterized in that the user applying for authorization from the authorization center includes: the user sends authorization information, including user identification, to the copyright holder; and based on the user's authorization information, the copyright holder generates a user identifier private key, writes it into the user's USB flash drive key, and then sends the user's USB flash drive key to the user.

5. The method according to claim 3, characterized in that the user applying for authorization from the authorization center includes: the user sends user authorization information, including user identifier, mobile phone number and/or terminal ID, to the authorization center; and based on the user's authorization information, the authorization center sends a fragment of the collaborative signature identifier private key to the user.

6. The method according to claim 5, characterized in that the copyright holder using a domestically developed encryption algorithm to encrypt the original file, obtaining an encrypted file and a QR code encrypted ciphertext, and sending them to the user includes: the copyright holder generates the file encryption key and the key encryption key; the copyright holder encrypts the file encryption key with the key encryption key to obtain the ciphertext of the file encryption key; the copyright holder uses the file encryption key to encrypt the original file, obtaining the encrypted original file; the copyright holder uses the key encryption key to generate a lineage code and a file control code; the copyright holder generates an encrypted file based on the user identifier, the ciphertext of the file encryption key, the encrypted original file, the lineage code, the file control code, and/or the list of licensed software, and sends it to the user; the user sends the device identification code to the copyright holder; the copyright holder generates an authorization QR code based on the user identifier, the key encryption key, and/or the user's device identification code; and the copyright holder uses white-box technology to encrypt the authorization QR code, forming the QR code encrypted ciphertext, and sends it to the user.

7. The method according to claim 6, characterized in that the user decrypting the encrypted file by sending the QR code encrypted ciphertext to the authorization center includes: the user sends the QR code encrypted ciphertext to the authorization center; the authorization center uses the user's private key to decrypt the QR code encrypted ciphertext and obtain the copyright holder's user identifier and key encryption key; the authorization center generates a Chinese character verification code based on the copyright holder's user identifier and key encryption key; the authorization center sends the Chinese character verification code and the key encryption key to the user; and the user decrypts the encrypted file based on the Chinese character verification code and the key encryption key.

8. A file distribution system for offline environments, characterized in that it includes: a copyright holder, a user, and an authorization center; the copyright holder is used to apply for authorization from the authorization center, and to encrypt the original file using a domestically developed encryption algorithm to obtain an encrypted file and a QR code encrypted ciphertext, which are then sent to the user; the user is used to apply for authorization from the authorization center, and to decrypt the encrypted file by sending the QR code encrypted ciphertext to the authorization center for verification, or to decrypt the encrypted file using the user's USB flash drive key; the authorization center is used to authorize the copyright holder and the user, and to verify the QR code encrypted ciphertext sent by the user so that the user can decrypt the encrypted file, or to issue a USB flash drive key to the user.

9. The system according to claim 8, characterized in that the system also includes: a copyright holder USB key and a user USB key; the copyright holder USB key is used to connect with the copyright holder, and the user USB key is used to connect with the user; both the copyright holder USB key and the user USB key are issued by the authorization center.

10. A readable storage medium having executable instructions stored thereon, characterized in that, when the executable instructions are executed by the processor, they implement the method of any one of claims 1 to 7.