CN103391188A - Secret key management method based on symmetric secret key mechanism - Google Patents
Secret key management method based on symmetric secret key mechanism Download PDFInfo
- Publication number
- CN103391188A CN103391188A CN2013102993989A CN201310299398A CN103391188A CN 103391188 A CN103391188 A CN 103391188A CN 2013102993989 A CN2013102993989 A CN 2013102993989A CN 201310299398 A CN201310299398 A CN 201310299398A CN 103391188 A CN103391188 A CN 103391188A
- Authority
- CN
- China
- Prior art keywords
- transaction
- key
- terminal
- business
- cipher machine
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The invention provides a secret key management method based on a symmetric secret key mechanism. By means of the secret key management method, independent secret keys are generated after each trade and canceled after using, the problem that management number under the symmetric secret key mechanism is huge can be solved, and secret key management is easier due to decrease of the number of the secret keys. Further, no special secret key database is used for storing the secret keys, so that complexity in secret key management and expenditure in secret key management can be remarkably reduced.
Description
Technical field
The present invention relates to a kind of key management method, particularly relate to a kind of key management method based on symmetric key mechanisms of information security field protection financial business data security.
Background technology
Cryptographic technique is the basic technology of information security, and key is the basis of cryptographic technique safety applications and the core element of informatization security., along with the high speed of the information-based industry of China is all-round developing,, as the encryption device of information security basis core, when safe cryptographic technique is provided for information industry and Developing Track for Modern Service Industry always, also face more and more stricter safety requirements.
In the financial business network, the business main frame needs to communicate by letter safely with a large amount of transaction terminals, the different keys of the security requirement of system must be separated use, i.e. different keys are adopted in the secure communication of each transaction terminal, and the different function of safety protection in each transaction adopt different keys.In addition, the exclusive key of this transaction is adopted in each transaction, and this key is separated can prevent influencing each other of Key Exposure between different the transaction, can further strengthen the fail safe of financial service system.But the finance data cipher machine of key segregation requirement business main frame adapted is preserved a large amount of keys, this increased that the finance data cipher machine realizes complexity.Simultaneously, the increase of number of keys also increases the complexity of key management, and complicated key management not only causes the increase of key management expense, also can reduce the fail safe of key management simultaneously.
Usually in financial service system; adopt symmetric key mechanisms to realize the high efficiency that service security is processed, still, symmetric key mechanisms need to be managed the key of enormous amount; thereby cause the storage of key, protection expense large, and also corresponding increase of the security protection technology difficulty of key self.
The notable feature of symmetric key mechanisms is that safe operation efficiency is high, and speed is fast, but key management is complicated, particularly after nearly step employing key isolation technique, usually needs the number of keys of management huge especially.In addition, key itself also needs stronger safeguard protection, thereby has further increased the weight of the complexity of key management.Generally, adopt a private database to preserve the huge key of quantity in symmetric key mechanisms, but the scheme that adopts the private database storage key to solve the key management complexity exists complex management, shortcoming that administration overhead is large, and has the mixed potential safety hazard of different keys.The management of key database in addition, maintenance costs are large, and the reliability of key database also may affect the reliability of whole operation system.
Summary of the invention
The technical problem to be solved in the present invention is to provide the less and simpler key management method based on symmetric key mechanisms of key management of a kind of number of keys, the each transaction of the method all generates independently key and deletion after using, the method has solved the problem of key management enormous amount under the symmetric key mechanisms, the minimizing of number of keys makes key management simpler, and, due to adapted private key database storage key not, the complexity of key management and key management expense also can be reduced significantly.
The technical problem that the present invention further solves has been to provide a kind of dynamic key management method, transaction key is along with the transaction counter dynamic change, adopt modern cryptographic technique to produce, security intensity is high, the leakage of a transaction key can not affect other transaction key, and reliability can be significantly improved.
The technical solution used in the present invention is as follows: a kind of key management method based on symmetric key mechanisms, and its method step is:
Step 1, finance data cipher machine produce each transaction terminal initial key, by the business main frame, initial key are distributed to each transaction terminal, delete simultaneously initial key;
Step 2, transaction terminal are stored in initial key in the terminal password module, and with transaction counter zero setting;
When step 3, first transaction, transaction terminal adopts initial key to complete first transaction as transaction key, and transaction terminal produces the transaction key of transaction next time according to initial key and transaction counter again, deletes simultaneously initial key;
Step 4, when carrying out financial business when transaction, transaction terminal is completed this transaction according to the exclusive transaction key that last transaction key and transaction counter produce transaction;
After step 5, each transaction were completed, transaction counter added 1, then with this transaction key, encrypts the value of transaction counter, and the ciphertext of generation, as the transaction key of transaction next time, is destroyed the transaction key of this transaction simultaneously;
Step 6, when transaction counter reaches maximum, upgrade initial key and repeat said process.
As preferably, the finance data cipher machine generates initial key according to terminal number, and initial key is comprised of root key, transaction terminal number, transaction terminal group number and transaction counter.
As preferably, the derivative algorithm of described initial key is: IKEY=SM4 (RKEY) [T_group||T_number||0].
As preferably, described step 1 is divided into key a plurality of key components in the initial key distribution procedure, and then the combination key component becomes the initial key of final transmission.
As preferably, the derivative algorithm of described transaction key is: SKEY=SM4 (SKEY_p) (T_group||T_number||TC).
As preferably, the concrete grammar step during described each transaction is:
A, while concluding the business at every turn, the terminal password module that the business main frame answers transaction terminal requests to call transaction terminal produces the terminal transaction key of this transaction;
B, terminal transaction secret key safety protection transaction business data, form safe packet, and safe packet is sent to the business main frame by network;
The secure packet forwarding that C, business main frame will receive is to the finance data cipher machine, and the finance data cipher machine produces the cipher machine transaction key of this transaction;
D, finance data cipher machine be with the integrality of cipher machine transaction key verification business datum, and the business datum by the message completeness check just sends the Batch Processing system to and carries out accounting processing, otherwise abandons;
The result that E, Batch Processing system are processed, be encapsulated as the response message loopback of employing terminal transaction secret key safety protection to transaction terminal;
F, transaction terminal call the fail safe of terminal password module check transaction response message, process by the business datum transmission terminal traffic system of security inspection, thereby realize safe financial business transaction.
As preferably, the algorithm of described terminal transaction key and cipher machine transaction key all adopts the transaction key derivative algorithm.
As preferably; the process that described cipher machine transaction key produces is: the finance data cipher machine is after receiving the transaction data of safeguard protection; at first find the transaction terminal group number from internet message; transaction terminal number; produce the initial key of terminal according to these data; then according to the transaction terminal group number, transaction terminal number, transaction counter produce the transaction key of this transaction.
Compared with prior art, the invention has the beneficial effects as follows: the method has solved the problem of key management enormous amount, makes key management simpler, and, owing to there is no the private key database, the complexity of key management, the key management expense also can be reduced significantly.
Its further beneficial effect is: transaction key is along with the transaction counter dynamic change; adopt modern cryptographic technique to produce; security intensity is high; the leakage of a transaction key can not affect other transaction key; reliability can be significantly improved, and has protected integrality, confidentiality and the data source authentication of financial business data.Carry out independent key component leakage and can not cause the leakage of whole key, thereby realize the safety prevention measure that the multiple control right to know is discrete.
Description of drawings
Fig. 1 is for realizing application system block diagram of the present invention.
Fig. 2 represents in key management method of the present invention, transaction key distribution flow schematic diagram.
Embodiment
, in order to make purpose of the present invention, technical scheme and advantage clearer, below in conjunction with drawings and Examples, the present invention is further elaborated.Should be appreciated that specific embodiment described herein, only in order to explain the present invention, is not intended to limit the present invention.
Disclosed all features in this specification, except the feature of mutual eliminating, all can make up by any way.
Disclosed arbitrary feature in this specification (comprising any accessory claim, summary and accompanying drawing), unless special narration all can be replaced by other equivalences or the alternative features with similar purpose.That is, unless special narration, each feature is an example in a series of equivalences or similar characteristics.
As shown in Figure 1, business main frame and transaction terminal exchange the financial business data by trade network, and business main frame and transaction terminal network service adopt modern cryptographic technique to carry out safeguard protection.Wired, wireless network connected mode that trade network can adopt.Transaction terminal comprises the financial business terminals such as POS/ATM/ automatic teller machine, but is not limited to the POS/ATM/ automatic teller machine.
The business main frame is realized operation flow, the business rule of financial business, for the user provides financial service.Finance data cipher machine of every business main frame adapted; the business main frame provides the business datum that needs safeguard protection to the finance data cipher machine; the finance data cipher machine carries out safeguard protection to data as requested, then returns by the business datum of safeguard protection to the business main frame.Transaction terminal and user carry out alternately, after safe handling user request, by trade network, user's request are transferred to the business main frame safely, then replying of business main frame are presented to the user, thereby realize the financial business process.
A kind of key management method based on symmetric key mechanisms, its method step is:
Step 1, finance data cipher machine produce each transaction terminal initial key, by the business main frame, initial key are distributed to each transaction terminal, delete simultaneously initial key;
Step 2, transaction terminal are stored in initial key in the terminal password module, and with transaction counter zero setting;
When step 3, first transaction, transaction terminal adopts initial key to complete first transaction as transaction key, and transaction terminal produces the transaction key of transaction next time according to initial key and transaction counter again, deletes simultaneously initial key;
Step 4, when carrying out financial business when transaction, transaction terminal is completed this transaction according to the exclusive transaction key that last transaction key and transaction counter produce transaction;
After step 5, each transaction were completed, transaction counter added 1, then with this transaction key, encrypts the value of transaction counter, and the ciphertext of generation, as the transaction key of transaction next time, is destroyed the transaction key of this transaction simultaneously;
Step 6, when transaction counter reaches maximum, upgrade initial key and repeat said process.
The finance data key machine that is connected with the business main frame produces the initial key (initial password of each transaction terminal is different) of All Activity terminal, in order to reduce the memory space of finance data cipher machine storage key, the finance data cipher machine is not preserved initial key.
The finance data cipher machine generates initial key according to terminal number, and initial key is comprised of root key, transaction terminal number, transaction terminal group number and transaction counter.
The financial business main frame calls the finance data cipher machine and produces the initial key of All Activity terminal, and initial key is distributed to transaction terminal by escape way, and transaction terminal is stored in initial key in the terminal password module safely.
Encrypt the splicing string of transaction terminal group number, transaction terminal number and transaction counter with initial key, ciphertext, as the transaction key of the first sum of business, is completed the initialization of transaction terminal.
When carrying out the financial business transaction, at first with the transaction key of preserving, protect the transaction data of this transaction.
Transaction terminal is after the transaction data with this this transaction of transaction key safeguard protection; transaction counter is added 1; then encrypt the value of transaction counter with this transaction key; the ciphertext that produces is as the transaction key of transaction next time; and store this transaction key and use as subsequent transaction, destroy simultaneously the transaction key of this transaction.Within the life cycle of key, transaction terminal repeats above-mentioned financial business data security protecting process.
The derivative algorithm of described initial key is: IKEY=SM4 (RKEY) [T_group||T_number||0].Wherein, IKEY is national Password Management office symmetric key algorithm for transaction initial key, SM4 algorithm, and T_group is the transaction terminal group number, and T_number is transaction terminal number, and 0 is the initial transaction counter, and RK is root key.
As shown in Figure 2, described step 1 is divided into key a plurality of key components in the initial key distribution procedure, and then the combination key component becomes the initial key of final transmission.Independent key component leakage is carried out in the safety measure can not cause the leakage of whole key, thereby realizes the safety prevention measure that the multiple control right to know is discrete.
The derivative algorithm of described transaction key is: SKEY=SM4 (SKEY_p) (T_group||T_number||TC).SKEY is this transaction key; SKEY_p is last transaction key (if first transaction; be the initial transaction key); the SM4 algorithm is national Password Management office symmetric key algorithm; T_group is the transaction terminal group number; T_number is transaction terminal number, and TC is transaction counter, integrality, confidentiality and the data source authentication of protection financial business data.
Concrete grammar step during described each transaction is:
A, while concluding the business at every turn, the terminal password module that the business main frame answers transaction terminal requests to call transaction terminal produces the terminal transaction key of this transaction;
B, terminal transaction secret key safety protection transaction business data, form safe packet, and safe packet is sent to the business main frame by network;
The secure packet forwarding that C, business main frame will receive is to the finance data cipher machine, and the finance data cipher machine produces the cipher machine transaction key of this transaction;
D, finance data cipher machine be with the integrality of cipher machine transaction key verification business datum, and the business datum by the message completeness check just sends the Batch Processing system to and carries out accounting processing, otherwise abandons;
The result that E, Batch Processing system are processed, be encapsulated as the response message loopback of employing terminal transaction secret key safety protection to transaction terminal;
F, transaction terminal call the fail safe of terminal password module check transaction response message, process by the business datum transmission terminal traffic system of security inspection, thereby realize safe financial business transaction.
Transaction terminal when receiving the customer transaction request, starts a financial business trade transactions, calls the terminal password module and produces the transaction key of this transaction.
The algorithm of described terminal transaction key and cipher machine transaction key all adopts the transaction key derivative algorithm.
The process that described cipher machine transaction key produces is: the finance data cipher machine is after receiving the transaction data of safeguard protection; at first find the transaction terminal group number from internet message; transaction terminal number; produce the initial key of terminal according to these data; then according to the transaction terminal group number; transaction terminal number, transaction counter produce the transaction key of this transaction.
In each actual process of exchange, the finance data cipher machine generates initial key according to terminal number.
After each transaction was completed, transaction counter added 1, and transaction terminal is deleted this and handed over wield key; Transaction terminal is after the transaction data with this this transaction of transaction key safeguard protection; transaction counter is added 1; then encrypt the value of transaction counter with this transaction key; the ciphertext that produces is as the transaction key of transaction next time; and store this transaction key and use as subsequent transaction, destroy simultaneously the transaction key of this transaction.
The finance data cipher machine is after receiving the transaction data of safeguard protection; at first find the transaction terminal group number from internet message; transaction terminal number; produce the initial key of terminal according to these data; then according to the transaction terminal group number; transaction terminal number; transaction counter produces the transaction key of this transaction; the Internet Transmission fail safe of checking transaction data; the business main frame that the transaction data that security verification passes through just sends rear end to carries out Business Processing, and the transaction data by security verification will not abandon.Simultaneously, the finance data cipher machine is done same safeguard protection to the transaction response message of transaction main frame.
Claims (8)
1. key management method based on symmetric key mechanisms, it is characterized in that: its method step is:
Step 1, finance data cipher machine produce each transaction terminal initial key, by the business main frame, initial key are distributed to each transaction terminal, delete simultaneously initial key;
Step 2, transaction terminal are stored in initial key in the terminal password module, and with transaction counter zero setting;
When step 3, first transaction, transaction terminal adopts initial key to complete first transaction as transaction key, and transaction terminal produces the transaction key of transaction next time according to initial key and transaction counter again, deletes simultaneously initial key;
Step 4, when carrying out financial business when transaction, transaction terminal is completed this transaction according to the exclusive transaction key that last transaction key and transaction counter produce transaction;
After step 5, each transaction were completed, transaction counter added 1, then with this transaction key, encrypts the value of transaction counter, and the ciphertext of generation, as the transaction key of transaction next time, is destroyed the transaction key of this transaction simultaneously;
Step 6, when transaction counter reaches maximum, upgrade initial key and repeat said process.
2. method according to claim 1, it is characterized in that: the finance data cipher machine generates initial key according to terminal number, and initial key is comprised of root key, transaction terminal number, transaction terminal group number and transaction counter.
3. method according to claim 2, it is characterized in that: the derivative algorithm of described initial key is: IKEY=SM4 (RKEY) [T_group||T_number||0].
4. method according to claim 1, is characterized in that: in described step 1, key is divided into a plurality of key components in the initial key distribution procedure, and then the combination key component becomes the initial key of final transmission.
5. method according to claim 1, it is characterized in that: the derivative algorithm of described transaction key is: SKEY=SM4 (SKEY_p) (T_group||T_number||TC).
6. method according to claim 5 is characterized in that: the concrete grammar step during described each transaction is:
A, while concluding the business at every turn, the terminal password module that the business main frame answers transaction terminal requests to call transaction terminal produces the terminal transaction key of this transaction;
B, terminal transaction secret key safety protection transaction business data, form safe packet, and safe packet is sent to the business main frame by network;
The secure packet forwarding that C, business main frame will receive is to the finance data cipher machine, and the finance data cipher machine produces the cipher machine transaction key of this transaction;
D, finance data cipher machine be with the integrality of cipher machine transaction key verification business datum, and the business datum by the message completeness check just sends the Batch Processing system to and carries out accounting processing, otherwise abandons;
The result that E, Batch Processing system are processed, be encapsulated as the response message loopback of employing terminal transaction secret key safety protection to transaction terminal;
F, transaction terminal call the fail safe of terminal password module check transaction response message, process by the business datum transmission terminal traffic system of security inspection, thereby realize safe financial business transaction.
7. method according to claim 6, it is characterized in that: the algorithm of described terminal transaction key and cipher machine transaction key all adopts the transaction key derivative algorithm.
8. method according to claim 6; it is characterized in that: the process that described cipher machine transaction key produces is: the finance data cipher machine is after receiving the transaction data of safeguard protection; at first find the transaction terminal group number from internet message; transaction terminal number; produce the initial key of terminal according to these data; then according to the transaction terminal group number, transaction terminal number, transaction counter produce the transaction key of this transaction.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2013102993989A CN103391188A (en) | 2013-07-17 | 2013-07-17 | Secret key management method based on symmetric secret key mechanism |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2013102993989A CN103391188A (en) | 2013-07-17 | 2013-07-17 | Secret key management method based on symmetric secret key mechanism |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103391188A true CN103391188A (en) | 2013-11-13 |
Family
ID=49535353
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2013102993989A Pending CN103391188A (en) | 2013-07-17 | 2013-07-17 | Secret key management method based on symmetric secret key mechanism |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103391188A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104618355A (en) * | 2015-01-19 | 2015-05-13 | 北京海泰方圆科技有限公司 | Safe data storage and transmission method |
CN105741117A (en) * | 2016-01-25 | 2016-07-06 | 恒宝股份有限公司 | Method and off-line transaction device based on security key |
JP2019527950A (en) * | 2016-06-30 | 2019-10-03 | イプコ 2012 リミテッドIpco 2012 Limited | Communication device, point-of-sale terminal, payment device, and method |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102043937A (en) * | 2010-12-31 | 2011-05-04 | 上海众人网络安全技术有限公司 | Card reader capable of generating dynamic passwords as well as dynamic password authentication system and method |
CN102970288A (en) * | 2012-11-09 | 2013-03-13 | 江苏乐买到网络科技有限公司 | Network transaction system with dynamic password generator |
-
2013
- 2013-07-17 CN CN2013102993989A patent/CN103391188A/en active Pending
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102043937A (en) * | 2010-12-31 | 2011-05-04 | 上海众人网络安全技术有限公司 | Card reader capable of generating dynamic passwords as well as dynamic password authentication system and method |
CN102970288A (en) * | 2012-11-09 | 2013-03-13 | 江苏乐买到网络科技有限公司 | Network transaction system with dynamic password generator |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104618355A (en) * | 2015-01-19 | 2015-05-13 | 北京海泰方圆科技有限公司 | Safe data storage and transmission method |
CN105741117A (en) * | 2016-01-25 | 2016-07-06 | 恒宝股份有限公司 | Method and off-line transaction device based on security key |
JP2019527950A (en) * | 2016-06-30 | 2019-10-03 | イプコ 2012 リミテッドIpco 2012 Limited | Communication device, point-of-sale terminal, payment device, and method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2020259635A1 (en) | Method and apparatus for sharing blockchain data | |
CN100487715C (en) | Date safety storing system, device and method | |
CN101159556B (en) | Group key server based key management method in sharing encryption file system | |
US5231666A (en) | Cryptographic method for updating financial records | |
US8528104B2 (en) | Security and ticketing system control and management | |
CN109361517A (en) | A kind of virtualization cloud cipher machine system and its implementation based on cloud computing | |
US10915897B2 (en) | Token management for enhanced omni-channel payments experience and analytics | |
CN202663444U (en) | Cloud safety data migration model | |
WO2020192285A1 (en) | Key management method, security chip, service server and information system | |
CN105610837B (en) | For identity authentication method and system between SCADA system main website and slave station | |
CN103023657B (en) | Security verification system based on distributed network transaction | |
CN109428867A (en) | A kind of message encipher-decipher method, network equipment and system | |
CN105577639A (en) | Trusted device control messages | |
CN109245894A (en) | A kind of distributed cloud storage system based on intelligent contract | |
CN104618096A (en) | Method and device for protecting secret key authorized data, and TPM (trusted platform module) secrete key management center | |
CN104065485A (en) | Power grid dispatching mobile platform safety guaranteeing and controlling method | |
CN108270739A (en) | A kind of method and device of managing encrypted information | |
CN109697370A (en) | Database data encipher-decipher method, device, computer equipment and storage medium | |
CN104144174B (en) | Protect method, user equipment and the server of privacy of user data | |
CN103684759A (en) | Terminal data encrypting method and device | |
CN108765230A (en) | A kind of resident's household register approaches to IM and server | |
CN103391188A (en) | Secret key management method based on symmetric secret key mechanism | |
CN108574573A (en) | Method, encryption device and the virtual VPN service systems of cryptographic service are provided for virtual VPN | |
CN110086789A (en) | A kind of method, apparatus, equipment and the medium of data transmission | |
CN105472030A (en) | Remote mirror image method and system based on iSCSI |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20131113 |
|
WD01 | Invention patent application deemed withdrawn after publication |