[go: up one dir, main page]

CN100518060C - Encryption protection method and client device for digital document - Google Patents

Encryption protection method and client device for digital document Download PDF

Info

Publication number
CN100518060C
CN100518060C CNB2007101189171A CN200710118917A CN100518060C CN 100518060 C CN100518060 C CN 100518060C CN B2007101189171 A CNB2007101189171 A CN B2007101189171A CN 200710118917 A CN200710118917 A CN 200710118917A CN 100518060 C CN100518060 C CN 100518060C
Authority
CN
China
Prior art keywords
encrypted
information
key
client device
document
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB2007101189171A
Other languages
Chinese (zh)
Other versions
CN101282214A (en
Inventor
汤帜
洪献文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New Founder Holdings Development Co ltd
Peking University
Founder Apabi Technology Ltd
Original Assignee
Peking University
Peking University Founder Group Co Ltd
Beijing Founder Apabi Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Peking University, Peking University Founder Group Co Ltd, Beijing Founder Apabi Technology Co Ltd filed Critical Peking University
Priority to CNB2007101189171A priority Critical patent/CN100518060C/en
Publication of CN101282214A publication Critical patent/CN101282214A/en
Application granted granted Critical
Publication of CN100518060C publication Critical patent/CN100518060C/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

The present invention discloses a ciphering protecting method of a digital file and a client device thereof in order to settle a problem that the file can not be protected when the client end generating the file is off network or the file is in the editing state. According to the invention a client system directly ciphers the file, binds the ciphering key with the hardware information or ciphers with the public key of the server system thereby protecting the file. When the file is in the editing state, a local client device protecting mode is adopted and the protection to the file is realized by a client machine singly. When the file is in the network circulating state, a network server protecting mode is adopted and a network identification of the server system is used for realizing the protection to the file. And when the file is authorized to be used by other client, the file being protected can be transferred again from other client device for circulating use.

Description

一种数字文档的加密保护方法及客户端设备 Encryption protection method and client device for digital document

技术领域 technical field

本发明涉及数字版权保护技术领域,特别涉及一种数字文档的加密保护方法及客户端设备。The invention relates to the technical field of digital copyright protection, in particular to an encryption protection method for digital documents and a client device.

背景技术 Background technique

随着互联网的发展,网上电子书、音乐、电影、图片等数字内容的传播越来越多,由于数字内容很容易复制、修改,网络上传播的数字内容存在大量的盗版和侵权问题。因此,针对数字内容的版权保护越来越重要。With the development of the Internet, more and more digital content such as e-books, music, movies, and pictures are disseminated online. Since digital content is easy to copy and modify, there are a lot of piracy and infringement problems in digital content disseminated on the Internet. Therefore, copyright protection for digital content is becoming more and more important.

数字版权保护方法主要有两类,一类是采用数字水印技术,另一类是以数据加密和防拷贝为核心的DRM(Digital Rights Management,数字版权保护)技术。使用DRM技术进行保护的数字内容包括电子书(eBook)、视频、音频、图片等。There are two main types of digital copyright protection methods, one is digital watermarking technology, and the other is DRM (Digital Rights Management, digital rights protection) technology with data encryption and copy protection as the core. Digital content protected by DRM technology includes eBooks (eBooks), videos, audios, pictures, and the like.

DRM的主要技术是以一定的计算方法,实现对数字内容的数据加密,只有授权用户才能得到解密的密钥,而且密钥与用户的硬件信息绑定,形成许可证,防止了非法拷贝。DRM技术防止了数字内容的非法复制,或者在一定程度上使复制很困难,最终用户必须得到授权后才能使用数字内容。The main technology of DRM is to realize the data encryption of digital content with a certain calculation method. Only authorized users can obtain the decryption key, and the key is bound with the user's hardware information to form a license to prevent illegal copying. DRM technology prevents illegal copying of digital content, or makes copying difficult to a certain extent, and end users must be authorized to use digital content.

但是,目前以数据加密和防复制为核心的DRM技术存在以下几个问题:However, the current DRM technology with data encryption and anti-duplication as the core has the following problems:

1、对文档进行加密保护的过程,或者需要一个数字版权保护的服务器系统参与,不能由客户端独立进行加密保护;或者只能在客户端加密,不能流通和传播。前者见于文档需要流通的系统,后者见于文档无法在加密状态下流通的单机版的加密系统,这两种方式相互独立,无法共同使用。1. The process of encrypting and protecting documents may require the participation of a digital copyright protection server system, and cannot be independently encrypted and protected by the client; or it can only be encrypted on the client, and cannot be circulated and disseminated. The former is found in systems where documents need to be circulated, and the latter is found in stand-alone encryption systems where documents cannot be circulated in an encrypted state. These two methods are independent of each other and cannot be used together.

2、正在修改的文档不适合于强制要求处于联网状态,未必能与服务器系统联通,但文档在成文后需要流通。2. The document being revised is not suitable for the mandatory requirement to be in the network state, and may not be able to communicate with the server system, but the document needs to be circulated after it is written.

3、已经进入流通环节的成文文档在脱离网络后无法使用,而且成文文档也有重新修改的可能。3. Written documents that have entered the circulation link cannot be used after leaving the network, and the written documents may also be revised.

发明内容 Contents of the invention

本发明实施例公开了一种数字文档的加密保护方法及客户端设备,以实现生成文档的客户端脱离网络时对文档进行加密保护。The embodiment of the invention discloses an encryption protection method of a digital document and a client device, so as to implement encryption protection on the document when the client generating the document leaves the network.

本发明实施例的一种客户端设备对数字文档进行加密的方法:A method for a client device to encrypt a digital document according to an embodiment of the present invention:

当客户端系统独立对起草或修改中的文档进行保护时切换为本地客户端设备保护方式对数字文档进行加密,加密的方法包括:When the client system independently protects the document being drafted or revised, switch to the local client device protection method to encrypt the digital document. The encryption methods include:

客户端设备生成密钥K11,并使用所述密钥K11加密数字文档,获得所述数字文档的加密文档;The client device generates a key K11, and encrypts a digital document using the key K11, to obtain an encrypted document of the digital document;

客户端设备根据客户端设备的指定特征信息生成密钥K12,并使用所述密钥K12加密密钥K11,获得所述密钥K11的加密信息E11;The client device generates a key K12 according to the specified feature information of the client device, and uses the key K12 to encrypt the key K11 to obtain encrypted information E11 of the key K11;

客户端设备关联所述加密文档和加密信息E11;The client device associates the encrypted document with the encrypted information E11;

在文档流通阅读的状态下进行保护时切换为网络服务器保护方式,使用服务器系统网络认证实现对文档的保护,加密的方法包括:Switch to the network server protection mode when protecting the document in the state of circulation and reading, and use the server system network authentication to realize the protection of the document. The encryption method includes:

客户端设备生成密钥K11,并用所述密钥K11加密数字文档,获得所述数字文档的加密文档;The client device generates a key K11, and encrypts the digital document with the key K11, to obtain an encrypted document of the digital document;

客户端设备从网络侧加密服务器获取公钥K31,并用所述公钥K31加密密钥K11,获得所述密钥K11的加密信息E12,设定加密文档对除本地客户端之外的其他客户端的授权信息;The client device obtains the public key K31 from the encryption server on the network side, and encrypts the key K11 with the public key K31, obtains the encrypted information E12 of the key K11, and sets the encrypted file to other clients except the local client. authorization information;

客户端设备使用所述公钥K31加密该其他客户端的授权信息,获得该其他客户端的授权信息的加密信息A12;The client device encrypts the authorization information of the other client using the public key K31, and obtains the encrypted information A12 of the authorization information of the other client;

客户端设备生成包含加密信息E12、A12和客户端设备标识信息的许可证书V12,并关联所述许可证书V12和加密文档。The client device generates a license certificate V12 containing encrypted information E12, A12 and client device identification information, and associates the license certificate V12 with the encrypted document.

本发明实施例的一种客户端设备对加密文档进行解密的方法,所述加密文档是客户端设备根据上述方法对数字文档进行加密后获得的,当需要解密的数字文档为采用本地客户端设备保护方式加密时,所述解密方法包括:According to an embodiment of the present invention, a client device decrypts an encrypted document. The encrypted document is obtained by the client device after encrypting the digital document according to the above method. When the protection mode is encrypted, the decryption method includes:

客户端设备根据指定特征信息生成密钥K12;The client device generates the key K12 according to the specified characteristic information;

客户端设备获取加密文档所关联的加密信息E11,并使用所述密钥K12客户端设备解密加密信息E11,获得所述加密文档的加密密钥K11;The client device obtains the encrypted information E11 associated with the encrypted document, and uses the key K12 to decrypt the encrypted information E11, and obtains the encrypted key K11 of the encrypted document;

客户端设备使用所述密钥K11解密所述加密文档,获得解密的数字文档;The client device uses the key K11 to decrypt the encrypted document to obtain a decrypted digital document;

当需要解密的数字文档为采用网络服务器保护方式加密并在异地解密时,所述解密方法包括:When the digital document that needs to be decrypted is encrypted using a network server protection method and decrypted in a different place, the decryption method includes:

客户端设备从所述许可证书V12获取加密信息E12和A12,所述E12和A12为分别使用网络侧加密服务器提供的公钥K31对K11和加密文档的授权信息进行加密后获得的加密信息,所述K11为加密文档的加密密钥;The client device obtains the encrypted information E12 and A12 from the license certificate V12, and the E12 and A12 are encrypted information obtained by encrypting K11 and the authorization information of the encrypted document respectively using the public key K31 provided by the encryption server on the network side. K11 is the encryption key of the encrypted document;

客户端设备根据指定特征信息生成密钥K22,并使用所述公钥K31加密所述密钥K22,获得所述密钥K22的加密信息E21;The client device generates the key K22 according to the specified feature information, and encrypts the key K22 using the public key K31, and obtains the encrypted information E21 of the key K22;

客户端设备将所述加密信息E12、A12和E21发送给所述网络侧加密服务器,并接收所述网络侧加密服务器在使用所述公钥K31对应的私钥K32解密加密信息E12、A12和E21后,返回的加密信息E31和A31,其中:所述加密信息A31是使用密钥K22对设置在加密信息A12中的该客户端设备授权信息进行加密后的加密信息,所述加密信息E31是使用密钥K22对密钥K11进行加密的加密信息;The client device sends the encrypted information E12, A12, and E21 to the network-side encryption server, and receives the encrypted information E12, A12, and E21 decrypted by the network-side encryption server using the private key K32 corresponding to the public key K31. Afterwards, the encrypted information E31 and A31 returned, wherein: the encrypted information A31 is the encrypted information after using the key K22 to encrypt the authorization information of the client device set in the encrypted information A12, and the encrypted information E31 is encrypted using Encryption information encrypted by key K22 to key K11;

客户端设备使用密钥K22解密加密信息E31以获得密钥K11、解密加密信息A31获得对该客户端设备的授权信息;The client device uses the key K22 to decrypt the encrypted information E31 to obtain the key K11, and decrypts the encrypted information A31 to obtain authorization information for the client device;

客户端设备使用密钥K11解密加密文档获得对应的数字文档,并根据对该客户端设备的授权信息控制该客户端设备所述数字文档的使用权限。The client device uses the key K11 to decrypt the encrypted file to obtain the corresponding digital file, and controls the use authority of the digital file of the client device according to the authorization information of the client device.

本发明实施例的一种客户端设备,包括:A client device according to an embodiment of the present invention includes:

加密文档生成单元,用于生成密钥K11,并使用所述密钥K11加密数字文档,获得所述数字文档的加密文档;An encrypted file generation unit, configured to generate a key K11, and use the key K11 to encrypt a digital file to obtain an encrypted file of the digital file;

第一加密信息生成单元,用于根据客户端设备的指定特征信息生成密钥K12,并使用所述密钥K12加密密钥K11,获得所述密钥K11的加密信息E11;A first encrypted information generation unit, configured to generate a key K12 according to specified feature information of the client device, and use the key K12 to encrypt the key K11 to obtain encrypted information E11 of the key K11;

第一关联存储单元,用于关联存储所述加密文档和加密信息E11;A first associative storage unit, configured to associatively store the encrypted document and the encrypted information E11;

公钥获取单元,用于从网络侧加密服务器获取公钥K31;A public key acquisition unit, configured to acquire the public key K31 from the network-side encryption server;

第二加密信息生成单元,用于使用所述公钥K31加密密钥K11,获得所述密钥K11的加密信息E12;A second encrypted information generating unit, configured to use the public key K31 to encrypt the key K11 to obtain encrypted information E12 of the key K11;

第二授权信息生成单元,用于对生成其它客户端设备使用所述加密文档的授权信息,并使用所述公钥K31加密该授权信息,获得该授权信息的加密信息A12;The second authorization information generation unit is used to generate the authorization information of the encrypted document for other client devices, and encrypt the authorization information with the public key K31, and obtain the encrypted information A12 of the authorization information;

第二许可证书生成单元,用于生成包含加密信息E12和A12的许可证书V12;A second license generating unit, configured to generate a license V12 containing encrypted information E12 and A12;

第二关联存储单元,用于关联存储所述许可证书V12和加密文档。The second associative storage unit is used to associatively store the license certificate V12 and the encrypted document.

本发明实施例通过由客户端系统独立对起草或修改中的文档进行保护,并使被保护的文档与客户端的设备硬件信息绑定,使客户端设备无法与服务器通过网络连接时,也能对文档进行保护,同时,被保护的文档也可以通过授权供其他人使用,并在其他人使用时需要与数字版权保护服务器联网才能获得授权的许可证。更进一步的,被保护的文档可以从其他人机器上再次传递,进行循环使用。In the embodiment of the present invention, the client system independently protects the document being drafted or revised, and binds the protected document with the device hardware information of the client, so that when the client device cannot connect to the server through the network, it can also At the same time, the protected files can also be authorized for use by others, and when they are used by others, they need to be connected to the digital copyright protection server to obtain the authorized license. Furthermore, the protected files can be retransmitted from other people's machines for recycling.

附图说明 Description of drawings

图1为本发明实施例中客户端设备对数字文档进行加密的一种方法流程图;Fig. 1 is a flow chart of a method for encrypting a digital document by a client device in an embodiment of the present invention;

图2为本发明实施例中对加密文档进行解密的一种方法流程图;Fig. 2 is a flow chart of a method for decrypting an encrypted document in an embodiment of the present invention;

图3为本发明实施例中客户端设备对数字文档进行加密的另一种方法流程图;3 is a flow chart of another method for encrypting a digital document by a client device in an embodiment of the present invention;

图4为本发明实施例中对加密文档进行解密的另一种方法流程图;FIG. 4 is a flow chart of another method for decrypting an encrypted document in an embodiment of the present invention;

图5为本发明实施例中一种客户端设备结构示意图;FIG. 5 is a schematic structural diagram of a client device in an embodiment of the present invention;

图6为本发明实施例中另一种客户端设备结构示意图。FIG. 6 is a schematic structural diagram of another client device in an embodiment of the present invention.

具体实施方式 Detailed ways

由于现有数字版权保护技术要求执行设备必须联上网络才能够对文档进行加密保护,在单机运行时不能对文档进行加密保护,不能防止正在编辑的文档在无网络状态下被非法复制,因此,在实际应用中,需要一种可以在本地客户端设备保护和网络服务器保护两种保护方式下自由切换的保护系统,文档在起草或修改状态下自动切换为本地客户端设备保护方式,由客户端机器单独实现对文档的保护,在文档流通阅读的状态下自动切换为网络服务器保护方式,使用服务器系统网络认证实现对文档的保护。Since the existing digital copyright protection technology requires that the execution device must be connected to the network to be able to encrypt and protect the document, the document cannot be encrypted and protected when running on a stand-alone computer, and it cannot prevent the document being edited from being illegally copied without a network. Therefore, In practical applications, a protection system that can freely switch between local client device protection and network server protection is needed. When a document is drafted or modified, it automatically switches to the local client device protection method, and the client The machine independently realizes the protection of documents, and automatically switches to the network server protection mode in the state of document circulation and reading, and uses the server system network authentication to realize the protection of documents.

本发明实施例通过由客户端系统独立对起草或修改中的文档进行保护,并使被保护的文档与客户端的指定特征信息绑定,使客户端设备无法与服务器通过网络连接时,也能对文档进行保护,同时,被保护的文档也可以通过授权供其他人使用,并在其他人使用时需要与数字版权保护服务器联网才能获得授权的许可证。更进一步的,被保护的文档可以从其他人机器上再次传递,进行循环使用。In the embodiment of the present invention, the client system independently protects the document being drafted or revised, and binds the protected document with the specified feature information of the client, so that the client device can also be protected when the client device cannot connect to the server through the network. At the same time, the protected files can also be authorized for use by others, and when they are used by others, they need to be connected to the digital copyright protection server to obtain the authorized license. Furthermore, the protected files can be retransmitted from other people's machines for recycling.

参阅图1所示,本发明实施例的一种客户端设备对数字文档进行加密的方法具体工作流程如下:Referring to Fig. 1, a method for encrypting a digital document by a client device according to an embodiment of the present invention has a specific workflow as follows:

S010、生成密钥K11,并使用上述密钥K11加密数字文档,获得上述数字文档的加密文档;S010. Generate a key K11, and use the key K11 to encrypt the digital document to obtain an encrypted document of the above digital document;

S020、根据客户端设备的指定特征信息生成密钥K12,并使用上述密钥K12加密密钥K11,获得上述密钥K11的加密信息E11;S020. Generate a key K12 according to the specified feature information of the client device, and use the key K12 to encrypt the key K11 to obtain encrypted information E11 of the key K11;

上述客户端设备的指定特征信息可以是客户端设备的硬件特征信息;The above specified feature information of the client device may be hardware feature information of the client device;

S030、生成上述加密文档的完全授权信息,并使用上述密钥K12加密上述完全授权信息,获得上述完全授权信息的加密信息A11;S030. Generate the full authorization information of the above-mentioned encrypted document, and encrypt the above-mentioned full authorization information with the above-mentioned key K12, and obtain the encrypted information A11 of the above-mentioned full authorization information;

S040、将上述加密信息E11和A11写入加密文档中以形成关联;或者生成包含上述加密信息E11、A11和客户端设备标识信息的许可证书V11,并关联上述加密文档和许可证书V11;S040. Write the above-mentioned encrypted information E11 and A11 into an encrypted file to form an association; or generate a license certificate V11 including the above-mentioned encrypted information E11, A11 and client device identification information, and associate the above-mentioned encrypted file with the license certificate V11;

参阅图2所示,客户端设备在本地解密根据上述加密文档时,具体包括以下步骤:Referring to Figure 2, when the client device locally decrypts the above-mentioned encrypted document, it specifically includes the following steps:

s051、从所述许可证书V11中获取客户端设备标识信息和加密信息A11;s051. Obtain client device identification information and encrypted information A11 from the license certificate V11;

s052、确认该标识信息为本客户端设备标识信息后,根据客户端设备的指定特征信息生成密钥K12;s052. After confirming that the identification information is the identification information of the client device, generate a key K12 according to the specified characteristic information of the client device;

s053、使用密钥K12解密加密信息A11得到授权信息,确认该授权信息为完全授权信息;s053. Use the key K12 to decrypt the encrypted information A11 to obtain authorization information, and confirm that the authorization information is full authorization information;

s054、从所述加密文档或从与加密文档关联的许可证书V11中获取加密信息E11,并使用密钥K12解密加密信息E11,获得上述加密文档的加密密钥K11;s054. Obtain the encrypted information E11 from the encrypted document or the license V11 associated with the encrypted document, and use the key K12 to decrypt the encrypted information E11 to obtain the encrypted key K11 of the encrypted document;

s055、使用密钥K11解密上述加密文档,获得解密的数字文档。s055. Use the key K11 to decrypt the above-mentioned encrypted document to obtain a decrypted digital document.

参阅图3所示,本发明实施例的另一种客户端设备对数字文档进行加密的方法在本地客户端对数字文档进行加密形成加密文档后,当该加密文档进入网络流通供其他客户端设备使用时,利用网络侧加密服务器提供的公钥K3 1和用来解密由公钥K31加密的数据的私钥K32,完成了对该加密文档的保护,其中公钥K31向所有的客户端发布,私钥K32保存在加密服务器中,该方法的具体工作过程如下:Referring to Fig. 3, another client device encrypts a digital document according to an embodiment of the present invention. After the local client encrypts the digital document to form an encrypted document, when the encrypted document enters the network circulation for other client devices During use, the public key K31 provided by the encryption server on the network side and the private key K32 used to decrypt the data encrypted by the public key K31 are used to complete the protection of the encrypted document, wherein the public key K31 is issued to all clients. The private key K32 is stored in an encrypted server, and the specific working process of this method is as follows:

S110、产生一个文件加密密钥K11,并使用密钥K11加密需要被保护的数字文档,形成加密文档;S110. Generate a file encryption key K11, and use the key K11 to encrypt the digital document to be protected to form an encrypted document;

S120、根据本地客户端设备的指定特征信息产生密钥K12,使用密钥K12加密密钥K11,生成密钥K11的加密信息E11,即E11=K12(K11),本地客户端设定加密文档对本机的使用权限,生成授权信息,并用密钥K12加密该授权信息,获得该授权信息的加密信息A11;S120. Generate the key K12 according to the specified feature information of the local client device, use the key K12 to encrypt the key K11, and generate the encrypted information E11 of the key K11, that is, E11=K12(K11), and the local client sets the encrypted file to this computer, generate authorization information, and encrypt the authorization information with the key K12 to obtain the encrypted information A11 of the authorization information;

由于本地客户端是需要被保护的数字文档的加密方,其授权信息应规定本地客户端具有最大使用权限;Since the local client is the encryptor of the digital document that needs to be protected, its authorization information should stipulate that the local client has the maximum usage authority;

S130、本地客户端从加密服务器获取公钥K31,用公钥K31加密密钥K11得到加密信息E12,即E12=K31(K11),设定加密文档对除本地客户端之外的其他客户端的授权信息,并用公钥K31加密该授权信息,获得该授权信息的加密信息A12;S130, the local client obtains the public key K31 from the encryption server, uses the public key K31 to encrypt the key K11 to obtain the encrypted information E12, that is, E12=K31(K11), and sets the authorization of the encrypted document to other clients except the local client information, and encrypt the authorization information with the public key K31 to obtain the encrypted information A12 of the authorization information;

S140、本地客户端生成包含客户端设备标识信息、加密信息A11、E11、A12及E12的许可证书V12,该许可证书V12与加密文档关联;S140. The local client generates a license certificate V12 including client device identification information, encrypted information A11, E11, A12, and E12, and the license certificate V12 is associated with the encrypted document;

本步骤中本地客户端也可以将客户端设备标识信息、加密信息A11、E11、A12及E12写入上述加密文件中。In this step, the local client may also write the client device identification information, encrypted information A11, E11, A12, and E12 into the above encrypted file.

至此数字文档完成了加密保护。So far, the digital document has been encrypted and protected.

参阅图4所示,对上述加密文档进行解密的方法包括以下步骤:Referring to shown in Figure 4, the method for decrypting the above-mentioned encrypted document comprises the following steps:

s151、在使用上述加密文档前,根据许可证书V12中的客户端标识信息判断当前客户端是否与许可证书V12匹配;s151. Before using the above-mentioned encrypted document, judge whether the current client matches the license V12 according to the client identification information in the license V12;

如果许可证书V12与当前客户端匹配,则可以直接使用许可证书V12,进入本地许可证解析;If the license certificate V12 matches the current client, you can directly use the license certificate V12 to enter the local license analysis;

上述本地许可证解析包括以下步骤:根据当前客户端的指定特征信息产生密钥K12,并使用密钥K12解密许可证书V12中的加密信息E11得到密钥K11,用密钥K12解密加密信息A11得到当前客户端对加密文档的使用权限,用密钥K11解密上述加密文档得到最终可以操作的数字文档,根据当前客户端对该加密文档的使用权限对数字文档进行相应操作;The above local license parsing includes the following steps: generate a key K12 according to the specified feature information of the current client, and use the key K12 to decrypt the encrypted information E11 in the license certificate V12 to obtain the key K11, and use the key K12 to decrypt the encrypted information A11 to obtain the current The client's right to use the encrypted document, use the key K11 to decrypt the above encrypted document to obtain the final operable digital document, and perform corresponding operations on the digital document according to the current client's right to use the encrypted document;

如果许可证书V12与当前客户端不匹配,则继续进入以下步骤进行异地许可证解析;If the license certificate V12 does not match the current client, proceed to the following steps to analyze the remote license;

s152、根据当前客户端的指定特征信息产生密钥K22,从加密服务器获取公钥K31,用公钥K31加密密钥K22,即K31(K22)=E21;s152. Generate a key K22 according to the specified feature information of the current client, obtain the public key K31 from the encryption server, and encrypt the key K22 with the public key K31, that is, K31(K22)=E21;

s153、从许可证书V12获取加密信息E12和A12,并将加密信息E21、E12和A12发送给加密服务器;s153. Obtain the encrypted information E12 and A12 from the license certificate V12, and send the encrypted information E21, E12, and A12 to the encrypted server;

如果前边将加密信息A11、E11、A12及E12写入了上述加密文件中,则从上述加密文件中获取加密信息E12和A12;If the encrypted information A11, E11, A12 and E12 are written in the above-mentioned encrypted file, then the encrypted information E12 and A12 are obtained from the above-mentioned encrypted file;

s154、加密服务器用公钥K31对应的私钥K32解密加密信息A12,获得加密文档的授权信息,依据授权信息判断当前客户端是否具有合法的使用文件权限;s154. The encryption server decrypts the encrypted information A12 with the private key K32 corresponding to the public key K31, obtains the authorization information of the encrypted document, and judges whether the current client has legal authority to use the file according to the authorization information;

如果不具备使用文件的权限,则向当前客户端返回拒绝使用的信息,当前客户端无法使用该加密文档;If you do not have the permission to use the file, return the information of denial of use to the current client, and the current client cannot use the encrypted file;

如果当前客户端具有对文件的某些使用权利,则加密服务器用私钥K32从加密信息E12解密出密钥K11以及从加密信息E21中解密出密钥K22,使用密钥K22加密密钥K11得到加密信息E31,用密钥K22加密当前客户端的使用权限信息得到加密信息A31后,以加密信息E31、A31以及E12、A12构造当前客户端的新许可证书V31,即V31=(E31,A31,E12,A12),将该许可证书V31返回给当前客户端,其中V31中还包含当前客户端标识信息;If the current client has some right to use the file, the encryption server uses the private key K32 to decrypt the key K11 from the encrypted information E12 and decrypts the key K22 from the encrypted information E21, and uses the key K22 to encrypt the key K11 to obtain Encrypted information E31, after encrypting the use authority information of current client with key K22 to obtain encrypted information A31, construct the new license certificate V31 of current client with encrypted information E31, A31 and E12, A12, namely V31=(E31, A31, E12, A12), returning the license certificate V31 to the current client, wherein V31 also includes the identification information of the current client;

s155、再次产生密钥K22,从许可证书V31中获取加密信息E31和A31,并用密钥K22解密加密信息E31获得密钥K11,用密钥K22解密加密信息A31获得当前客户端的授权信息;s155. Generate the key K22 again, obtain the encrypted information E31 and A31 from the license certificate V31, and decrypt the encrypted information E31 with the key K22 to obtain the key K11, and decrypt the encrypted information A31 with the key K22 to obtain the authorization information of the current client;

s156、用密钥K11解密加密文档形成最终可使用的数字文档,根据获得的授权信息对该数字文档进行相应操作。s156. Decrypt the encrypted document with the key K11 to form a final usable digital document, and perform corresponding operations on the digital document according to the obtained authorization information.

依据上述步骤和流程,即完成了一个典型的文件在客户端加密、异地使用授权、传播、使用的完整实施过程。According to the above steps and processes, a typical complete implementation process of file encryption on the client side, remote use authorization, dissemination, and use is completed.

当客户端通过异地许可证解析过程获得相匹配的许可证书V31后,客户端还可以在当前客户机上保存许可证书V31并将许可证书V31与加密文档重新关联,则在下次访问该加密文档时,直接根据相匹配的许可证书V31进入本地许可证解析过程离线使用加密文档,不需要再次通过加密服务器获取许可证书V31。After the client obtains the matching license certificate V31 through the remote license parsing process, the client can also save the license certificate V31 on the current client computer and re-associate the license certificate V31 with the encrypted document, then when accessing the encrypted document next time, Enter the local license parsing process directly according to the matching license certificate V31 to use the encrypted document offline, without needing to obtain the license certificate V31 through the encryption server again.

可见,通过本地许可证解析过程使用的加密文档包括两类:其一为经本地客户端加密生成的加密文档;其二为从其它客户端接收的并使用过的加密文档,该加密文档已经被重新关联了从加密服务器获得的许可证书。It can be seen that the encrypted documents used through the local license parsing process include two types: one is the encrypted document generated by the local client encryption; the other is the encrypted document received and used from other clients, and the encrypted document has been encrypted The license certificate obtained from the encryption server was reassociated.

根据使用中各个步骤的不同次序组合,也可以产生其它一些不同的典型应用。例如对于接收客户端中已经使用过的文档,由接收客户端再次发出进行流通,则可以产生类似但全新的应用流程。一旦文档被另外一台客户端所接收,此客户端与接收客户端的角色将分别取代上述参考实施例中的接收客户端和本地客户端。特殊的,如果文件被本地客户端重新获得并使用,则本地客户端和接收客户端的角色将产生置换。Some other typical applications can also be produced according to different sequence combinations of the various steps in use. For example, if the documents that have been used in the receiving client are reissued by the receiving client for circulation, a similar but brand new application process can be generated. Once the document is received by another client, the roles of this client and the receiving client will respectively replace the receiving client and the local client in the above-mentioned reference embodiment. In particular, if the file is retrieved and used by the local client, the roles of the local client and the receiving client will be reversed.

如图5,本发明实施例还提供一种客户端设备,包括:As shown in Figure 5, the embodiment of the present invention also provides a client device, including:

加密文档生成单元501,用于生成密钥K11,并使用所述密钥K11加密数字文档,获得所述数字文档的加密文档;An encrypted file generation unit 501, configured to generate a key K11, and use the key K11 to encrypt a digital file to obtain an encrypted file of the digital file;

第一加密信息生成单元502,用于根据客户端设备的指定特征信息生成密钥K12,并使用所述密钥K12加密密钥K11,获得所述密钥K11的加密信息E11;The first encrypted information generating unit 502 is configured to generate a key K12 according to the specified characteristic information of the client device, and use the key K12 to encrypt the key K11 to obtain the encrypted information E11 of the key K11;

第一关联存储单元503,用于关联存储所述加密文档和加密信息E11。The first associative storage unit 503 is configured to associatively store the encrypted document and the encrypted information E11.

其中,所述的第一关联存储单元将加密信息E11写入相关联的加密文档中以形成关联。Wherein, the first association storage unit writes the encrypted information E11 into the associated encrypted file to form an association.

进一步,还包括:Further, it also includes:

第一许可证书生成单元504,用于生成包含所述加密信息E11的许可证书V11,所述的第一关联存储单元关联存储所述加密文档和许可证书V11;The first license generating unit 504 is configured to generate a license V11 containing the encrypted information E11, and the first associated storage unit associates and stores the encrypted document and the license V11;

第一授权信息生成单元505,用于生成所述加密文档的完全授权信息,并使用所述密钥K12加密所述完全授权信息,获得所述授权信息的加密信息A11;所述第一许可证书生成单元生成的许可证书V11中还包含该加密信息A11。The first authorization information generating unit 505 is configured to generate the full authorization information of the encrypted document, and use the key K12 to encrypt the full authorization information to obtain the encrypted information A11 of the authorization information; the first license certificate The license certificate V11 generated by the generating unit also includes the encrypted information A11.

如果在本端使用加密文档,则客户端设备还包括:If encrypted files are used locally, the client device also includes:

第一解密单元506,用于从所述第一关联存储单元中获取关联存储的加密文档和加密信息E11,使用所述密钥K12解密加密信息E11,获得所述加密文档的加密密钥K11,使用所述密钥K11解密所述加密文档,获得解密的数字文档。The first decryption unit 506 is configured to obtain the associated stored encrypted document and encrypted information E11 from the first associated storage unit, use the key K12 to decrypt the encrypted information E11, and obtain the encrypted key K11 of the encrypted document, The encrypted document is decrypted by using the key K11 to obtain a decrypted digital document.

如果需要将加密文档发送到网络进行流通,则客户端设备还包括:If encrypted documents need to be sent to the network for circulation, the client device also includes:

公钥获取单元507,用于从网络侧加密服务器获取公钥K31;A public key obtaining unit 507, configured to obtain the public key K31 from the network side encryption server;

第二加密信息生成单元508,用于使用所述公钥K31加密密钥K11,获得所述密钥K11的加密信息E12;The second encrypted information generation unit 508 is configured to use the public key K31 to encrypt the key K11 to obtain encrypted information E12 of the key K11;

第二授权信息生成单元509,用于对生成其它客户端设备使用所述加密文档的授权信息,并使用所述公钥K31加密该授权信息,获得该授权信息的加密信息A12;The second authorization information generating unit 509 is configured to generate authorization information for other client devices using the encrypted document, and encrypt the authorization information using the public key K31, to obtain encrypted information A12 of the authorization information;

第二许可证书生成单元510,用于生成包含加密信息E12和A12的许可证书V12;A second license generating unit 510, configured to generate a license V12 containing encrypted information E12 and A12;

第二关联存储单元511,用于关联存储所述许可证书V12和加密文档。The second associative storage unit 511 is configured to associatively store the license certificate V12 and the encrypted document.

以及,还包括:and, also includes:

发送单元512,用于发送所述许可证书V12和加密文档。A sending unit 512, configured to send the license certificate V12 and the encrypted document.

如图6所示,如果客户端设备从网络接收到其它网络设备的解密文档和许可证书,需要利用许可证书将加密文档解密到本端时,客户端设备包括:As shown in Figure 6, if the client device receives the decrypted document and license certificate from other network devices from the network, and needs to use the license certificate to decrypt the encrypted document to the local end, the client device includes:

接收单元601,用于接收所述许可证书V12和加密文档,并从所述许可证书V12获取所述加密信息E12和A12;A receiving unit 601, configured to receive the license V12 and the encrypted document, and obtain the encrypted information E12 and A12 from the license V12;

第二加密信息生成单元602,用于根据客户端设备的指定特征信息生成密钥K22,并使用所述公钥K31加密所述密钥K22,获得所述密钥K22的加密信息E21;The second encrypted information generating unit 602 is configured to generate a key K22 according to the specified characteristic information of the client device, and encrypt the key K22 using the public key K31 to obtain encrypted information E21 of the key K22;

鉴权单元603,用于将所述加密信息E12、A12和E21发送给所述加密服务器,并接收加密服务器在使用所述公钥K31对应的私钥K32解密所述加密信息E12、A12和E21后,返回给客户端的加密信息E31和A31,其中:所述加密信息A31是使用密钥K22对包含在许可证书V12中的该客户端设备授权信息进行加密后的加密信息,所述加密信息E31是使用密钥K22对密钥K11进行加密的加密信息;An authentication unit 603, configured to send the encrypted information E12, A12, and E21 to the encryption server, and receive the encrypted information E12, A12, and E21 decrypted by the encryption server using the private key K32 corresponding to the public key K31. Afterwards, the encrypted information E31 and A31 returned to the client, wherein: the encrypted information A31 is the encrypted information after using the key K22 to encrypt the authorization information of the client device included in the license certificate V12, and the encrypted information E31 is the encrypted information encrypted with the key K11 using the key K22;

第二解密单元604,用于使用密钥K22解密加密信息E31以获得密钥K11、解密加密信息A31获得对该客户端设备的授权信息;The second decryption unit 604 is configured to use the key K22 to decrypt the encrypted information E31 to obtain the key K11, and decrypt the encrypted information A31 to obtain authorization information for the client device;

权限控制单元605,用于使用密钥K11解密加密文档获得对应的数字文档,并根据对该客户端设备的授权信息控制对所述数字文档的使用权限。The authority control unit 605 is configured to use the key K11 to decrypt the encrypted document to obtain a corresponding digital document, and control the use authority of the digital document according to the authorization information of the client device.

需要说明的是,图5和图6所示结构可以设置在同一个客户端设备上,组成一个综合的客户端系统,则第一加密信息生成单元502可以和第二加密信息生成单元602合并设置,第一解密单元506和第二解密单元604也可以合并设置。It should be noted that the structures shown in Figure 5 and Figure 6 can be set on the same client device to form a comprehensive client system, then the first encrypted information generating unit 502 can be combined with the second encrypted information generating unit 602 , the first decryption unit 506 and the second decryption unit 604 may also be combined.

参阅图5和图6所示的客户端设备和网络侧的加密服务器构成加密系统,实现客户端本地加密数字文字,并授权其它客户端设备使用的需求。Referring to Figure 5 and Figure 6, the client device and the encryption server on the network side constitute an encryption system to realize the client's local encrypted digital text and authorize other client devices to use it.

综上所述,本发明实施例通过由客户端系统独立对起草或修改中的文档进行保护,并使被保护的文档与客户端的设备硬件信息绑定,使客户端设备无法与服务器通过网络连接时,也能对文档进行保护,同时,被保护的文档也可以通过授权供其他人使用,并在其他人使用时需要与数字版权保护服务器联网才能获得授权的许可证。更进一步的,被保护的文档可以从其他人机器上再次传递,进行循环使用。In summary, the embodiment of the present invention independently protects the document being drafted or revised by the client system, and binds the protected document with the client device hardware information, so that the client device cannot be connected to the server through the network At the same time, the protected document can also be authorized for use by others, and when other people use it, it needs to be connected to the digital copyright protection server to obtain the authorized license. Furthermore, the protected files can be transferred from other people's machines for recycling.

显然,本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。这样,倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内,则本发明也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention also intends to include these modifications and variations.

Claims (17)

1、一种客户端设备对数字文档进行加密的方法,其特征在于:1. A method for a client device to encrypt a digital document, characterized in that: 当客户端系统独立对起草或修改中的文档进行保护时切换为本地客户端设备保护方式对数字文档进行加密,加密的方法包括:When the client system independently protects the document being drafted or revised, switch to the local client device protection method to encrypt the digital document. The encryption methods include: 客户端设备生成密钥K11,并使用所述密钥K11加密数字文档,获得所述数字文档的加密文档;The client device generates a key K11, and encrypts a digital document using the key K11, to obtain an encrypted document of the digital document; 客户端设备根据客户端设备的指定特征信息生成密钥K12,并使用所述密钥K12加密密钥K11,获得所述密钥K11的加密信息E11;The client device generates a key K12 according to the specified feature information of the client device, and uses the key K12 to encrypt the key K11 to obtain encrypted information E11 of the key K11; 客户端设备生成所述加密文档的完全授权信息,并使用所述密钥K12加密所述完全授权信息,获得所述完全授权信息的加密信息A11;The client device generates the full authorization information of the encrypted document, and uses the key K12 to encrypt the full authorization information, and obtains the encrypted information A11 of the full authorization information; 客户端设备关联所述加密文档、加密信息E11和A11;The client device associates the encrypted document, encrypted information E11 and A11; 在文档流通阅读的状态下进行保护时切换为网络服务器保护方式,使用服务器系统网络认证实现对文档的保护,加密的方法包括:Switch to the network server protection method when protecting the document in the state of circulation and reading, and use the server system network authentication to realize the protection of the document. The encryption method includes: 客户端设备生成密钥K11,并用所述密钥K11加密数字文档,获得所述数字文档的加密文档;The client device generates a key K11, and encrypts the digital document with the key K11, to obtain an encrypted document of the digital document; 客户端设备从网络侧加密服务器获取公钥K31,并用所述公钥K31加密密钥K11,获得所述密钥K11的加密信息E12,设定加密文档对除本地客户端之外的其他客户端的授权信息;The client device obtains the public key K31 from the encryption server on the network side, and encrypts the key K11 with the public key K31, obtains the encrypted information E12 of the key K11, and sets the encrypted file to other clients except the local client. authorization information; 客户端设备使用所述公钥K31加密该其他客户端的授权信息,获得该其他客户端的授权信息的加密信息A12;The client device encrypts the authorization information of the other client using the public key K31, and obtains the encrypted information A12 of the authorization information of the other client; 客户端设备生成包含加密信息E12、A12和客户端设备标识信息的许可证书V12,并关联所述许可证书V12和加密文档。The client device generates a license certificate V12 containing encrypted information E12, A12 and client device identification information, and associates the license certificate V12 with the encrypted document. 2、如权利要求1所述的方法,其特征在于,当切换为本地客户端设备保护方式对数字文档进行加密时,所述关联所述加密文档、加密信息E11和A11的方法包括:将所述加密信息E11和A11写入加密文档中以形成关联。2. The method according to claim 1, wherein when switching to the local client device protection mode to encrypt the digital document, the method for associating the encrypted document and encrypted information E11 and A11 comprises: The aforementioned encrypted information E11 and A11 are written into the encrypted file to form an association. 3、如权利要求1所述的方法,其特征在于,当切换为本地客户端设备保护方式对数字文档进行加密时,所述关联所述加密文档、加密信息E11和A11的方法包括:生成包含所述加密信息E11、A11和客户端设备标识信息的许可证书V11,并关联所述加密文档和许可证书V11。3. The method according to claim 1, wherein when switching to the local client device protection mode to encrypt the digital document, the method for associating the encrypted document, encrypted information E11 and A11 comprises: generating The encrypted information E11, A11 and the license certificate V11 of the client device identification information are associated with the encrypted document and the license certificate V11. 4、如权利要求1所述的方法,其特征在于,所述指定特征信息包括客户端设备的硬件特征信息。4. The method according to claim 1, wherein the specified feature information includes hardware feature information of the client device. 5、如权利要求1所述的方法,其特征在于,当切换为网络服务器保护方式时,所述加密方法还包括:将所述许可证书V12和加密文档一起发送给接收方。5. The method according to claim 1, wherein when switching to the network server protection mode, the encryption method further comprises: sending the license certificate V12 and the encrypted document to the receiver. 6、一种对加密文档进行解密的方法,其特征在于,所述加密文档是客户端设备根据权利要求1所述方法对数字文档进行加密后获得的,当需要解密的数字文档为采用本地客户端设备保护方式加密时,所述解密方法包括:6. A method for decrypting an encrypted document, characterized in that the encrypted document is obtained by the client device after encrypting the digital document according to the method according to claim 1, when the digital document to be decrypted is obtained by a local client When encrypting in the protection mode of the end device, the decryption method includes: 客户端设备根据指定特征信息生成密钥K12;The client device generates the key K12 according to the specified characteristic information; 客户端设备获取加密文档所关联的加密信息A11,并使用所述密钥K12解密A11得到授权信息,确认授权信息为完全授权信息;The client device obtains the encrypted information A11 associated with the encrypted document, and uses the key K12 to decrypt A11 to obtain the authorization information, and confirms that the authorization information is full authorization information; 客户端设备获取加密文档所关联的加密信息E11,并使用所述密钥K12解密加密信息E11,获得所述加密文档的加密密钥K11;The client device obtains the encrypted information E11 associated with the encrypted document, and uses the key K12 to decrypt the encrypted information E11, and obtains the encrypted key K11 of the encrypted document; 客户端设备使用所述密钥K11解密所述加密文档,获得解密的数字文档;The client device uses the key K11 to decrypt the encrypted document to obtain a decrypted digital document; 当需要解密的数字文档为采用网络服务器保护方式加密并在异地解密时,所述解密方法包括:When the digital document that needs to be decrypted is encrypted using a network server protection method and decrypted in a different place, the decryption method includes: 客户端设备从所述许可证书V12获取加密信息E12和A12,所述E12和A12为分别使用网络侧加密服务器提供的公钥K31对K11和加密文档的授权信息进行加密后获得的加密信息,所述K11为加密文档的加密密钥;The client device obtains the encrypted information E12 and A12 from the license certificate V12, and the E12 and A12 are encrypted information obtained by encrypting K11 and the authorization information of the encrypted document respectively using the public key K31 provided by the encryption server on the network side. K11 is the encryption key of the encrypted document; 客户端设备根据指定特征信息生成密钥K22,并使用所述公钥K31加密所述密钥K22,获得所述密钥K22的加密信息E21;The client device generates the key K22 according to the specified feature information, and encrypts the key K22 using the public key K31, and obtains the encrypted information E21 of the key K22; 客户端设备将所述加密信息E12、A12和E21发送给所述网络侧加密服务器,并接收所述网络侧加密服务器在使用所述公钥K31对应的私钥K32解密加密信息E12、A12和E21后,返回的加密信息E31和A31,其中:所述加密信息A31是使用密钥K22对设置在加密信息A12中的该客户端的授权信息进行加密后的加密信息,所述加密信息E31是使用密钥K22对密钥K11进行加密的加密信息;The client device sends the encrypted information E12, A12, and E21 to the network-side encryption server, and receives the encrypted information E12, A12, and E21 decrypted by the network-side encryption server using the private key K32 corresponding to the public key K31. Afterwards, the encrypted information E31 and A31 returned, wherein: the encrypted information A31 is the encrypted information after using the key K22 to encrypt the authorization information of the client set in the encrypted information A12, and the encrypted information E31 is encrypted using the key K22. Key K22 encrypts the encrypted information of key K11; 客户端设备使用密钥K22解密加密信息E31以获得密钥K11、解密加密信息A31获得对该客户端设备的授权信息;The client device uses the key K22 to decrypt the encrypted information E31 to obtain the key K11, and decrypts the encrypted information A31 to obtain authorization information for the client device; 客户端设备使用密钥K11解密加密文档获得对应的数字文档,并根据对该客户端设备的授权信息控制该客户端设备所述数字文档的使用权限。The client device uses the key K11 to decrypt the encrypted file to obtain the corresponding digital file, and controls the use authority of the digital file of the client device according to the authorization information of the client device. 7、如权利要求6所述的方法,其特征在于,当需要解密的数字文档为采用本地客户端设备保护方式加密时,所述加密信息E11和A11是从所述加密文档中获取的。7. The method according to claim 6, wherein when the digital document to be decrypted is encrypted using a local client device protection method, the encrypted information E11 and A11 are obtained from the encrypted document. 8、如权利要求6所述的方法,其特征在于,当需要解密的数字文档为采用本地客户端设备保护方式加密时,所述E11和A11是从与加密文档关联的许可证书V11中获取的。8. The method according to claim 6, wherein when the digital document to be decrypted is encrypted using a local client device protection method, the E11 and A11 are obtained from the license certificate V11 associated with the encrypted document . 9、如权利要求8所述的方法,其特征在于,所述解密方法还包括:9. The method according to claim 8, wherein the decryption method further comprises: 客户端设备从所述许可证书V11中获取客户端设备标识信息;The client device obtains the client device identification information from the license certificate V11; 客户端设备确认该标识信息为本客户端设备标识信息后,再生成所述密钥K12。The client device generates the key K12 after confirming that the identification information is the identification information of the client device. 9、如权利要求6所述的方法,其特征在于,所述指定特征信息包括客户端设备的硬件特征信息。9. The method according to claim 6, wherein the specified feature information includes hardware feature information of the client device. 10、如权利要求6所述的方法,其特征在于,当需要解密的数字文档为采用网络服务器保护方式加密并在异地解密时,所述解密方法还包括:10. The method according to claim 6, wherein when the digital document to be decrypted is encrypted using a network server protection method and decrypted in a different place, the decryption method further comprises: 所述网络侧加密服务器将加密信息E31和A31包含在许可证书V31中返回给客户端设备。The network-side encryption server returns the encryption information E31 and A31 included in the license certificate V31 to the client device. 11、如权利要求6所述的方法,其特征在于,当需要解密的数字文档为采用网络服务器保护方式加密并在异地解密时,所述许可证书V12中还包含加密文档发送方的标识信息,所述客户端设备先从许可证书V12中获取该标识信息,并验证该标识信息不是本地客户端设备标识信息后,再继续从所述许可证书V12获取所述加密信息E12和A12。11. The method according to claim 6, characterized in that when the digital document to be decrypted is encrypted using a network server protection method and decrypted in a different place, the license V12 also includes the identification information of the sender of the encrypted document, The client device first obtains the identification information from the license certificate V12, and after verifying that the identification information is not local client device identification information, continues to obtain the encrypted information E12 and A12 from the license certificate V12. 12、如权利要求11所述的方法,其特征在于,所述网络侧加密服务器根据解密后的授权信息,判断其中包含针对所述客户端设备所设置的授权信息后,向该客户端设备返回所加密信息述E31和A31,否则返回拒绝响应。12. The method according to claim 11, wherein the encryption server on the network side returns to the client device after judging that it contains the authorization information set for the client device according to the decrypted authorization information. The encrypted information is described as E31 and A31, otherwise a rejection response is returned. 13、一种客户端设备,其特征在于,包括:13. A client device, characterized by comprising: 加密文档生成单元,用于生成密钥K11,并使用所述密钥K11加密数字文档,获得所述数字文档的加密文档;An encrypted file generation unit, configured to generate a key K11, and use the key K11 to encrypt a digital file to obtain an encrypted file of the digital file; 第一加密信息生成单元,用于根据客户端设备的指定特征信息生成密钥K12,并使用所述密钥K12加密密钥K11,获得所述密钥K11的加密信息E11;A first encrypted information generation unit, configured to generate a key K12 according to specified feature information of the client device, and use the key K12 to encrypt the key K11 to obtain encrypted information E11 of the key K11; 第一关联存储单元,用于关联存储所述加密文档和加密信息E11;A first associative storage unit, configured to associatively store the encrypted document and the encrypted information E11; 第一授权信息生成单元,用于生成所述加密文档的完全授权信息,并使用所述密钥K12加密所述完全授权信息,获得所述授权信息的加密信息A11;A first authorization information generating unit, configured to generate full authorization information of the encrypted document, and use the key K12 to encrypt the full authorization information to obtain encrypted information A11 of the authorization information; 公钥获取单元,用于从网络侧加密服务器获取公钥K31;A public key acquisition unit, configured to acquire the public key K31 from the network-side encryption server; 第二加密信息生成单元,用于使用所述公钥K31加密密钥K11,获得所述密钥K11的加密信息E12;A second encrypted information generating unit, configured to use the public key K31 to encrypt the key K11 to obtain encrypted information E12 of the key K11; 第二授权信息生成单元,用于对生成其它客户端设备使用所述加密文档的授权信息,并使用所述公钥K31加密该授权信息,获得该授权信息的加密信息A12;The second authorization information generation unit is used to generate the authorization information of the encrypted document for other client devices, and encrypt the authorization information with the public key K31, and obtain the encrypted information A12 of the authorization information; 第二许可证书生成单元,用于生成包含客户端设备标识信息、加密信息E12和A12的许可证书V12;A second license generating unit, configured to generate a license V12 including client device identification information, encrypted information E12 and A12; 第二关联存储单元,用于关联存储所述许可证书V12和加密文档。The second associative storage unit is used to associatively store the license certificate V12 and the encrypted document. 14、如权利要求13所述的设备,其特征在于,所述的第一关联存储单元将加密信息E11和A12写入相关联的加密文档中以形成关联。14. The device according to claim 13, wherein the first association storage unit writes the encrypted information E11 and A12 into the associated encrypted file to form an association. 15、如权利要求13所述的设备,其特征在于,还包括:15. The apparatus of claim 13, further comprising: 第一许可证书生成单元,用于生成包含所述客户端设备标识信息、加密信息E11和A11的许可证书V11,所述的第一关联存储单元关联存储所述加密文档和许可证书V11。The first license generation unit is configured to generate a license V11 including the client device identification information, encrypted information E11 and A11, and the first associated storage unit stores the encrypted document and the license V11 in association. 第一解密单元,用于获取关联存储的加密文档和加密信息E11,使用所述密钥K12解密加密信息E11,获得所述加密文档的加密密钥K11,使用所述密钥K11解密所述加密文档,获得解密的数字文档。The first decryption unit is used to obtain the encrypted document and encrypted information E11 stored in association, use the key K12 to decrypt the encrypted information E11, obtain the encryption key K11 of the encrypted document, and use the key K11 to decrypt the encrypted Documents, access to decrypted digital documents. 16、如权利要求13所述的设备,其特征在于,还包括:16. The apparatus of claim 13, further comprising: 发送单元,用于发送所述许可证书V12和加密文档。A sending unit, configured to send the license certificate V12 and the encrypted document.
CNB2007101189171A 2007-06-14 2007-06-14 Encryption protection method and client device for digital document Expired - Fee Related CN100518060C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2007101189171A CN100518060C (en) 2007-06-14 2007-06-14 Encryption protection method and client device for digital document

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2007101189171A CN100518060C (en) 2007-06-14 2007-06-14 Encryption protection method and client device for digital document

Publications (2)

Publication Number Publication Date
CN101282214A CN101282214A (en) 2008-10-08
CN100518060C true CN100518060C (en) 2009-07-22

Family

ID=40014512

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2007101189171A Expired - Fee Related CN100518060C (en) 2007-06-14 2007-06-14 Encryption protection method and client device for digital document

Country Status (1)

Country Link
CN (1) CN100518060C (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2942334B1 (en) * 2009-02-18 2011-02-18 Att METHOD AND DEVICE FOR SECURING DOCUMENTS AGAINST COUNTERFEITING
US9137214B2 (en) * 2010-12-15 2015-09-15 Microsoft Technology Licensing, Llc Encrypted content streaming
CN102684877B (en) * 2012-03-31 2016-03-30 北京奇虎科技有限公司 A kind of method and device carrying out user profile process
CN105303070A (en) * 2014-07-09 2016-02-03 程旭 Copyright protection method for offline data
CN113609497B (en) * 2021-06-30 2022-09-23 荣耀终端有限公司 Data protection method and device

Also Published As

Publication number Publication date
CN101282214A (en) 2008-10-08

Similar Documents

Publication Publication Date Title
US7975312B2 (en) Token passing technique for media playback devices
CN100403209C (en) Method and apparatus for authorizing content operations
EP1686504B1 (en) Flexible licensing architecture in content rights management systems
US7995766B2 (en) Group subordinate terminal, group managing terminal, server, key updating system, and key updating method therefor
US20060149683A1 (en) User terminal for receiving license
US20130268759A1 (en) Digital rights management system transfer of content and distribution
US20120303967A1 (en) Digital rights management system and method for protecting digital content
CN114584295B (en) Universal black-box traceability method and apparatus for attribute-based proxy re-encryption systems
JP2010537287A (en) Apparatus and method for backup of copyright objects
CA2714196A1 (en) Information distribution system and program for the same
KR20090000624A (en) Mutual authentication method with host device and system
WO2007086015A2 (en) Secure transfer of content ownership
US20100058047A1 (en) Encrypting a unique cryptographic entity
CN101923616A (en) Service providing device, user terminal and copyright protection method in copyright protection
CN101399663B (en) A digital content authorization method, system and device
CN100518060C (en) Encryption protection method and client device for digital document
CN103139143A (en) Method, system and server for digital rights management (DRM)
CN101094062B (en) Method for implementing safe distribution and use of digital content by using memory card
US8755521B2 (en) Security method and system for media playback devices
JP5139045B2 (en) Content distribution system, content distribution method and program
EP2299379A1 (en) Digital rights management system with diversified content protection process
CN105046112A (en) Digital copyright protection method
JP2008503832A (en) Apparatus and method for processing digital rights objects
Fan et al. A novel usage control protocol model for DRM system
HK1108041A (en) Digital rights management system with diversified content protection process

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220627

Address after: 100871 No. 5, the Summer Palace Road, Beijing, Haidian District

Patentee after: Peking University

Patentee after: New founder holdings development Co.,Ltd.

Patentee after: FOUNDER APABI TECHNOLOGY Ltd.

Address before: 100871 No. 5, the Summer Palace Road, Beijing, Haidian District

Patentee before: Peking University

Patentee before: PEKING UNIVERSITY FOUNDER GROUP Co.,Ltd.

Patentee before: FOUNDER APABI TECHNOLOGY Ltd.

TR01 Transfer of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090722

CF01 Termination of patent right due to non-payment of annual fee