阅读说明：本技术 一种基于pki体系的财务人员操作记录黑匣子保存方法 (Financial staff operation record black box storage method based on PKI system ) 是由 张梦禾 于 2021-09-17 设计创作，主要内容包括：本发明涉及黑匣子技术领域,且公开了一种基于PKI体系的财务人员操作记录黑匣子保存方法,包括以下步骤：第一步：通过数据记录系统将数据进行记录,通过数据存储单元将传递的数据进行本地存储,然后再通过数据发送单元将数据发送到虚拟云端进行多次备份存储；第二步：通过数据校对单元在用户进行调取备份数据信息时,数据校对单元会对数据存储单元本地存储和虚拟云端存储的数据信息进行校对检测,如果校对成功则通过数据接收单元将数据整合对应进行接收并通过数据发送单元发送到备份恢复单元；本发明中,备份恢复单元通过设置有身份认证口令将数据接收单元发送的数据包进行加密,在对数据包进行恢复时保证安全性,避免泄露。(The invention relates to the technical field of black boxes, and discloses a financial staff operation record black box storage method based on a PKI system, which comprises the following steps: the first step is as follows: the data recording system records the data, the data storage unit locally stores the transmitted data, and the data sending unit sends the data to the virtual cloud for multiple backup storage; the second step is that: when a user calls backup data information through the data proofreading unit, the data proofreading unit can carry out proofreading detection on the data information stored locally in the data storage unit and stored in the virtual cloud end, and if the proofreading is successful, the data is received in an integrated and corresponding mode through the data receiving unit and is sent to the backup recovery unit through the data sending unit; in the invention, the backup recovery unit encrypts the data packet sent by the data receiving unit by setting the identity authentication password, thereby ensuring the safety and avoiding the leakage when recovering the data packet.)

1. A financial staff operation record black box storage method based on a PKI system is characterized in that: the method comprises the following steps:

the first step is as follows: the data recording system records the data, the data storage unit locally stores the transmitted data, and the data sending unit sends the data to the virtual cloud for multiple backup storage;

the second step is that: when a user calls backup data information through the data proofreading unit, the data proofreading unit can carry out proofreading detection on the data information stored locally in the data storage unit and stored in the virtual cloud end, and if the proofreading is successful, the data is received in an integrated and corresponding mode through the data receiving unit and is sent to the backup recovery unit through the data sending unit;

the third step: and the backup recovery unit encrypts and backups the data packet sent by the data receiving unit again through the identity authentication password.

2. The method as claimed in claim 1, wherein the black box comprises: and in the first step, the data is subjected to cloud end transmission secondary backup storage through a data sending unit.

3. The method as claimed in claim 1, wherein the black box comprises: and in the second step, if the proofreading integration fails, the data is refused to be received.

4. The method as claimed in claim 1, wherein the black box comprises: and in the third step, the backup recovery unit carries out encryption protection on the data through the identity authentication password, so that random recovery leakage is avoided.

5. The method as claimed in claim 1, wherein the black box comprises: the black box comprises a data recording system, a backup recovery unit and an identity authentication password.

6. The method as claimed in claim 1, wherein the black box comprises: the data recording system comprises a working platform, a data storage unit, a data sending unit and a data checking unit, and the backup recovery unit comprises a receiving unit and a virtual cloud.

7. The method as claimed in claim 6, wherein the black box comprises: the output end of the working platform is electrically connected with the input end of the data storage unit, the output end of the data storage unit is electrically connected with the input end of the data sending unit, and the output end of the data checking unit is electrically connected with the input end of the data sending unit.

8. The method as claimed in claim 5, wherein the black box comprises: the identity authentication password comprises a static password and a dynamic password;

static passwords have been used in the past and are based on the principle that the system has an authentication server. The server stores a set of information of each user in advance, namely a user name ID and a password PW, and when the user requires to access the system, the user inputs the user name and the password on the client or the terminal. The system matches the user name and the password input by the user with the user name and password information pair of the legal user stored in the authentication server, if the matching is successful, the user is proved to be the legal user, the user is allowed to access the system resources, otherwise, the user identity is not verified, and the system refuses the user to log in and access. The static password has the advantages of convenient use, simple operation, low cost and high running speed, but has a plurality of potential safety hazards, such as easy stealing, impersonation, snooping and the like;

dynamic passwords are created to address the security concerns that may arise with static passwords. The dynamic password is also called as a one-time password, and a method of using the password once is adopted, so that a user uses the dynamic password plate to generate a dynamic password each time, and only a legal user can use the dynamic token, so that the authentication server can authenticate the user by verifying the password, and the safety of the identity of the user is ensured. The dynamic password is divided into synchronous authentication technology and asynchronous authentication technology, wherein the synchronous authentication technology has two modes of time-based authentication and event-based authentication; asynchronous authentication techniques are then "challenge-response" based authentication techniques. For example, with the time synchronization based authentication technique, if the time of the client and the time of the server are not consistent, the user may not be able to log in the system.

9. The method as claimed in claim 1, wherein the black box comprises: the backup and recovery unit comprises a certification authority CA, a registration authority RA, a digital certificate bank, a key backup and recovery system and a certificate revocation system.

10. The method as claimed in claim 1, wherein the black box comprises: the certification authority CA: it is the issuing organ of digital certificate, also is the core of PKI system, and is the third party organization with authority and fairness. The certification authority CA firstly confirms the identity of an application user applying for a certificate, and then binds a main body of the certificate to be issued with a public key to generate a digital certificate, so that the application user establishes a corresponding relationship with a pair of the public key and a private key;

registration authority RA: the system is used for receiving the application of the user, checking the real identity of the user, and issuing the digital certificate to the user meeting the certificate issuing condition, otherwise, the digital certificate cannot be obtained;

digital certificate library: the issued certificate and the public key are stored in a centralized way, so that a user can conveniently inquire relevant information such as other certificates in a certificate bank. The digital certificate library is stored in a directory server, a relational database and the like. Usually an LDAP directory;

key backup and recovery system: it is the core of the key management system, and if the user carelessly loses the decryption key of the data, the once encrypted data cannot be decrypted. This system can solve such problems. When the digital certificate is generated, the certification authority CA backups the encryption key and stores the encryption key in the digital certificate library, when a user needs to retrieve the key again due to the loss of the key and the like, the application can be made to the certification authority CA, and the CA recovers the key for the user;

certificate revocation system: because the user loses the key or the identity of the user is changed, the certificate exceeds the valid period, the certificate needs to be correspondingly updated, a new certificate is generated, and the original old certificate is revoked. The certificate revocation processing system is an indispensable component in the PKI system, and requires the PKI system to provide a whole set of management mechanism for the certificate revocation system. After the certificate is generated, the PKI system automatically checks whether the certificate exceeds the valid period, automatically updates the certificate every time, and before the certificate expires, the CA starts an updating program to generate a new certificate and then revokes the expired certificate.

Technical Field

The invention relates to the technical field of black boxes, in particular to a PKI (public key infrastructure) -based method for storing a black box for operating records of financial staff.

Background

The black box is a popular name, originates from the aviation field, develops to other vehicles (ships, trains and the like) after the name, refers to a type of equipment which is used for recording real-time operation data of the black box and has high damage resistance, and is commonly used for investigation and analysis of accident causes. In automobiles, people sometimes also refer to the vehicle-mounted driving video recorder as a "black box". And when the data is stored as a file backup inside some electronic devices, the data can also be called as a black box.

Some existing electronic financial equipment in the market at present are provided with black boxes for temporarily backing up and processing data of the electronic equipment, when the traditional electronic equipment is accidentally damaged, the black boxes can restore and export the data after the black boxes are backed up, and the traditional backup data is not encrypted by external instructions and the like, so that external personnel can call the restored data, the data is leaked, and the secrecy is not strict.

Disclosure of Invention

The invention mainly solves the technical problems in the prior art and provides a financial staff operation record black box storage method and a preparation method based on a PKI system.

In order to achieve the purpose, the invention adopts the following technical scheme that the method for storing the black box based on the PKI system for the operation records of the financial staff comprises the following steps:

the first step is as follows: the data recording system records the data, the data storage unit locally stores the transmitted data, and the data sending unit sends the data to the virtual cloud for multiple backup storage;

the second step is that: when a user calls backup data information through the data proofreading unit, the data proofreading unit can carry out proofreading detection on the data information stored locally in the data storage unit and stored in the virtual cloud end, and if the proofreading is successful, the data is received in an integrated and corresponding mode through the data receiving unit and is sent to the backup recovery unit through the data sending unit;

the third step: and the backup recovery unit encrypts and backups the data packet sent by the data receiving unit again through the identity authentication password.

Preferably, in the first step, the data is subjected to cloud-end transmission secondary backup storage through the data sending unit.

Preferably, the second step refuses to receive the data if the collation integration fails.

Preferably, the backup recovery unit in the third step performs encryption protection on the data through the identity authentication password, so as to avoid random recovery leakage.

Preferably, the black box comprises a data recording system, a backup recovery unit and an identity authentication password.

Preferably, the data recording system comprises a working platform, a data storage unit, a data sending unit and a data checking unit, and the backup recovery unit comprises a receiving unit and a virtual cloud.

Preferably, the output end of the working platform is electrically connected with the input end of the data storage unit, the output end of the data storage unit is electrically connected with the input end of the data sending unit, and the output end of the data checking unit is electrically connected with the input end of the data sending unit.

Preferably, the identity authentication password comprises a static password and a dynamic password;

static passwords have been used in the past and are based on the principle that the system has an authentication server. The server stores a set of information of each user in advance, namely a user name ID and a password PW, and when the user requires to access the system, the user inputs the user name and the password on the client or the terminal. The system matches the user name and the password input by the user with the user name and password information pair of the legal user stored in the authentication server, if the matching is successful, the user is proved to be the legal user, the user is allowed to access the system resources, otherwise, the user identity is not verified, and the system refuses the user to log in and access. The static password has the advantages of convenient use, simple operation, low cost and high running speed, but has a plurality of potential safety hazards, such as easy stealing, impersonation, snooping and the like;

dynamic passwords are created to address the security concerns that may arise with static passwords. The dynamic password is also called as a one-time password, and a method of using the password once is adopted, so that a user uses the dynamic password plate to generate a dynamic password each time, and only a legal user can use the dynamic token, so that the authentication server can authenticate the user by verifying the password, and the safety of the identity of the user is ensured. The dynamic password is divided into synchronous authentication technology and asynchronous authentication technology, wherein the synchronous authentication technology has two modes of time-based authentication and event-based authentication; asynchronous authentication techniques are then "challenge-response" based authentication techniques. For example, with the time synchronization based authentication technique, if the time of the client and the time of the server are not consistent, the user may not be able to log in the system.

Preferably, the backup and recovery unit includes a certification authority CA, a registration authority RA, a digital certificate repository, a key backup and recovery system, and a certificate revocation system.

Preferably, the certification authority CA: it is the issuing organ of digital certificate, also is the core of PKI system, and is the third party organization with authority and fairness. The certification authority CA firstly confirms the identity of an application user applying for a certificate, and then binds a main body of the certificate to be issued with a public key to generate a digital certificate, so that the application user establishes a corresponding relationship with a pair of the public key and a private key;

registration authority RA: the system is used for receiving the application of the user, checking the real identity of the user, and issuing the digital certificate to the user meeting the certificate issuing condition, otherwise, the digital certificate cannot be obtained;

digital certificate library: the issued certificate and the public key are stored in a centralized way, so that a user can conveniently inquire relevant information such as other certificates in a certificate bank. The digital certificate library is stored in a directory server, a relational database and the like. Usually an LDAP directory;

key backup and recovery system: it is the core of the key management system, and if the user carelessly loses the decryption key of the data, the once encrypted data cannot be decrypted. This system can solve such problems. When the digital certificate is generated, the certification authority CA backups the encryption key and stores the encryption key in the digital certificate library, when a user needs to retrieve the key again due to the loss of the key and the like, the application can be made to the certification authority CA, and the CA recovers the key for the user;

certificate revocation system: because the user loses the key or the identity of the user is changed, the certificate exceeds the valid period, the certificate needs to be correspondingly updated, a new certificate is generated, and the original old certificate is revoked. The certificate revocation processing system is an indispensable component in the PKI system, and requires the PKI system to provide a whole set of management mechanism for the certificate revocation system. After the certificate is generated, the PKI system automatically checks whether the certificate exceeds the valid period, automatically updates the certificate every time, and before the certificate expires, the CA starts an updating program to generate a new certificate and then revokes the expired certificate.

Advantageous effects

The invention provides a PKI system-based financial staff operation record black box storage method and a preparation method. The method has the following beneficial effects:

(1) according to the financial staff operation record black box storage method based on the PKI system, data are recorded through the data recording system, transmitted data are stored locally through the data storage unit, then the data are sent to the virtual cloud end through the data sending unit to be backed up and stored for multiple times, and data safety is improved.

(2) According to the financial staff operation record black box storage method based on the PKI system, when a user calls backup data information through the data proofreading unit, the data proofreading unit can carry out proofreading detection on the data information stored in the local storage of the data storage unit and stored in the virtual cloud end, if the proofreading is successful, the data are correspondingly received in an integrated mode through the data receiving unit and sent to the backup recovery unit through the data sending unit, and the data backup consistency is improved.

(3) According to the financial staff operation record black box storage method based on the PKI system, the backup recovery unit encrypts and backups the data packet sent by the data receiving unit through the identity authentication password again, and in the third step, the backup recovery unit can encrypt and protect the data through the identity authentication password, so that random recovery leakage is avoided, and the data confidentiality is improved.

(4) The financial staff operation record black box storage method based on the PKI system comprises the steps that an identity authentication password comprises a static password and a dynamic password; the static password has an authentication server for the system. The server stores a group of information of each user in advance, namely a user name ID and a password PW, when the user requires to access the system, the user inputs a user name and a password on a client or a terminal, the dynamic password is also called a one-time password, a method of using the password once is adopted, the user uses the dynamic password plate to generate the dynamic password each time, and only a legal user can use the dynamic token, so the authentication server can authenticate the user by verifying the password, the safety of the user identity is ensured, and the whole confidentiality of backup data is improved.

(5) The black box storage method based on the PKI system comprises a backup recovery unit, a key backup and recovery unit and a certificate revocation system, wherein the backup recovery unit comprises a certification authority CA, a registration authority RA, a digital certificate bank, the key backup and recovery system and the certificate revocation system;

the certification authority CA: it is the issuing organ of digital certificate, also is the core of PKI system, and is the third party organization with authority and fairness. The certification authority CA firstly confirms the identity of an application user applying for a certificate, and then binds a main body of the certificate to be issued with a public key to generate a digital certificate, so that the application user establishes a corresponding relationship with a pair of the public key and a private key;

registration authority RA: the system is used for receiving the application of the user, checking the real identity of the user, and issuing the digital certificate to the user meeting the certificate issuing condition, otherwise, the digital certificate cannot be obtained;

digital certificate library: the issued certificate and the public key are stored in a centralized way, so that a user can conveniently inquire relevant information such as other certificates in a certificate bank. The digital certificate library is stored in a directory server, a relational database and the like. Usually an LDAP directory;

key backup and recovery system: it is the core of the key management system, and if the user carelessly loses the decryption key of the data, the once encrypted data cannot be decrypted. This system can solve such problems. When the digital certificate is generated, the certification authority CA backups the encryption key and stores the encryption key in the digital certificate library, when a user needs to retrieve the key again due to the loss of the key and the like, the application can be made to the certification authority CA, and the CA recovers the key for the user; therefore, when the backup recovery unit forgets to remember the identity authentication password, the user can recover the key through the mutual cooperation of the authentication mechanism CA, the registration mechanism RA, the digital certificate bank, the key backup and recovery system.

Detailed Description

It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

Example (b): a financial staff operation record black box storage method based on a PKI system comprises the following steps:

the first step is as follows: the data recording system records the data, the data storage unit locally stores the transmitted data, and the data sending unit sends the data to the virtual cloud for multiple backup storage;

the second step is that: when a user calls backup data information through the data proofreading unit, the data proofreading unit can carry out proofreading detection on the data information stored locally in the data storage unit and stored in the virtual cloud end, and if the proofreading is successful, the data is received in an integrated and corresponding mode through the data receiving unit and is sent to the backup recovery unit through the data sending unit;

the third step: and the backup recovery unit encrypts and backups the data packet sent by the data receiving unit again through the identity authentication password.

And in the first step, the data is subjected to cloud end transmission secondary backup storage through a data sending unit.

And in the second step, if the proofreading integration fails, the data is refused to be received.

And in the third step, the backup recovery unit carries out encryption protection on the data through the identity authentication password, so that random recovery leakage is avoided.

The black box comprises a data recording system, a backup recovery unit and an identity authentication password.

The data recording system comprises a working platform, a data storage unit, a data sending unit and a data checking unit, and the backup recovery unit comprises a receiving unit and a virtual cloud.

The output end of the working platform is electrically connected with the input end of the data storage unit, the output end of the data storage unit is electrically connected with the input end of the data sending unit, and the output end of the data checking unit is electrically connected with the input end of the data sending unit.

The identity authentication password comprises a static password and a dynamic password;

static passwords have been used in the past and are based on the principle that the system has an authentication server. The server stores a set of information of each user in advance, namely a user name ID and a password PW, and when the user requires to access the system, the user inputs the user name and the password on the client or the terminal. The system matches the user name and the password input by the user with the user name and password information pair of the legal user stored in the authentication server, if the matching is successful, the user is proved to be the legal user, the user is allowed to access the system resources, otherwise, the user identity is not verified, and the system refuses the user to log in and access. The static password has the advantages of convenient use, simple operation, low cost and high running speed, but has a plurality of potential safety hazards, such as easy stealing, impersonation, snooping and the like;

dynamic passwords are created to address the security concerns that may arise with static passwords. The dynamic password is also called as a one-time password, and a method of using the password once is adopted, so that a user uses the dynamic password plate to generate a dynamic password each time, and only a legal user can use the dynamic token, so that the authentication server can authenticate the user by verifying the password, and the safety of the identity of the user is ensured. The dynamic password is divided into synchronous authentication technology and asynchronous authentication technology, wherein the synchronous authentication technology has two modes of time-based authentication and event-based authentication; asynchronous authentication techniques are then "challenge-response" based authentication techniques. For example, with the time synchronization based authentication technique, if the time of the client and the time of the server are not consistent, the user may not be able to log in the system.

The backup and recovery unit comprises a certification authority CA, a registration authority RA, a digital certificate bank, a key backup and recovery system and a certificate revocation system.

The certification authority CA: it is the issuing organ of digital certificate, also is the core of PKI system, and is the third party organization with authority and fairness. The certification authority CA firstly confirms the identity of an application user applying for a certificate, and then binds a main body of the certificate to be issued with a public key to generate a digital certificate, so that the application user establishes a corresponding relationship with a pair of the public key and a private key;

registration authority RA: the system is used for receiving the application of the user, checking the real identity of the user, and issuing the digital certificate to the user meeting the certificate issuing condition, otherwise, the digital certificate cannot be obtained;

digital certificate library: the issued certificate and the public key are stored in a centralized way, so that a user can conveniently inquire relevant information such as other certificates in a certificate bank. The digital certificate library is stored in a directory server, a relational database and the like. Usually an LDAP directory;

key backup and recovery system: it is the core of the key management system, and if the user carelessly loses the decryption key of the data, the once encrypted data cannot be decrypted. This system can solve such problems. When the digital certificate is generated, the certification authority CA backups the encryption key and stores the encryption key in the digital certificate library, when a user needs to retrieve the key again due to the loss of the key and the like, the application can be made to the certification authority CA, and the CA recovers the key for the user;

certificate revocation system: because the user loses the key or the identity of the user is changed, the certificate exceeds the valid period, the certificate needs to be correspondingly updated, a new certificate is generated, and the original old certificate is revoked. The certificate revocation processing system is an indispensable component in the PKI system, and requires the PKI system to provide a whole set of management mechanism for the certificate revocation system. After the certificate is generated, the PKI system automatically checks whether the certificate exceeds the valid period, automatically updates the certificate every time, and before the certificate expires, the CA starts an updating program to generate a new certificate and then revokes the expired certificate.

The working principle of the invention is as follows:

the data is recorded through the data recording system, the transmitted data is locally stored through the data storage unit, and then the data is sent to the virtual cloud end through the data sending unit to be backed up and stored for multiple times, so that the data safety is improved; when a user calls backup data information through the data proofreading unit, the data proofreading unit can carry out proofreading detection on the data information stored locally in the data storage unit and stored in the virtual cloud end, and if the proofreading is successful, the data is received in an integrated and corresponding mode through the data receiving unit and is sent to the backup recovery unit through the data sending unit, so that the data backup consistency is improved; the backup recovery unit encrypts and backs up the data packet sent by the data receiving unit again through the identity authentication password, and in the third step, the backup recovery unit can encrypt and protect the data through the identity authentication password, so that random recovery leakage is avoided, and the data confidentiality is improved; the identity authentication password comprises a static password and a dynamic password; the static password has an authentication server for the system. The server stores a group of information of each user in advance, namely a user name ID and a password PW, when the user requires to access the system, the user inputs a user name and a password on a client or a terminal, the dynamic password is also called a one-time password, a method of using the password once is adopted, the user uses a dynamic password plate to generate the dynamic password each time, and only a legal user can use the dynamic token, so the authentication server can authenticate the user by verifying the password, the safety of the identity of the user is ensured, and the integral confidentiality of backup data is improved; when the backup recovery unit forgets to remember the identity authentication password, the user can recover the key through the mutual cooperation of the authentication agency CA, the registration agency RA, the digital certificate bank, the key backup and recovery system.

The foregoing shows and describes the general principles and broad features of the present invention and advantages thereof. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.