CN105591738B - A kind of key updating method and device - Google Patents


Info

Publication number: CN105591738B
Authority: CN (China)
Prior art keywords: data, key, member device, quantity threshold, flow
Legal status: Active
Application number: CN201510980172.4A
Other languages: Chinese (zh)
Other versions: CN105591738A
Inventor: 梁栋
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: New H3C Technologies Co Ltd
Application filed by New H3C Technologies Co Ltd
Priority to CN201510980172.4A
Publication of CN105591738A
Application granted
Publication of CN105591738B
Legal status: Active
Anticipated expiration: (not stated on the page)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068 Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying

Abstract

The application provides a key updating method and device applied to a key server. The method comprises: acquiring the amount of data that each member device in the group has encrypted with the current key; summing the amounts of data encrypted with the current key by all member devices in the group; and, when the total amount of encrypted data is greater than or equal to a preset first data-quantity threshold, issuing a new key to every member device in the group. The application can effectively reduce the risk of key exposure under heavy traffic and improve system security.

Description

A kind of key updating method and device
Technical field
This application relates to the field of network communication technology, and in particular to a key updating method and device.
Background technique
GD VPN (Group Domain Virtual Private Network) is a solution for centralized management of keys and security policies. A GD VPN network consists mainly of a KS (Key Server) and GMs (Group Members). The KS is responsible for creating and maintaining keys and for issuing keys and security policies to the GMs; a GM is a routing and forwarding device that uses those keys and security policies.
To improve the security of service traffic, the key used by a GM must be updated at regular intervals. The current key updating mode is mainly that the KS periodically issues a new key to the GMs. Under heavy service traffic, this mode may allow the same key to be used to encrypt a large amount of data, which increases the risk of key exposure.
Summary of the invention
In view of this, the application provides a key updating method and device.
Specifically, the application is achieved by the following technical solution:
The application provides a key updating method applied to a key server. The method comprises:
acquiring the amount of data that each member device in the group has encrypted with the current key;
summing the amounts of data encrypted with the current key by all member devices in the group;
when the total amount of encrypted data is greater than or equal to a preset first data-quantity threshold, issuing a new key to every member device in the group.
The application also provides a key update device applied to a key server. The device comprises:
an acquiring unit, configured to acquire the amount of data that each member device in the group has encrypted with the current key;
a statistic unit, configured to sum the amounts of data encrypted with the current key by all member devices in the group;
an issuance unit, configured to issue a new key to every member device in the group when the total amount of encrypted data is greater than or equal to the preset first data-quantity threshold.
As can be seen from the above description, by counting the amount of data encrypted by the group member devices, the application limits the amount of data encrypted with any one key, thereby reducing the risk of key exposure under heavy traffic and improving system security.
Detailed description of the invention
Fig. 1 is a schematic diagram of GD VPN networking;
Fig. 2 is a flow chart of a key updating method according to an exemplary embodiment of the application;
Fig. 3 is a schematic diagram of the underlying hardware structure of the equipment in which a key update device resides, according to an exemplary embodiment of the application;
Fig. 4 is a structural diagram of a key update device according to an exemplary embodiment of the application.
Specific embodiment
Exemplary embodiments are described in detail here, with examples illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the application; rather, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in this application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on context, the word "if" as used herein may be construed as "when", "upon" or "in response to determining".
GD VPN is a solution for centralized management of keys and security policies and is a point-to-multipoint, tunnel-less connection. GD VPN provides a group-based IPsec (Internet Protocol Security) security model in which all members of the same group share the same security policy and key.
Fig. 1 shows a GD VPN networking diagram. The network consists mainly of a key server KS and member devices GM (GM1 to GM3). The KS is responsible for creating and maintaining keys and for issuing keys and security policies to the GMs; a GM is a routing and forwarding device that uses the key and security policy.
To improve the security of GM service traffic, the key used by a GM must be updated at regular intervals. The current key updating mode is mainly that the KS periodically issues a new key to the GMs. Under heavy service traffic, this mode may allow the same key to be used to encrypt a large amount of data, which increases the risk of key exposure.
To address the above problem, the embodiment of the application proposes a key updating method in which the key server counts the amount of data encrypted by the group member devices and updates the member devices' key based on that amount.
Referring to Fig. 2, which is a flow chart of one embodiment of the key updating method of the application, the key updating process is described as follows.
Step 201: acquire the amount of data that each member device in the group has encrypted with the current key.
In the embodiment of the application, the key server can obtain the encrypted data amount of a member device in at least the following two ways:
Mode one: the member device actively announces
Specifically, the key server receives the flow notification packet that a member device sends each time the amount of data it has encrypted with the current key reaches a second data-quantity threshold (for example, N bytes). The second data-quantity threshold can be determined as follows: first, the second data-quantity threshold is pre-configured on the key server; when a member device registers with the key server, the key server pushes the second data-quantity threshold to the member device.
In one embodiment, the key server can add a new payload type (Traffic Announcement Payload, TA payload for short), place the second data-quantity threshold in the corresponding field of the TA payload, and send a GROUPKEY-PUSH exchange message carrying the TA payload to the member device, thereby pushing the second data-quantity threshold to the member device. The GROUPKEY-PUSH exchange message is a GDOI (Group Domain of Interpretation) protocol message.
A member device may use the second data-quantity threshold pushed by the key server as the basis for sending flow notification packets, or it may configure its own second data-quantity threshold according to the network environment, replacing the one issued by the key server.
For example, assume the second data-quantity threshold configured on the key server KS is 1000 bytes, and member devices GM1 to GM3 each register with KS; during registration, GM1 to GM3 receive the second data-quantity threshold pushed by KS (1000 bytes). A member device can take the second data-quantity threshold pushed by the key server as its default and send flow notification packets according to it, i.e. send one flow notification packet to the key server for every 1000 bytes encrypted. Because this second data-quantity threshold was configured by the key server, the member device need not carry the second data-quantity threshold when sending flow notification packets to the key server. If the network administrator, according to network operating conditions, intends to change the second data-quantity threshold of GM1 to 2000 bytes, it can be configured on GM1 alone; after the change, GM1 sends one flow notification packet to the key server for every 2000 bytes encrypted and carries the second data-quantity threshold currently in use in the flow notification packet, so that KS, according to the second data-quantity threshold carried in the flow notification packet
In one embodiment, the member device can also place the second data-quantity threshold currently in use in the corresponding field of the TA payload and send a GROUPKEY-PULL exchange message carrying the TA payload to the key server as the flow notification packet; the GROUPKEY-PULL exchange message is a GDOI protocol message.
The key server counts the number of flow notification packets received under the current key and then calculates, from the second data-quantity threshold and the number of flow notification packets, the amount of data the member device has encrypted with the current key. For example, if the second data-quantity threshold is 1000 bytes and 5 flow notification packets have been received, the member device's encrypted data amount under the current key is 1000*5=5000 bytes.
Mode two: the key server actively queries
Specifically, the key server periodically sends a flow query message to the group member devices. In one embodiment, the key server of the embodiment of the application can add a new payload type (Enquire Traffic Payload, ET payload for short) and send a GROUPKEY-PUSH exchange message carrying the ET payload to the member device as the flow query message.
The member device itself counts the amount of data it has encrypted with the current key and, on receiving the flow query message, responds to the key server with a flow response message carrying the amount of data encrypted with the current key as counted by the member device. In one embodiment, the member device can place the amount of data encrypted with the current key in the corresponding field of the ET payload and send a GROUPKEY-PULL exchange message carrying the ET payload to the key server as the flow response message.
After receiving the flow response message, the key server reads the amount of data encrypted with the current key, as counted by the member device, directly from the flow response message.
Step 202: sum the amounts of encrypted data of all member devices in the group under the current key.
Step 203: when the total amount of encrypted data is greater than or equal to the preset data-quantity threshold, issue a new key to every member device in the group.
The key server decides whether the key needs updating according to the total amount of data encrypted by the group member devices. The preset data-quantity threshold limits the amount of data encrypted with any one key, thereby reducing the risk of key exposure.
As can be seen from the foregoing description, under heavy service traffic the application can effectively reduce the amount of data encrypted with the same key and, especially when the key update period is long, effectively improve system security.
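The procedure of steps 201 to 203, with both acquisition modes, as an added example written for this page (it is not code from the patent or from H3C). It simulates the key server (KS) and group member (GM) roles in Python; the GDOI TA/ET payloads are represented as plain method calls, and the class names, the 10000-byte first threshold and the byte counts in the scenario are constructed assumptions. It follows the text's example (KS threshold 1000 bytes, GM1 locally changed to 2000 bytes) and adds one refinement a practitioner would want: each flow notification is credited with the threshold in effect when it arrives, which equals count * threshold (the text's 1000*5 = 5000) while the threshold is constant but stays correct if a GM changes its threshold part-way through a key's life.

```python
# Added example, not from the patent: KS/GM simulation of volume-based rekeying.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class KeyServer:
    first_threshold: int            # total bytes permitted under one key (step 203)
    default_second_threshold: int   # announcement granularity pushed at registration
    key_version: int = 1
    member_threshold: Dict[str, int] = field(default_factory=dict)  # per-GM threshold in effect
    announced_bytes: Dict[str, int] = field(default_factory=dict)   # mode one: credited bytes
    reported_bytes: Dict[str, int] = field(default_factory=dict)    # mode two: query answers
    rekey_log: List[Tuple[int, int]] = field(default_factory=list)  # (old key version, total)

    def register(self, member: str) -> int:
        """Registration: KS pushes its configured second threshold to the GM (TA payload)."""
        self.member_threshold[member] = self.default_second_threshold
        self.announced_bytes[member] = 0
        return self.default_second_threshold

    def on_flow_announcement(self, member: str, carried: Optional[int] = None) -> bool:
        """Mode one: one notification = one more 'second threshold' of bytes.
        A GM that reconfigured its threshold carries it; KS adopts it for that GM."""
        if carried is not None:
            self.member_threshold[member] = carried
        self.announced_bytes[member] += self.member_threshold[member]
        return self.check_and_rekey()

    def on_flow_response(self, member: str, volume: int) -> bool:
        """Mode two: a flow response carries the GM's own byte count (ET payload)."""
        self.reported_bytes[member] = volume
        return self.check_and_rekey()

    def member_volume(self, member: str) -> int:
        """Step 201: announced bytes never exceed what the GM encrypted, and a query
        answer may predate a later announcement, so the larger is the tightest figure."""
        return max(self.announced_bytes.get(member, 0), self.reported_bytes.get(member, 0))

    def total_volume(self) -> int:
        """Step 202: sum over every registered member under the current key."""
        return sum(self.member_volume(m) for m in self.member_threshold)

    def check_and_rekey(self) -> bool:
        """Step 203: at or above the first threshold, issue a new key and restart statistics."""
        total = self.total_volume()
        if total < self.first_threshold:
            return False
        self.rekey_log.append((self.key_version, total))
        self.key_version += 1
        for m in self.member_threshold:
            self.announced_bytes[m] = 0
        self.reported_bytes.clear()
        return True


@dataclass
class GroupMember:
    name: str
    ks: KeyServer
    threshold: int = 0
    locally_configured: bool = False  # True after an administrator override
    key_version: int = 0
    encrypted: int = 0      # bytes encrypted under the current key
    unannounced: int = 0    # bytes not yet covered by a notification

    def register(self) -> None:
        self.threshold = self.ks.register(self.name)
        self.key_version = self.ks.key_version

    def reconfigure_threshold(self, value: int) -> None:
        """Administrator overrides the pushed value on this GM only (GM1 in the text)."""
        self.threshold = value
        self.locally_configured = True

    def _sync_key(self) -> None:
        # A new key from the KS restarts this GM's own per-key statistics.
        if self.key_version != self.ks.key_version:
            self.key_version = self.ks.key_version
            self.encrypted = self.unannounced = 0

    def encrypt(self, nbytes: int) -> List[bool]:
        """Encrypt nbytes; send one notification per `threshold` bytes (mode one).
        Returns the KS rekey decision for each notification sent."""
        self._sync_key()
        self.encrypted += nbytes
        self.unannounced += nbytes
        decisions: List[bool] = []
        while self.threshold > 0 and self.unannounced >= self.threshold:
            self.unannounced -= self.threshold
            carried = self.threshold if self.locally_configured else None
            decisions.append(self.ks.on_flow_announcement(self.name, carried))
            if decisions[-1]:          # new key issued: remaining bytes start fresh
                self._sync_key()
                break
        return decisions


def run_scenario() -> dict:
    """Constructed scenario: KS threshold 1000, GM1 overridden to 2000, first threshold 10000."""
    ks = KeyServer(first_threshold=10_000, default_second_threshold=1000)
    gms = {n: GroupMember(n, ks) for n in ("GM1", "GM2", "GM3")}
    for gm in gms.values():
        gm.register()
    gms["GM1"].reconfigure_threshold(2000)
    gms["GM2"].encrypt(5000)   # five notifications at 1000 bytes each
    gms["GM1"].encrypt(4500)   # two notifications at 2000 bytes; 500 bytes pending
    gms["GM3"].encrypt(700)    # below its threshold: nothing announced yet
    before_query = tuple(ks.member_volume(m) for m in gms) + (ks.total_volume(),)
    rekey_on_query = ks.on_flow_response("GM3", gms["GM3"].encrypted)  # mode two
    after_query_total = ks.total_volume()
    decisions = gms["GM3"].encrypt(300)  # reaches 1000 bytes: notification lifts total to 10000
    return {"before_query": before_query, "rekey_on_query": rekey_on_query,
            "after_query_total": after_query_total, "decisions": decisions,
            "key_version": ks.key_version, "rekey_log": ks.rekey_log,
            "total_after_rekey": ks.total_volume(),
            "gm1_threshold_at_ks": ks.member_threshold["GM1"]}
```

Running `run_scenario()` shows the two modes working together: after GM2's five and GM1's two notifications the KS knows of 9000 bytes, GM3's query answer raises that to 9700 without triggering a rekey, and GM3's first notification brings the total to exactly 10000, at which point every counter is cleared and the key version advances. The 500 bytes GM1 has encrypted but not yet announced are invisible to the KS in mode one; mode two is what closes that gap.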
Corresponding to the embodiments of the key updating method above, the application also provides embodiments of a key update device.
The embodiments of the key update device of the application can be applied on an encryption server or a member device. The device embodiments can be implemented by software, or by hardware or a combination of hardware and software. Taking software implementation as an example, a device in the logical sense is formed by the processor of the equipment in which it resides reading the corresponding computer program instructions from memory and running them. At the hardware level, Fig. 3 is a hardware structure diagram of the equipment in which the key update device of the application resides; besides the processor, network interface and memory shown in Fig. 3, the equipment in which the device resides in an embodiment may generally also include other hardware according to its actual function, which is not described further here.
Referring to Fig. 4, which is a structural diagram of the key update device in one embodiment of the application, the key update device comprises an acquiring unit 401, a statistic unit 402 and an issuance unit 403, wherein:
the acquiring unit 401 is configured to acquire the amount of data that each member device in the group has encrypted with the current key;
the statistic unit 402 is configured to sum the amounts of data encrypted with the current key by all member devices in the group;
the issuance unit 403 is configured to issue a new key to every member device in the group when the total amount of encrypted data is greater than or equal to the preset first data-quantity threshold.
Further,
the acquiring unit 401 is specifically configured to receive the flow notification packet that the member device sends each time the amount of data it has encrypted with the current key reaches a second data-quantity threshold, the flow notification packet carrying the second data-quantity threshold; count the number of flow notification packets received under the current key; and calculate, from the second data-quantity threshold and the counted number of flow notification packets, the amount of data the member device has encrypted with the current key.
Further, the device further comprises:
a configuration unit, configured to configure the second data-quantity threshold and push it to the member device before the acquiring unit 401 acquires the amount of data that each member device in the group has encrypted with the current key;
the acquiring unit 401 is specifically configured to receive the flow notification packet that the member device sends each time the amount of data it has encrypted with the current key reaches the second data-quantity threshold; count the number of flow notification packets received under the current key; and calculate, from the second data-quantity threshold and the counted number of flow notification packets, the amount of data the member device has encrypted with the current key.
Further,
the acquiring unit 401 is specifically configured to send a flow query message to the member device and receive the flow response message the member device returns in answer to the flow query message, the flow response message carrying the amount of data the member device has encrypted with the current key.
The implementation of the functions and effects of each unit in the above device is detailed in the implementation of the corresponding steps of the above method and is not repeated here.
Since the device embodiments essentially correspond to the method embodiments, the relevant parts may be referred to the description of the method embodiments. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the application. A person of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely a preferred embodiment of the application and is not intended to limit the application; any modification, equivalent substitution, improvement, etc. made within the spirit and principle of the application should be included within the scope of protection of the application.

Claims (6)

1. A key updating method, applied to a key server, characterized in that the method comprises:
performing the following operations for each member device in the group: receiving the flow notification packet that the member device sends each time the amount of data it has encrypted with the current key reaches a second data-quantity threshold; counting the number of flow notification packets received under the current key; and calculating, from the second data-quantity threshold and the counted number of flow notification packets, the amount of data the member device has encrypted with the current key;
or,
performing the following operations for each member device in the group: sending a flow query message to the member device; and receiving the flow response message the member device returns in answer to the flow query message, the flow response message carrying the amount of data the member device has encrypted with the current key;
summing the amounts of data encrypted with the current key by all member devices in the group;
when the total amount of encrypted data is greater than or equal to a preset first data-quantity threshold, issuing a new key to every member device in the group.
2. The method of claim 1, characterized in that:
the second data-quantity threshold is carried in the flow notification packet.
3. The method of claim 1, characterized in that, before receiving the flow notification packet that the member device sends each time the amount of data it has encrypted with the current key reaches the second data-quantity threshold, the method further comprises:
configuring the second data-quantity threshold;
pushing the second data-quantity threshold to the member device.
4. A key update device, applied to a key server, characterized in that the device comprises:
an acquiring unit, configured to receive the flow notification packet that a member device sends each time the amount of data it has encrypted with the current key reaches a second data-quantity threshold, count the number of flow notification packets received under the current key, and calculate, from the second data-quantity threshold and the counted number of flow notification packets, the amount of data the member device has encrypted with the current key; or, to send a flow query message to the member device and receive the flow response message the member device returns in answer to the flow query message, the flow response message carrying the amount of data the member device has encrypted with the current key;
a statistic unit, configured to sum the amounts of data encrypted with the current key by all member devices in the group;
an issuance unit, configured to issue a new key to every member device in the group when the total amount of encrypted data is greater than or equal to a preset first data-quantity threshold.
5. The device of claim 4, characterized in that:
the second data-quantity threshold is carried in the flow notification packet.
6. The device of claim 4, characterized in that the device further comprises:
a configuration unit, configured to configure the second data-quantity threshold and push the second data-quantity threshold to the member device.
CN201510980172.4A, priority date 2015-12-22, filing date 2015-12-22: A kind of key updating method and device (Active, CN105591738B)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510980172.4A CN105591738B (en) 2015-12-22 2015-12-22 A kind of key updating method and device

Publications (2)

Publication Number Publication Date
CN105591738A CN105591738A (en) 2016-05-18
CN105591738B true CN105591738B (en) 2018-12-25

Family

ID=55931014

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108494722A (en) * 2018-01-23 2018-09-04 国网浙江省电力有限公司电力科学研究院 Intelligent substation communication message completeness protection method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102281535A (en) * 2010-06-10 2011-12-14 华为技术有限公司 Key updating method and apparatus thereof
CN102694647A (en) * 2011-03-25 2012-09-26 株式会社东芝 Node and group key updating method
CN103209072A (en) * 2013-04-27 2013-07-17 杭州华三通信技术有限公司 MACsec (Multi-Access Computer security) key updating method and equipment
CN103326853A (en) * 2012-03-22 2013-09-25 中兴通讯股份有限公司 Method and device for upgrading secret key
CN104394123A (en) * 2014-11-06 2015-03-04 成都卫士通信息产业股份有限公司 A data encryption transmission system and method based on an HTTP
CN104935593A (en) * 2015-06-16 2015-09-23 杭州华三通信技术有限公司 Data message transmitting method and device

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
  Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466
  Applicant after: Xinhua three Technology Co., Ltd.
  Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466
  Applicant before: Huasan Communication Technology Co., Ltd.
GR01 Patent grant