[go: up one dir, main page]

CN108257319B - USBKEY safe storage cabinet with encryption and decryption functions and application method thereof - Google Patents

USBKEY safe storage cabinet with encryption and decryption functions and application method thereof Download PDF

Info

Publication number
CN108257319B
CN108257319B CN201810145686.1A CN201810145686A CN108257319B CN 108257319 B CN108257319 B CN 108257319B CN 201810145686 A CN201810145686 A CN 201810145686A CN 108257319 B CN108257319 B CN 108257319B
Authority
CN
China
Prior art keywords
unit
usbkey
drawer
storage cabinet
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810145686.1A
Other languages
Chinese (zh)
Other versions
CN108257319A (en
Inventor
梁晓兵
翟峰
黄加羽
岑炜
赵兵
刘鹰
吕英杰
孔令达
李保丰
付义伦
曹永峰
许斌
徐萌
刘书勇
冯占成
任博
张庚
杨全萍
周琪
李丽丽
冯云
袁泉
卢艳
韩文博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electric Power Research Institute Co Ltd CEPRI
Original Assignee
China Electric Power Research Institute Co Ltd CEPRI
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Electric Power Research Institute Co Ltd CEPRI filed Critical China Electric Power Research Institute Co Ltd CEPRI
Priority to CN201810145686.1A priority Critical patent/CN108257319B/en
Publication of CN108257319A publication Critical patent/CN108257319A/en
Application granted granted Critical
Publication of CN108257319B publication Critical patent/CN108257319B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F17/00Coin-freed apparatus for hiring articles; Coin-freed facilities or services
    • G07F17/10Coin-freed apparatus for hiring articles; Coin-freed facilities or services for means for safe-keeping of property, left temporarily, e.g. by fastening the property
    • G07F17/12Coin-freed apparatus for hiring articles; Coin-freed facilities or services for means for safe-keeping of property, left temporarily, e.g. by fastening the property comprising lockable containers, e.g. for accepting clothes to be cleaned
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Lock And Its Accessories (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a USBKEY safe storage cabinet device with encryption and decryption functions and an application method thereof, wherein the device comprises a USB-KEY safe storage cabinet and a control server; the USBKEY safe storage cabinet comprises a main control unit, a drawer unit, a safety unit, an information authentication unit, an electronic seal unit, a USBKEY taking and returning unit, a data storage unit and a power supply unit; the USBKEY safe storage cabinet is used for safely storing the USBKEY, performs authentication communication with the control server and completes the taking out and returning of the USBKEY according to the received encryption control instruction; the control server comprises a parameter input unit, a data communication unit, a parameter setting unit and a control logic unit; the control server is used for carrying out authentication communication with the USBKEY safe storage cabinet and sending a control instruction to the USBKEY safe storage cabinet; the drawer unit comprises N drawer subunits, wherein each drawer subunit comprises a CPU module, a drawer mechanical structure and a drawer safety module.

Description

一种具有加解密功能的USBKEY安全存储柜及其应用方法A USBKEY secure storage cabinet with encryption and decryption functions and its application method

技术领域Technical field

本发明涉及信息安全技术领域,更具体地,涉及一种具有加解密功能的USBKEY安全存储柜装置及其应用方法。The present invention relates to the field of information security technology, and more specifically, to a USBKEY secure storage cabinet device with encryption and decryption functions and an application method thereof.

背景技术Background technique

USBKEY作为常用的密钥广泛的应用于各种需要进行审核的领域中,以电力营销系统的核心业务—费控业务为例,它直接关系着电力企业和电力用户的切身利益,其安全性至关重要。在实施费控过程中,营销系统接收营销远程实时费控系统生成的欠费列表,相应县、市营业专责对欠费控制列表信息进行审核并对审核数据进行加密和签名,生成最终跳闸控制列表和跳闸控制电子工单。跳闸控制列表和跳闸控制电子工单经统一接口服务平台发送至用电信息采集系统进行处理。而跳闸控制列表的审核数据即是需要营业专责通过USBKEY进行加密和签名;目前营销审核人员使用的USBKEY缺乏有效的管理方法和装置,而且营销审核人员使用的USBKEY不只一把,而且存在容易混淆的问题,无法保证费控操作的安全性和可追溯性,为解决上述问题,必须对USBKEY进行安全有效管理。As a commonly used key, USBKEY is widely used in various fields that require auditing. Taking the core business of the power marketing system - the cost control business as an example, it is directly related to the vital interests of power companies and power users, and its security is of utmost importance. It's important. During the implementation of fee control, the marketing system receives the arrears list generated by the marketing remote real-time fee control system. The corresponding county and city business departments are responsible for reviewing the arrears control list information, encrypting and signing the audit data, and generating the final trip control list. and trip control electronic work orders. The trip control list and trip control electronic work order are sent to the power consumption information collection system for processing through the unified interface service platform. The audit data of the trip control list needs to be encrypted and signed by the salesperson through USBKEY; the USBKEY currently used by marketing auditors lacks effective management methods and devices, and the USBKEY used by marketing auditors is more than one, and there are easily confused Problem, the security and traceability of fee control operations cannot be guaranteed. In order to solve the above problems, USBKEY must be managed safely and effectively.

发明内容Contents of the invention

为了解决背景技术存在的USBKEY缺乏有效的管理方法和装置,无法保证费控操作的安全性和可追溯性,本发明提供了一种具有加解密功能的USBKEY安全存储柜装置及其应用方法;所述装置及方法通过设置具有加解密功能的安全存储柜,将USBKEY有序的存储管理,同时通过建立双向认证机制以及使用密文进行数据通信,提高了USBKEY的安全性,所述一种具有加解密功能的USBKEY安全存储柜装置包括:In order to solve the problem that the USBKEY existing in the background technology lacks effective management methods and devices and cannot guarantee the safety and traceability of fee control operations, the present invention provides a USBKEY secure storage cabinet device with encryption and decryption functions and its application method; The device and method described above provide orderly storage and management of USBKEY by setting up a secure storage cabinet with encryption and decryption functions, and at the same time improve the security of USBKEY by establishing a two-way authentication mechanism and using ciphertext for data communication. The device and method have encryption and decryption functions. USBKEY secure storage cabinet devices with decryption capabilities include:

USBKEY安全存储柜以及控制服务器;USBKEY secure storage cabinet and control server;

所述USBKEY安全存储柜包括主控单元、抽屉单元、安全单元以及信息认证单元;所述USBKEY安全存储柜用于安全存储USBKEY,所述USBKEY安全存储柜与控制服务器进行认证通信并根据接收的加密控制指令完成USBKEY的取出和收还;The USBKEY secure storage cabinet includes a main control unit, a drawer unit, a security unit and an information authentication unit; the USBKEY secure storage cabinet is used to securely store USBKEY, and the USBKEY secure storage cabinet communicates with the control server for authentication and encryption based on the received The control command completes the removal and return of USBKEY;

所述主控单元用于接收控制服务器发送的双向认证请求,并将所述双向认证请求发送至信息认证单元;所述主控单元用于接收控制服务器发送的加密的控制指令,并根据所述控制指令生成相应的操作指令与所述USBKEY安全存储柜的其他单元进行数据传输;The main control unit is used to receive the two-way authentication request sent by the control server, and send the two-way authentication request to the information authentication unit; the main control unit is used to receive the encrypted control instruction sent by the control server, and according to the The control instructions generate corresponding operation instructions for data transmission with other units of the USBKEY safety storage cabinet;

所述抽屉单元包括N个抽屉子单元,所述N个抽屉子单元中的每一个包括CPU模块、抽屉机械结构以及抽屉安全模块,所述CPU模块用于接收主控单元发送的加密的抽屉操作指令,通过所述抽屉安全模块进行解密确认后,将相应的抽屉执行指令处理后发送至抽屉机械结构;所述CPU模块用于通过所述抽屉安全模块与主控模块建立双向认证;所述CPU模块包括USB接口,所述USBKEY在抽屉子单元内通过与所述USB接口插接固定并进行数据通信;The drawer unit includes N drawer sub-units. Each of the N drawer sub-units includes a CPU module, a drawer mechanical structure and a drawer safety module. The CPU module is used to receive encrypted drawer operations sent by the main control unit. After the instruction is decrypted and confirmed by the drawer safety module, the corresponding drawer execution instruction is processed and sent to the drawer mechanical structure; the CPU module is used to establish two-way authentication with the main control module through the drawer safety module; the CPU The module includes a USB interface, and the USBKEY is plugged and fixed with the USB interface in the drawer subunit and performs data communication;

所述安全单元包括内置多种国密算法的密码芯片;所述安全单元用于对主控单元接收的加密控制指令进行解密,并对主控单元生成的各操作指令进行加密;The security unit includes a cryptographic chip with built-in multiple national secret algorithms; the security unit is used to decrypt the encrypted control instructions received by the main control unit, and encrypt each operation instruction generated by the main control unit;

所述信息认证单元用于接收经主控单元传输的双向认证请求,并根据所述双向认证请求进行安全认证,并将认证结果发送至主控单元;所述信息认证单元用于根据主控单元指令生成主控单元与抽屉单元间以及主控单元与控制服务器间的双向认证请求;The information authentication unit is used to receive a two-way authentication request transmitted by the main control unit, perform security authentication according to the two-way authentication request, and send the authentication result to the main control unit; the information authentication unit is used to perform security authentication according to the main control unit. The instruction generates a two-way authentication request between the main control unit and the drawer unit and between the main control unit and the control server;

所述控制服务器包括参数录入单元以及数据通信单元;所述控制服务器用于与USBKEY安全存储柜进行认证通信并向USBKEY安全存储柜发送控制指令;The control server includes a parameter entry unit and a data communication unit; the control server is used to perform authentication communication with the USBKEY secure storage cabinet and send control instructions to the USBKEY secure storage cabinet;

所述参数录入单元用于录入操作员基本信息以及包括USBKEY时效的参数;所述参数录入单元根据操作员录入的信息生成控制指令;所述操作员基本信息包括操作员编号及操作员密码;The parameter entry unit is used to enter the operator's basic information and parameters including USBKEY aging; the parameter entry unit generates control instructions based on the information entered by the operator; the operator's basic information includes the operator number and operator password;

所述数据通信单元用于与USBKEY安全存储柜建立双向认证;所述数据通信单元对所述参数录入单元生成的控制指令进行加密,并传送至所述USBKEY安全存储柜。The data communication unit is used to establish two-way authentication with the USBKEY secure storage cabinet; the data communication unit encrypts the control instructions generated by the parameter entry unit and transmits them to the USBKEY secure storage cabinet.

进一步的,所述USBKEY安全存储柜还包括电子封印单元、USBKEY取还单元、数据存储单元以及电源单元;Further, the USBKEY safety storage cabinet also includes an electronic seal unit, a USBKEY retrieval unit, a data storage unit and a power supply unit;

所述电子封印单元包括基于国密算法的密码芯片,所述电子封印单元用于存储所述USBKEY安全存储柜设备信息,所述设备信息包括设备唯一编号以及设备用途;The electronic seal unit includes a cryptographic chip based on the national secret algorithm. The electronic seal unit is used to store device information of the USBKEY secure storage cabinet. The device information includes the unique number of the device and the purpose of the device;

所述电源单元用于对USBKEY安全存储柜供电,所述电源单元包括一路主供电AC-DC模块以及一路备用AC-DC模块,两路AC-DC模块相互隔离;The power supply unit is used to power the USBKEY safety storage cabinet. The power supply unit includes a main power supply AC-DC module and a backup AC-DC module. The two AC-DC modules are isolated from each other;

所述数据存储单元用于存储操作员基本信息,并存储每个抽屉单元存储的USBKEY信息;所述USBKEY信息包括USBKEY编号以及USBKEY状态信息;The data storage unit is used to store the operator's basic information and store the USBKEY information stored in each drawer unit; the USBKEY information includes USBKEY number and USBKEY status information;

所述USBKEY取还单元用于根据主控单元的操作指令判断所述抽屉单元的各子单元反馈状态是否正确,所述USBKEY取还单元用于确认还USBKEY的时效是否异常,并对异常状态反馈给主控单元。The USBKEY retrieval and return unit is used to determine whether the feedback status of each sub-unit of the drawer unit is correct according to the operating instructions of the main control unit. The USBKEY retrieval and return unit is used to confirm whether the timeliness of returning the USBKEY is abnormal and to provide feedback on the abnormal status. to the main control unit.

进一步的,所述控制服务器还包括参数设置单元以及控制逻辑单元;Further, the control server also includes a parameter setting unit and a control logic unit;

所述参数设置单元用于设置操作员基本信息以及USBKEY安全存储柜设备信息;所述参数设置单元用于对USBKEY信息进行更新;The parameter setting unit is used to set the operator's basic information and the USBKEY safety storage cabinet device information; the parameter setting unit is used to update the USBKEY information;

所述控制逻辑单元用于根据所述抽屉单元的使用状态、USBKEY验证状态以及控制指令设置控制抽屉单元的预设规则。The control logic unit is used to set preset rules for controlling the drawer unit according to the usage status of the drawer unit, USBKEY verification status and control instructions.

进一步的,所述每个抽屉子单元的抽屉机械结构包括抽屉壳体、电子锁、位置传感器、齿轮条、弹簧、活动套管以及导轨;所述位置传感器用于感应抽屉壳体是否关闭到位,当所述位置传感器感应抽屉壳体已关闭到位时所述电子锁自动上锁;所述电子锁用于根据CPU模块指令进行开锁,开锁时,所述抽屉壳体通过所述弹簧的预紧力弹出,并通过齿轮条、活动套管和导轨组成的减速部件达到阻尼效果。Further, the drawer mechanical structure of each drawer subunit includes a drawer shell, an electronic lock, a position sensor, a gear rack, a spring, a movable sleeve and a guide rail; the position sensor is used to sense whether the drawer shell is closed in place, When the position sensor senses that the drawer shell has been closed in place, the electronic lock automatically locks; the electronic lock is used to unlock according to the instructions of the CPU module. When unlocking, the drawer shell is pre-tightened by the spring. It pops up and achieves damping effect through the deceleration component composed of gear rack, movable sleeve and guide rail.

进一步的,所述每个抽屉子单元的抽屉壳体内部两侧设有支架,用于支撑抽屉;所述电子锁固定在所述抽屉壳体的底部内侧;所述弹簧、齿轮条、活动套管和导轨固定在抽屉壳体的底部。Further, brackets are provided on both sides of the drawer housing of each drawer sub-unit to support the drawer; the electronic lock is fixed on the inside of the bottom of the drawer housing; the spring, gear bar, and movable sleeve The tubes and rails are fixed to the bottom of the drawer housing.

进一步的,所述装置还包括多个附属控制服务器,所述附属控制服务器包括附属参数录入单元,所述附属参数录入单元用于录入操作员基本信息以及包括USBKEY时效的参数;所述参数录入单元根据操作员指令生成控制指令;所述附属控制服务器与所述控制服务器通信,并将所述操作员基本信息、参数及控制指令发送至所述控制服务器。Further, the device further includes a plurality of auxiliary control servers, and the auxiliary control servers include an auxiliary parameter entry unit. The auxiliary parameter entry unit is used to enter basic operator information and parameters including USBKEY aging; the parameter entry unit Generate control instructions according to operator instructions; the affiliated control server communicates with the control server and sends the operator's basic information, parameters and control instructions to the control server.

进一步的,所述信息认证单元用于对USBKEY的签名信息进行验签;若验签不通过,则将验签不通过信息发送给主控单元。Further, the information authentication unit is used to verify the signature information of USBKEY; if the signature verification fails, the signature verification failure information is sent to the main control unit.

进一步的,所述USBKEY安全存储柜与所述控制服务器间、所述控制服务器与其他外设系统间、所述USBKEY安全存储柜内部均使用密文加MAC的方式进行数据传输。Furthermore, the data transmission between the USBKEY secure storage cabinet and the control server, between the control server and other peripheral systems, and inside the USBKEY secure storage cabinet uses ciphertext plus MAC for data transmission.

进一步的,所述主控单元包括主控CPU,所述各抽屉子单元的CPU模块包括抽屉CPU;所述主控CPU以及各抽屉CPU均为高性能系列32位CORTEX-M3核处理器。Further, the main control unit includes a main control CPU, and the CPU module of each drawer sub-unit includes a drawer CPU; the main control CPU and each drawer CPU are high-performance series 32-bit CORTEX-M3 core processors.

所述一种进行USBKEY安全存储的方法包括:The method for secure storage of USBKEY includes:

控制服务器接收录入指令后与USBKEY安全存储柜建立双向认证;After receiving the input command, the control server establishes two-way authentication with the USBKEY secure storage cabinet;

认证成功后,所述控制服务器向USBKEY安全存储柜发送加密的控制指令,所述控制指令包括操作员基本信息以及USBKEY时效参数;After successful authentication, the control server sends encrypted control instructions to the USBKEY secure storage cabinet. The control instructions include the operator's basic information and USBKEY aging parameters;

所述USBKEY安全存储柜的安全单元对所述加密的控制指令进行解密验证,并将验证通过的控制指令发送至所述USBKEY安全存储柜的主控单元;The security unit of the USBKEY secure storage cabinet decrypts and verifies the encrypted control instructions, and sends the verified control instructions to the main control unit of the USBKEY secure storage cabinet;

所述主控单元根据所述控制指令生成操作指令并将所述操作指令发送至抽屉单元;The main control unit generates an operation instruction according to the control instruction and sends the operation instruction to the drawer unit;

抽屉单元按所述操作指令进行USBKEY的取还。The drawer unit retrieves and returns the USBKEY according to the operation instructions.

进一步的,在所述主控单元将操作指令发送至所述抽屉单元前,所述方法还包括:Further, before the main control unit sends the operation instruction to the drawer unit, the method also includes:

所述主控单元通过所述信息认证单元与所述抽屉单元的抽屉安全模块建立双向认证,待认证通过后进行数据传输。The main control unit establishes bidirectional authentication with the drawer security module of the drawer unit through the information authentication unit, and performs data transmission after the authentication is passed.

进一步的,所述主控单元定时查询所述抽屉单元当前各抽屉子单元反馈状态,并向控制服务器上传操作日志;所述反馈状态包括所述抽屉子单元是否正存储有USBKEY。Further, the main control unit regularly queries the current feedback status of each drawer sub-unit of the drawer unit and uploads an operation log to the control server; the feedback status includes whether the drawer sub-unit is storing USBKEY.

进一步的,所述方法还包括:Further, the method also includes:

附属控制服务器接收录入指令后生成认证指令,并将所述认证指令发送至控制服务器;The affiliated control server generates an authentication instruction after receiving the input instruction, and sends the authentication instruction to the control server;

所述控制服务器根据接收的认证指令与USBKEY安全存储柜建立双向认证;The control server establishes two-way authentication with the USBKEY secure storage cabinet based on the received authentication instructions;

认证通过后,所述附属控制服务器将根据录入指令生成的控制指令发送至控制服务器,并由所述控制服务器对所述控制指令进行加密。After the authentication is passed, the affiliated control server sends the control instruction generated according to the input instruction to the control server, and the control server encrypts the control instruction.

进一步的,所述操作指令为还USBKEY时,所述抽屉单元根据操作指令打开对应的抽屉子单元,由操作员将USBKEY插入抽屉子单元的USB接口中;Further, when the operation instruction is to return the USBKEY, the drawer unit opens the corresponding drawer sub-unit according to the operation instruction, and the operator inserts the USBKEY into the USB interface of the drawer sub-unit;

所述信息认证单元对所述USBKEY的签名信息进行验证;The information authentication unit verifies the signature information of the USBKEY;

所述USBKEY取还单元对所述USBKEY的时效是否异常进行验证;The USBKEY retrieval unit verifies whether the aging of the USBKEY is abnormal;

若均验证通过,则由操作员关闭对应抽屉子单元,所述抽屉子单元自动上锁;If all verifications pass, the operator closes the corresponding drawer sub-unit, and the drawer sub-unit is automatically locked;

若有验证不通过,所述USBKEY安全存储柜进行异常提醒。If the verification fails, the USBKEY safe storage cabinet will issue an abnormality reminder.

进一步的,所述USBKEY安全存储柜与所述控制服务器间、所述控制服务器与其他外设系统间、所述USBKEY安全存储柜内部均使用密文加MAC的方式进行数据传输;使用国密算法对所述数据传输进行加解密。Furthermore, the data transmission between the USBKEY secure storage cabinet and the control server, between the control server and other peripheral systems, and inside the USBKEY secure storage cabinet uses ciphertext plus MAC; the national secret algorithm is used. Encrypt and decrypt the data transmission.

本发明的有益效果为:本发明的技术方案,给出了一种具有加解密功能的USBKEY安全存储柜装置及其应用方法,所述装置及方法通过设置具有加解密功能的安全存储柜以及对应的控制服务器,将USBKEY有效的存储管理,同时通过建立双向认证机制以及使用密文进行数据通信提高了USBKEY的安全性;实现了USBKEY资产自动化、定位化管理,提升USBKEY的管理水平。The beneficial effects of the present invention are: the technical solution of the present invention provides a USBKEY safe storage cabinet device with encryption and decryption functions and its application method. The device and method are provided with a safe storage cabinet with encryption and decryption functions and corresponding The control server effectively stores and manages USBKEY, and at the same time improves the security of USBKEY by establishing a two-way authentication mechanism and using ciphertext for data communication; it realizes the automated and localized management of USBKEY assets and improves the management level of USBKEY.

附图说明Description of the drawings

通过参考下面的附图,可以更为完整地理解本发明的示例性实施方式:A more complete understanding of exemplary embodiments of the invention may be obtained by reference to the following drawings:

图1为本发明具体实施方式的一种具有加解密功能的USBKEY安全存储柜装置的结构图;Figure 1 is a structural diagram of a USBKEY secure storage cabinet device with encryption and decryption functions according to a specific embodiment of the present invention;

图2为本发明具体实施方式的抽屉子单元的结构示意图;Figure 2 is a schematic structural diagram of a drawer subunit according to a specific embodiment of the present invention;

图3为本发明具体实施方式的抽屉子单元的机械结构图;Figure 3 is a mechanical structural diagram of a drawer subunit according to a specific embodiment of the present invention;

图4为本发明具体实施方式的一种应用具有加解密功能的USBKEY安全存储柜进行安全存储的方法的流程图。Figure 4 is a flow chart of a method for secure storage using a USBKEY secure storage cabinet with encryption and decryption functions according to a specific embodiment of the present invention.

具体实施方式Detailed ways

现在参考附图介绍本发明的示例性实施方式,然而,本发明可以用许多不同的形式来实施,并且不局限于此处描述的实施例,提供这些实施例是为了详尽地且完全地公开本发明,并且向所属技术领域的技术人员充分传达本发明的范围。对于表示在附图中的示例性实施方式中的术语并不是对本发明的限定。在附图中,相同的单元/元件使用相同的附图标记。Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings. However, the present invention may be embodied in many different forms and is not limited to the embodiments described herein. These embodiments are provided so that this disclosure will be thorough and complete. invention, and fully convey the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments represented in the drawings does not limit the invention. In the drawings, identical units/elements use the same reference numerals.

除非另有说明,此处使用的术语(包括科技术语)对所属技术领域的技术人员具有通常的理解含义。另外,可以理解的是,以通常使用的词典限定的术语,应当被理解为与其相关领域的语境具有一致的含义,而不应该被理解为理想化的或过于正式的意义。Unless otherwise defined, the terms (including scientific and technical terms) used herein have the commonly understood meaning to one of ordinary skill in the art. In addition, it is understood that terms defined in commonly used dictionaries should be understood to have consistent meanings in the context of their relevant fields and should not be understood as having an idealized or overly formal meaning.

图1为本发明具体实施方式的一种具有加解密功能的USBKEY安全存储柜装置的结构图;所述装置通过设置具有加解密功能的安全存储柜以及对应的控制服务器,将USBKEY有序的存储管理,同时通过建立双向认证机制以及使用密文进行数据通信提高了USBKEY的安全性;所述一种具有加解密功能的USBKEY安全存储柜装置包括:Figure 1 is a structural diagram of a USBKEY secure storage cabinet device with encryption and decryption functions according to a specific embodiment of the present invention; the device stores USBKEY in an orderly manner by providing a secure storage cabinet with encryption and decryption functions and a corresponding control server. Management, while improving the security of USBKEY by establishing a two-way authentication mechanism and using ciphertext for data communication; the USBKEY secure storage cabinet device with encryption and decryption functions includes:

USBKEY安全存储柜110以及控制服务器120;USBKEY secure storage cabinet 110 and control server 120;

所述USBKEY安全存储柜110包括主控单元111、抽屉单元112、安全单元113以及信息认证单元114;所述USBKEY安全存储柜110用于安全存储USBKEY,所述USBKEY安全存储柜110与控制服务器120进行认证通信并根据接收的加密控制指令完成USBKEY的取出和收还;The USBKEY secure storage cabinet 110 includes a main control unit 111, a drawer unit 112, a security unit 113 and an information authentication unit 114; the USBKEY secure storage cabinet 110 is used to securely store USBKEY, and the USBKEY secure storage cabinet 110 and the control server 120 Carry out authentication communication and complete the removal and return of USBKEY according to the received encryption control instructions;

所述USBKEY安全存储柜110与所述控制服务器120相互连接,并进行数据通信;所述通信方式包括USB数据线连接;The USBKEY safety storage cabinet 110 and the control server 120 are connected to each other and perform data communication; the communication method includes USB data line connection;

所述主控单元111用于接收控制服务器120发送的双向认证请求,并将所述双向认证请求发送至信息认证单元;所述主控单元111用于接收控制服务器120发送的加密的控制指令,并根据所述控制指令生成相应的操作指令与所述USBKEY安全存储柜110的其他单元进行数据传输;The main control unit 111 is used to receive the two-way authentication request sent by the control server 120, and send the two-way authentication request to the information authentication unit; the main control unit 111 is used to receive the encrypted control instruction sent by the control server 120, And generate corresponding operation instructions according to the control instructions for data transmission with other units of the USBKEY secure storage cabinet 110;

所述抽屉单元112包括N个抽屉子单元,如图2所示,所述N个抽屉子单元中的每一个包括CPU模块201、抽屉机械结构202以及抽屉安全模块203,所述CPU模块201用于接收主控单元111发送的加密的抽屉操作指令,通过所述抽屉安全模块203进行解密确认后,将相应的抽屉执行指令处理后发送至抽屉机械结构202;所述CPU模块201用于通过所述抽屉安全模块203与主控模块111建立双向认证;所述CPU模块201包括USB接口,所述USBKEY在抽屉子单元内通过与所述USB接口插接固定并进行数据通信;The drawer unit 112 includes N drawer sub-units. As shown in Figure 2, each of the N drawer sub-units includes a CPU module 201, a drawer mechanical structure 202 and a drawer safety module 203. The CPU module 201 uses After receiving the encrypted drawer operation command sent by the main control unit 111, after decryption and confirmation by the drawer security module 203, the corresponding drawer execution command is processed and sent to the drawer mechanical structure 202; the CPU module 201 is used to pass the drawer safety module 203. The drawer security module 203 establishes two-way authentication with the main control module 111; the CPU module 201 includes a USB interface, and the USBKEY is plugged and fixed in the drawer sub-unit with the USB interface and performs data communication;

进一步的,所述抽屉单元的每一个抽屉子单元与主控单元相连接并进行数据通信;Further, each drawer sub-unit of the drawer unit is connected to the main control unit and performs data communication;

进一步的,所述每个抽屉子单元的抽屉机械结构202包括抽屉壳体、电子锁、位置传感器、齿轮条、弹簧、活动套管以及导轨;所述位置传感器用于感应抽屉壳体是否关闭到位,当所述位置传感器感应抽屉壳体已关闭到位时所述电子锁自动上锁;所述电子锁用于根据CPU模块指令进行开锁,开锁时,所述抽屉壳体通过所述弹簧的预紧力弹出,并通过齿轮条、活动套管和导轨组成的减速部件达到阻尼效果;Further, the drawer mechanical structure 202 of each drawer subunit includes a drawer shell, an electronic lock, a position sensor, a gear rack, a spring, a movable sleeve and a guide rail; the position sensor is used to sense whether the drawer shell is closed in place. , when the position sensor senses that the drawer shell has been closed in place, the electronic lock automatically locks; the electronic lock is used to unlock according to the instructions of the CPU module. When unlocking, the drawer shell is pre-tightened by the spring The force pops out, and the damping effect is achieved through the deceleration component composed of gear rack, movable sleeve and guide rail;

进一步的,图3为一个抽屉子单元的机械结构图,所述每一个抽屉子单元可以单独拆卸组装,所述每个抽屉子单元的抽屉壳体内部两侧设有支架,用于支撑抽屉;所述电子锁固定在所述抽屉壳体的底部内侧;所述弹簧、齿轮条、活动套管和导轨固定在抽屉壳体的底部;Further, Figure 3 is a mechanical structural diagram of a drawer sub-unit. Each drawer sub-unit can be disassembled and assembled separately. Each drawer sub-unit is provided with brackets on both sides of the drawer housing to support the drawer; The electronic lock is fixed on the inside of the bottom of the drawer housing; the spring, gear rack, movable sleeve and guide rail are fixed on the bottom of the drawer housing;

所述安全单元113包括内置多种国密算法的密码芯片;所述安全单元113用于对主控单元111接收的加密控制指令进行解密,并对主控单元111生成的各操作指令进行加密;The security unit 113 includes a cryptographic chip with built-in multiple national secret algorithms; the security unit 113 is used to decrypt the encrypted control instructions received by the main control unit 111, and encrypt each operation instruction generated by the main control unit 111;

进一步的,所述安全单元113与主控单元111相连接并进行数据通信;Further, the security unit 113 is connected to the main control unit 111 and performs data communication;

所述信息认证单元114用于接收经主控单元111传输的双向认证请求,并根据所述双向认证请求进行安全认证,并将认证结果发送至主控单元111;所述信息认证单元114用于根据主控单元111指令生成主控单元111与抽屉单元112间以及主控单元111与控制服务器120间的双向认证请求。The information authentication unit 114 is configured to receive the two-way authentication request transmitted by the main control unit 111, perform security authentication according to the two-way authentication request, and send the authentication result to the main control unit 111; the information authentication unit 114 is used to Bidirectional authentication requests between the main control unit 111 and the drawer unit 112 and between the main control unit 111 and the control server 120 are generated according to the instructions of the main control unit 111 .

进一步的所述信息认证单元114与主控单元111相连接并进行数据通信;所述信息认证单元114用于对USBKEY的签名信息进行验签;若验签不通过,则将验签不通过信息发送给主控单元111。Further, the information authentication unit 114 is connected to the main control unit 111 and performs data communication; the information authentication unit 114 is used to verify the signature information of USBKEY; if the signature verification fails, the signature verification failure information is Sent to main control unit 111.

进一步的,所述USBKEY安全存储柜110还包括电子封印单元115、USBKEY取还单元116、数据存储单元117以及电源单元118;Further, the USBKEY safe storage cabinet 110 also includes an electronic seal unit 115, a USBKEY retrieval unit 116, a data storage unit 117 and a power supply unit 118;

所述电子封印单元115包括基于国密算法的密码芯片,所述电子封印单元115用于存储所述USBKEY安全存储柜110设备信息,所述设备信息包括设备唯一编号以及设备用途;The electronic seal unit 115 includes a cryptographic chip based on the national secret algorithm. The electronic seal unit 115 is used to store device information of the USBKEY secure storage cabinet 110. The device information includes a unique device number and device usage;

所述电源单元118用于对USBKEY安全存储柜110供电,所述电源单元118包括一路主供电AC-DC模块以及一路备用AC-DC模块,两路AC-DC模块相互隔离;The power supply unit 118 is used to power the USBKEY safety storage cabinet 110. The power supply unit 118 includes a main power supply AC-DC module and a backup AC-DC module. The two AC-DC modules are isolated from each other;

所述数据存储单元117用于存储操作员基本信息,并存储每个抽屉单元112存储的USBKEY信息;所述USBKEY信息包括USBKEY编号以及USBKEY状态信息;The data storage unit 117 is used to store the operator's basic information and store the USBKEY information stored in each drawer unit 112; the USBKEY information includes USBKEY number and USBKEY status information;

所述USBKEY取还单元116用于根据主控单元111的操作指令判断所述抽屉单元112的各子单元反馈状态是否正确,所述USBKEY取还单元116用于确认还USBKEY的时效是否异常,并对异常状态反馈给主控单元111。The USBKEY retrieval unit 116 is used to determine whether the feedback status of each sub-unit of the drawer unit 112 is correct according to the operating instructions of the main control unit 111. The USBKEY retrieval unit 116 is used to confirm whether the timeliness of returning the USBKEY is abnormal, and Abnormal status is fed back to the main control unit 111.

进一步的,所述电子封印单元115、USBKEY取还单元116、数据存储单元117以及电源单元118均与主控单元111相连接并进行数据通信;Further, the electronic seal unit 115, USBKEY retrieval unit 116, data storage unit 117 and power supply unit 118 are all connected to the main control unit 111 and perform data communication;

所述控制服务器120包括参数录入单元121以及数据通信单元122;所述控制服务器120用于与USBKEY安全存储柜110进行认证通信并向USBKEY安全存储柜110发送控制指令;The control server 120 includes a parameter entry unit 121 and a data communication unit 122; the control server 120 is used to perform authentication communication with the USBKEY secure storage cabinet 110 and send control instructions to the USBKEY secure storage cabinet 110;

所述参数录入单元121用于录入操作员基本信息以及包括USBKEY时效的参数;所述参数录入单元121根据操作员录入的信息生成控制指令;所述操作员基本信息包括操作员编号及操作员密码;The parameter entry unit 121 is used to enter the operator's basic information and parameters including USBKEY aging; the parameter entry unit 121 generates control instructions according to the information entered by the operator; the operator's basic information includes the operator number and operator password ;

所述数据通信单元122用于与USBKEY安全存储柜110建立双向认证;所述数据通信单元122对所述参数录入单元121生成的控制指令进行加密,并传送至所述USBKEY安全存储柜110。The data communication unit 122 is used to establish two-way authentication with the USBKEY secure storage cabinet 110; the data communication unit 122 encrypts the control instructions generated by the parameter entry unit 121 and transmits them to the USBKEY secure storage cabinet 110.

进一步的,所述控制服务器120还包括参数设置单元123以及控制逻辑单元124;Further, the control server 120 also includes a parameter setting unit 123 and a control logic unit 124;

所述参数设置单元123用于设置操作员基本信息以及USBKEY安全存储柜110设备信息;所述参数设置单元123用于对USBKEY信息进行更新;The parameter setting unit 123 is used to set the operator's basic information and the USBKEY secure storage cabinet 110 device information; the parameter setting unit 123 is used to update the USBKEY information;

所述控制逻辑单元124用于根据所述抽屉单元112的使用状态、USBKEY验证状态以及控制指令设置控制抽屉单元112的预设规则。The control logic unit 124 is configured to set preset rules for controlling the drawer unit 112 according to the usage status of the drawer unit 112, the USBKEY verification status, and control instructions.

进一步的,所述装置还包括多个附属控制服务器,所述附属控制服务器包括附属参数录入单元,所述附属参数录入单元用于录入操作员基本信息以及包括USBKEY时效的参数;所述参数录入单元根据操作员指令生成控制指令;所述附属控制服务器与所述控制服务器120通信,并将所述操作员基本信息、参数及控制指令发送至所述控制服务器120。Further, the device further includes a plurality of auxiliary control servers, and the auxiliary control servers include an auxiliary parameter entry unit. The auxiliary parameter entry unit is used to enter basic operator information and parameters including USBKEY aging; the parameter entry unit Generate control instructions according to operator instructions; the affiliated control server communicates with the control server 120 and sends the operator's basic information, parameters and control instructions to the control server 120 .

进一步的,所述USBKEY安全存储柜110与所述控制服务器120间、所述控制服务器120与其他外设系统间、所述USBKEY安全存储柜110内部均使用密文加MAC的方式进行数据传输。Furthermore, the data transmission between the USBKEY secure storage cabinet 110 and the control server 120, between the control server 120 and other peripheral systems, and inside the USBKEY secure storage cabinet 110 uses ciphertext plus MAC for data transmission.

进一步的,所述主控单元111包括主控CPU,所述各抽屉子单元的CPU模块包括抽屉CPU;所述主控CPU以及各抽屉CPU均为高性能系列32位CORTEX-M3核处理器。Further, the main control unit 111 includes a main control CPU, and the CPU modules of each drawer sub-unit include a drawer CPU; the main control CPU and each drawer CPU are high-performance series 32-bit CORTEX-M3 core processors.

图4为本发明具体实施方式的一种应用具有加解密功能的USBKEY安全存储柜进行安全存储的方法的流程图;如图4所示,所示方法包括:Figure 4 is a flow chart of a method for secure storage using a USBKEY secure storage cabinet with encryption and decryption functions according to a specific embodiment of the present invention; as shown in Figure 4, the method includes:

步骤410,控制服务器接收录入指令后与USBKEY安全存储柜建立双向认证;Step 410: After receiving the input command, the control server establishes two-way authentication with the USBKEY secure storage cabinet;

步骤420,认证成功后,所述控制服务器向USBKEY安全存储柜发送加密的控制指令,所述控制指令包括操作员基本信息以及USBKEY时效参数;Step 420: After successful authentication, the control server sends encrypted control instructions to the USBKEY secure storage cabinet. The control instructions include the operator's basic information and USBKEY aging parameters;

步骤430,所述USBKEY安全存储柜的安全单元对所述加密的控制指令进行解密验证,并将验证通过的控制指令发送至所述USBKEY安全存储柜的主控单元;Step 430: The security unit of the USBKEY secure storage cabinet decrypts and verifies the encrypted control instructions, and sends the verified control instructions to the main control unit of the USBKEY secure storage cabinet;

步骤440,所述主控单元根据所述控制指令生成操作指令并将所述操作指令发送至抽屉单元;Step 440, the main control unit generates an operation instruction according to the control instruction and sends the operation instruction to the drawer unit;

步骤450,抽屉单元按所述操作指令进行USBKEY的取还。Step 450: The drawer unit retrieves and returns the USBKEY according to the operation instructions.

进一步的,在所述主控单元将操作指令发送至所述抽屉单元前,所述方法还包括:Further, before the main control unit sends the operation instruction to the drawer unit, the method also includes:

所述主控单元通过所述信息认证单元与所述抽屉单元的抽屉安全模块建立双向认证,待认证通过后进行数据传输。The main control unit establishes bidirectional authentication with the drawer security module of the drawer unit through the information authentication unit, and performs data transmission after the authentication is passed.

进一步的,所述主控单元定时查询所述抽屉单元当前各抽屉子单元反馈状态,并向控制服务器上传操作日志;所述反馈状态包括所述抽屉子单元是否正存储有USBKEY。Further, the main control unit regularly queries the current feedback status of each drawer sub-unit of the drawer unit and uploads an operation log to the control server; the feedback status includes whether the drawer sub-unit is storing USBKEY.

进一步的,所述方法还包括:Further, the method also includes:

附属控制服务器接收录入指令后生成认证指令,并将所述认证指令发送至控制服务器;The affiliated control server generates an authentication instruction after receiving the input instruction, and sends the authentication instruction to the control server;

所述控制服务器根据接收的认证指令与USBKEY安全存储柜建立双向认证;The control server establishes two-way authentication with the USBKEY secure storage cabinet based on the received authentication instructions;

认证通过后,所述附属控制服务器将根据录入指令生成的控制指令发送至控制服务器,并由所述控制服务器对所述控制指令进行加密。After the authentication is passed, the affiliated control server sends the control instruction generated according to the input instruction to the control server, and the control server encrypts the control instruction.

进一步的,所述操作指令为还USBKEY时,所述抽屉单元根据操作指令打开对应的抽屉子单元,由操作员将USBKEY插入抽屉子单元的USB接口中;Further, when the operation instruction is to return the USBKEY, the drawer unit opens the corresponding drawer sub-unit according to the operation instruction, and the operator inserts the USBKEY into the USB interface of the drawer sub-unit;

所述信息认证单元对所述USBKEY的签名信息进行验证;The information authentication unit verifies the signature information of the USBKEY;

所述USBKEY取还单元对所述USBKEY的时效是否异常进行验证;The USBKEY retrieval unit verifies whether the aging of the USBKEY is abnormal;

若均验证通过,则由操作员关闭对应抽屉子单元,所述抽屉子单元自动上锁;If all verifications pass, the operator closes the corresponding drawer sub-unit, and the drawer sub-unit is automatically locked;

若有验证不通过,所述USBKEY安全存储柜进行异常提醒。If the verification fails, the USBKEY safe storage cabinet will issue an abnormality reminder.

进一步的,所述USBKEY安全存储柜与所述控制服务器间、所述控制服务器与其他外设系统间、所述USBKEY安全存储柜内部均使用密文加MAC的方式进行数据传输;使用国密算法对所述数据传输进行加解密。Furthermore, the data transmission between the USBKEY secure storage cabinet and the control server, between the control server and other peripheral systems, and inside the USBKEY secure storage cabinet uses ciphertext plus MAC; the national secret algorithm is used. Encrypt and decrypt the data transmission.

在此处所提供的说明书中,说明了大量具体细节。然而,能够理解,本公开的实施例可以在没有这些具体细节的情况下实践。在一些实例中,并未详细示出公知的方法、结构和技术,以便不模糊对本说明书的理解。In the instructions provided here, a number of specific details are described. However, it is understood that embodiments of the present disclosure may be practiced without these specific details. In some instances, well-known methods, structures, and techniques have not been shown in detail so as not to obscure the understanding of this description.

本领域那些技术人员可以理解,可以对实施例中的设备中的模块进行自适应性地改变并且把它们设置在与该实施例不同的一个或多个设备中。可以把实施例中的模块或单元或组件组合成一个模块或单元或组件,以及此外可以把它们分成多个子模块或子单元或子组件。除了这样的特征和/或过程或者单元中的至少一些是相互排斥之外,可以采用任何组合对本说明书(包括伴随的权利要求、摘要和附图)中公开的所有特征以及如此公开的任何方法或者设备的所有过程或单元进行组合。除非另外明确陈述,本说明书(包括伴随的权利要求、摘要和附图)中公开的每个特征可以由提供相同、等同或相似目的的替代特征来代替。本说明书中涉及到的步骤编号仅用于区别各步骤,而并不用于限制各步骤之间的时间或逻辑的关系,除非文中有明确的限定,否则各个步骤之间的关系包括各种可能的情况。Those skilled in the art will understand that modules in the devices in the embodiment can be adaptively changed and arranged in one or more devices different from that in the embodiment. The modules or units or components in the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All features disclosed in this specification (including accompanying claims, abstract and drawings) and any method so disclosed may be employed in any combination, except that at least some of such features and/or processes or units are mutually exclusive. All processes or units of the equipment are combined. Each feature disclosed in this specification (including accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. The step numbers involved in this manual are only used to distinguish each step, and are not used to limit the time or logical relationship between the steps. Unless there is an explicit limit in the text, the relationship between each step includes various possible relationships. Condition.

此外,本领域的技术人员能够理解,尽管在此所述的一些实施例包括其它实施例中所包括的某些特征而不是其它特征,但是不同实施例的特征的组合意味着处于本公开的范围之内并且形成不同的实施例。例如,在权利要求书中所要求保护的实施例的任意之一都可以以任意的组合方式来使用。Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the present disclosure. within and form different embodiments. For example, any of the embodiments claimed in the claims may be used in any combination.

本公开的各个部件实施例可以以硬件实现,或者以在一个或者多个处理器上运行的软件模块实现,或者以它们的组合实现。本公开还可以实现为用于执行这里所描述的方法的一部分或者全部的设备或者系统程序(例如,计算机程序和计算机程序产品)。这样的实现本公开的程序可以存储在计算机可读介质上,或者可以具有一个或者多个信号的形式。这样的信号可以从因特网网站上下载得到,或者在载体信号上提供,或者以任何其他形式提供。Various component embodiments of the present disclosure may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. The present disclosure may also be implemented as a device or system program (eg, computer program and computer program product) for performing part or all of the methods described herein. Such a program implementing the present disclosure may be stored on a computer-readable medium, or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, or provided on a carrier signal, or in any other form.

应该注意的是上述实施例对本公开进行说明而不是对本公开进行限制,并且本领域技术人员在不脱离所附权利要求的范围的情况下可设计出替换实施例。单词“包含”不排除存在未列在权利要求中的元件或步骤。位于元件之前的单词“一”或“一个”不排除存在多个这样的元件。本公开可以借助于包括有若干不同元件的硬件以及借助于适当编程的计算机来实现。在列举了若干系统的单元权利要求中,这些系统中的若干个可以是通过同一个硬件项来具体体现。It should be noted that the above-mentioned embodiments illustrate rather than limit the disclosure, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present disclosure may be implemented by means of hardware comprising several different elements and by means of a suitably programmed computer. In the element claim enumerating several systems, several of these systems can be embodied by the same item of hardware.

以上所述仅是本公开的具体实施方式,应当指出的是,对于本领域的普通技术人员来说,在不脱离本公开精神的前提下,可以作出若干改进、修改、和变形,这些改进、修改、和变形都应视为落在本申请的保护范围内。The above are only specific embodiments of the present disclosure. It should be noted that those of ordinary skill in the art can make several improvements, modifications, and deformations without departing from the spirit of the present disclosure. These improvements, modifications, and variations can be made without departing from the spirit of the present disclosure. Modifications and transformations shall be deemed to fall within the protection scope of this application.

Claims (14)

1. The device comprises a USBKEY safe storage cabinet and a control server;
the USBKEY safe storage cabinet comprises a main control unit, a drawer unit, a safety unit and an information authentication unit; the USBKEY safe storage cabinet is used for safely storing the USBKEY, performs authentication communication with the control server and completes the taking out and returning of the USBKEY according to the received encryption control instruction;
the main control unit is used for receiving a bidirectional authentication request sent by the control server and sending the bidirectional authentication request to the information authentication unit; the main control unit is used for receiving the encrypted control instruction sent by the control server, generating a corresponding operation instruction according to the control instruction, and carrying out data transmission with other units of the USBKEY safe storage cabinet;
the drawer unit comprises N drawer subunits, each of the N drawer subunits comprises a CPU module, a drawer mechanical structure and a drawer safety module, the CPU module is used for receiving encrypted drawer operation instructions sent by the main control unit, and after decryption confirmation is carried out through the drawer safety module, the corresponding drawer execution instructions are processed and then sent to the drawer mechanical structure; the CPU module is used for establishing bidirectional authentication with the main control module through the drawer security module; the CPU module comprises a USB interface, and the USBKEY is fixed in the drawer subunit through being inserted into the USB interface and performs data communication; the drawer mechanical structure of each drawer subunit comprises a drawer shell, an electronic lock, a position sensor, a gear bar, a spring, a movable sleeve and a guide rail; the position sensor is used for sensing whether the drawer shell is closed in place, and the electronic lock is automatically locked when the position sensor senses that the drawer shell is closed in place; the electronic lock is used for unlocking according to a CPU module instruction, when the electronic lock is unlocked, the drawer shell is ejected out through the pretightening force of the spring, and a damping effect is achieved through a speed reduction part consisting of a gear bar, a movable sleeve and a guide rail;
the safety unit comprises a cipher chip with a plurality of built-in national cipher algorithms; the security unit is used for decrypting the encryption control instruction received by the main control unit and encrypting each operation instruction generated by the main control unit;
the information authentication unit is used for receiving the bidirectional authentication request transmitted by the main control unit, carrying out security authentication according to the bidirectional authentication request, and sending an authentication result to the main control unit; the information authentication unit is used for generating bidirectional authentication requests between the main control unit and the drawer unit and between the main control unit and the control server according to the main control unit instruction;
the control server comprises a parameter input unit and a data communication unit; the control server is used for carrying out authentication communication with the USBKEY safe storage cabinet and sending a control instruction to the USBKEY safe storage cabinet;
the parameter input unit is used for inputting basic information of an operator and parameters including aging of the USBKEY; the parameter input unit generates a control instruction according to information input by an operator; the basic operator information comprises an operator number and an operator password;
the data communication unit is used for establishing bidirectional authentication with the USBKEY safe storage cabinet; and the data communication unit encrypts the control instruction generated by the parameter input unit and transmits the control instruction to the USBKEY safe storage cabinet.
2. The device according to claim 1, wherein the USBKEY safe storage cabinet further comprises an electronic seal unit, a USBKEY retrieval unit, a data storage unit and a power supply unit;
the electronic seal unit comprises a cryptographic chip based on a national seal algorithm and is used for storing the device information of the USBKEY safe storage cabinet, wherein the device information comprises a device unique number and a device purpose;
the power supply unit is used for supplying power to the USBKEY safe storage cabinet and comprises a main power supply AC-DC module and a standby AC-DC module, wherein the two AC-DC modules are mutually isolated;
the data storage unit is used for storing basic information of operators and storing USBKEY information stored in each drawer unit and operation logs of the USBKEY safe storage cabinet; the USBKEY information comprises a USBKEY number and USBKEY state information;
the USBKEY taking and returning unit is used for judging whether the feedback state of each subunit of the drawer unit is correct according to the operation instruction of the main control unit, and the USBKEY taking and returning unit is used for confirming whether the aging of the USBKEY is abnormal or not and feeding back the abnormal state to the main control unit.
3. The apparatus according to claim 2, wherein: the control server also comprises a parameter setting unit and a control logic unit;
the parameter setting unit is used for setting basic information of an operator and equipment information of the USBKEY safe storage cabinet; the parameter setting unit is used for updating USBKEY information;
the control logic unit is used for setting a preset rule for controlling the drawer unit according to the use state of the drawer unit, the USBKEY verification state and the control instruction.
4. The apparatus according to claim 1, wherein: brackets are arranged on two sides of the interior of the drawer shell of each drawer subunit and used for supporting drawers; the electronic lock is fixed on the inner side of the bottom of the drawer shell; the spring, the gear strip, the movable sleeve and the guide rail are fixed at the bottom of the drawer shell.
5. The apparatus according to claim 1, further comprising a plurality of auxiliary control servers, the auxiliary control servers comprising an auxiliary parameter entry unit for entering operator basic information and parameters including USBKEY aging; the parameter input unit generates a control instruction according to an operator instruction; the auxiliary control server communicates with the control server and transmits the operator basic information, parameters and control instructions to the control server.
6. The apparatus according to claim 1, wherein: the information authentication unit is used for checking signature information of the USBKEY; if the signature verification is not passed, the signature verification non-passing information is sent to the main control unit.
7. The apparatus according to claim 1, wherein: and data transmission is carried out between the USBKEY safe storage cabinet and the control server, between the control server and other peripheral systems and in the USBKEY safe storage cabinet by using a ciphertext and MAC (media access control) mode.
8. The apparatus according to claim 1, wherein: the main control unit comprises a main control CPU, and the CPU module of each drawer subunit comprises a drawer CPU; the main control CPU and each drawer CPU are high-performance serial 32-bit CORTEX-M3 core processors.
9. A method of using the apparatus of claim 1 for secure storage of a usb key, the method comprising:
after receiving the input command, the control server establishes bidirectional authentication with the USBKEY safe storage cabinet;
after successful authentication, the control server sends an encrypted control instruction to the USBKEY safe storage cabinet, wherein the control instruction comprises basic information of an operator and aging parameters of the USBKEY;
the safety unit of the USBKEY safety storage cabinet decrypts and verifies the encrypted control instruction, and sends the verified control instruction to the main control unit of the USBKEY safety storage cabinet;
the main control unit generates an operation instruction according to the control instruction and sends the operation instruction to the drawer unit;
and the drawer unit fetches and returns the USBKEY according to the operation instruction.
10. The method according to claim 9, wherein: before the main control unit sends the operation instruction to the drawer unit, the method further comprises:
and the main control unit establishes bidirectional authentication with the drawer safety module of the drawer unit through the information authentication unit, and performs data transmission after the authentication is passed.
11. The method according to claim 9, wherein: the main control unit queries the feedback state of each drawer subunit of the drawer unit at regular time and uploads an operation log to the control server; the feedback status includes whether the drawer subunit is storing a USBKEY.
12. The method according to claim 9, wherein the method further comprises:
the auxiliary control server receives the input command, generates an authentication command and sends the authentication command to the control server;
the control server establishes bidirectional authentication with the USBKEY safe storage cabinet according to the received authentication instruction;
after the authentication is passed, the auxiliary control server sends a control instruction generated according to the input instruction to the control server, and the control server encrypts the control instruction.
13. The method according to claim 9, wherein:
when the operation instruction is USBKEY, the drawer unit opens the corresponding drawer subunit according to the operation instruction, and an operator inserts the USBKEY into a USB interface of the drawer subunit;
the information authentication unit verifies the signature information of the USBKEY;
the USBKEY taking and returning unit verifies whether the aging of the USBKEY is abnormal or not;
if both the verification passes, closing the corresponding drawer subunit by an operator, wherein the drawer subunit is automatically locked;
if the verification is not passed, the USBKEY safe storage cabinet carries out abnormal reminding.
14. The method according to claim 9, wherein: the data transmission is carried out between the USBKEY safe storage cabinet and the control server, between the control server and other peripheral systems and in the USBKEY safe storage cabinet by using a ciphertext and MAC (media access control) mode; and encrypting and decrypting the data transmission by using a national encryption algorithm.
CN201810145686.1A 2018-02-12 2018-02-12 USBKEY safe storage cabinet with encryption and decryption functions and application method thereof Active CN108257319B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810145686.1A CN108257319B (en) 2018-02-12 2018-02-12 USBKEY safe storage cabinet with encryption and decryption functions and application method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810145686.1A CN108257319B (en) 2018-02-12 2018-02-12 USBKEY safe storage cabinet with encryption and decryption functions and application method thereof

Publications (2)

Publication Number Publication Date
CN108257319A CN108257319A (en) 2018-07-06
CN108257319B true CN108257319B (en) 2023-10-31

Family

ID=62745151

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810145686.1A Active CN108257319B (en) 2018-02-12 2018-02-12 USBKEY safe storage cabinet with encryption and decryption functions and application method thereof

Country Status (1)

Country Link
CN (1) CN108257319B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2606201B (en) * 2021-04-29 2025-02-26 Medication Support Ltd Lockable cabinet

Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB8828988D0 (en) * 1987-12-18 1989-01-25 Pitney Bowes Inc Document authentication system
US4853961A (en) * 1987-12-18 1989-08-01 Pitney Bowes Inc. Reliable document authentication system
DE10025052A1 (en) * 2000-05-23 2002-01-03 Kaba Gallenschuetz Gmbh Turnstile, especially for large functions; has guide element on opposite side of grid rods forming barrier and having door that can be opened to allow people through passage
JP2002276222A (en) * 2001-01-12 2002-09-25 Nippon Telegr & Teleph Corp <Ntt> Biological information authentication cabinet and locking and unlocking method
CN101178802A (en) * 2006-11-08 2008-05-14 李东声 Dynamic password realization method in network bank trading and electronic signing device
CN101183456A (en) * 2007-12-18 2008-05-21 中国工商银行股份有限公司 Encryption device, system and method for encryption, identification using the encryption device
CN103117853A (en) * 2011-11-16 2013-05-22 航天信息股份有限公司 Account input and authentication method of safe storing device
CN202970174U (en) * 2012-06-01 2013-06-05 杭州双华智能家居有限公司 Remote wake-up smart lock system with low power consumption
CN103297413A (en) * 2012-01-28 2013-09-11 查平 Sharable online file secure safe
CN104113437A (en) * 2014-07-12 2014-10-22 浙商银行股份有限公司 An account transfer machine remote management method based on dynamic passwords
CN105138891A (en) * 2015-07-30 2015-12-09 山东超越数控电子有限公司 USBKey based drive-free encryption and decryption certification communication circuit and method
CN106101159A (en) * 2016-08-27 2016-11-09 谢志豪 Dynamic cipher generating method, dynamic cipher authentication method and device
CN205713658U (en) * 2016-03-15 2016-11-23 江苏群杰软件有限公司 Seal Internet of Things and intelligent management system
CN106683286A (en) * 2016-12-26 2017-05-17 上海传英信息技术有限公司 Intelligent article storage method and intelligent storage system
CN106789024A (en) * 2016-12-30 2017-05-31 深圳市文鼎创数据科技有限公司 A kind of remote de-locking method, device and system
CN106973056A (en) * 2017-03-30 2017-07-21 中国电力科学研究院 The safety chip and its encryption method of a kind of object-oriented
CN206574191U (en) * 2017-03-17 2017-10-20 桂林电子科技大学 A kind of double-encryption device of locker
CN107426155A (en) * 2017-04-17 2017-12-01 浙江德塔森特数据技术有限公司 A kind of method for unlocking of integrated cabinet
CN107633588A (en) * 2017-10-24 2018-01-26 北京金储自动化技术有限公司 Control method, system, lockset, electronic equipment and readable storage medium storing program for executing
CN107672931A (en) * 2017-09-20 2018-02-09 深圳怡化电脑股份有限公司 A kind of cash box, financial self-service equipment and cassette management system

Patent Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB8828988D0 (en) * 1987-12-18 1989-01-25 Pitney Bowes Inc Document authentication system
US4853961A (en) * 1987-12-18 1989-08-01 Pitney Bowes Inc. Reliable document authentication system
DE10025052A1 (en) * 2000-05-23 2002-01-03 Kaba Gallenschuetz Gmbh Turnstile, especially for large functions; has guide element on opposite side of grid rods forming barrier and having door that can be opened to allow people through passage
JP2002276222A (en) * 2001-01-12 2002-09-25 Nippon Telegr & Teleph Corp <Ntt> Biological information authentication cabinet and locking and unlocking method
CN101178802A (en) * 2006-11-08 2008-05-14 李东声 Dynamic password realization method in network bank trading and electronic signing device
CN101183456A (en) * 2007-12-18 2008-05-21 中国工商银行股份有限公司 Encryption device, system and method for encryption, identification using the encryption device
CN103117853A (en) * 2011-11-16 2013-05-22 航天信息股份有限公司 Account input and authentication method of safe storing device
CN103297413A (en) * 2012-01-28 2013-09-11 查平 Sharable online file secure safe
CN202970174U (en) * 2012-06-01 2013-06-05 杭州双华智能家居有限公司 Remote wake-up smart lock system with low power consumption
CN104113437A (en) * 2014-07-12 2014-10-22 浙商银行股份有限公司 An account transfer machine remote management method based on dynamic passwords
CN105138891A (en) * 2015-07-30 2015-12-09 山东超越数控电子有限公司 USBKey based drive-free encryption and decryption certification communication circuit and method
CN205713658U (en) * 2016-03-15 2016-11-23 江苏群杰软件有限公司 Seal Internet of Things and intelligent management system
CN106101159A (en) * 2016-08-27 2016-11-09 谢志豪 Dynamic cipher generating method, dynamic cipher authentication method and device
CN106683286A (en) * 2016-12-26 2017-05-17 上海传英信息技术有限公司 Intelligent article storage method and intelligent storage system
CN106789024A (en) * 2016-12-30 2017-05-31 深圳市文鼎创数据科技有限公司 A kind of remote de-locking method, device and system
CN206574191U (en) * 2017-03-17 2017-10-20 桂林电子科技大学 A kind of double-encryption device of locker
CN106973056A (en) * 2017-03-30 2017-07-21 中国电力科学研究院 The safety chip and its encryption method of a kind of object-oriented
CN107426155A (en) * 2017-04-17 2017-12-01 浙江德塔森特数据技术有限公司 A kind of method for unlocking of integrated cabinet
CN107672931A (en) * 2017-09-20 2018-02-09 深圳怡化电脑股份有限公司 A kind of cash box, financial self-service equipment and cassette management system
CN107633588A (en) * 2017-10-24 2018-01-26 北京金储自动化技术有限公司 Control method, system, lockset, electronic equipment and readable storage medium storing program for executing

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于红外热成像技术的配电柜故障监测与诊断;时誉宁;《中国优秀硕士学位论文全文数据库工程科技Ⅱ辑》;全文 *

Also Published As

Publication number Publication date
CN108257319A (en) 2018-07-06

Similar Documents

Publication Publication Date Title
US11212264B1 (en) Systems and methods for third party data protection
CN101291224B (en) Method and system for processing data in communication system
CN109804374A (en) Digital Right Management based on block chain
US20150120569A1 (en) Virtual currency address security
CN105900375A (en) Efficient methods for protecting identity in authenticated transmissions
US20190370483A1 (en) Data Protection Method and System
CN101483654A (en) Method and system for implementing authentication and data safe transmission
CN107563213A (en) A kind of safe and secret control device of anti-storage device data extraction
CN102457373A (en) Bidirectional verification system and method for handheld device
US11941610B2 (en) Cryptocurrency securing system and method
CN103108028A (en) Cloud computing processing system with security architecture
CN101840478B (en) Password management method
CN105678598A (en) Method and system for issuing online invoice with two-dimension code
CN108882030A (en) A kind of monitor video classification encryption and decryption method and system based on time-domain information
CN108257319B (en) USBKEY safe storage cabinet with encryption and decryption functions and application method thereof
CN112217636A (en) Data processing method and device based on block chain, computer equipment and medium
US11120438B1 (en) Cryptocurrency address security
CN103310159A (en) Method and system for safely taking out electronic file with mobile intelligent terminal
CN106599697A (en) Method and system for safe upgrade of programs in PCI password card
CN111817856B (en) Identity authentication method and system based on zero-knowledge proof and password technology
JPWO2016084822A1 (en) Server system and method for controlling a plurality of service systems
KR102055888B1 (en) Encryption and decryption method for protecting information
CN108304735A (en) A kind of authorization sequence application method, system and delivery of cargo system, application server
CN105897730A (en) User name and password information encryption and verification method
KR102053993B1 (en) Method for Authenticating by using Certificate

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant