CN105591738B - A kind of key updating method and device - Google Patents
- Publication number: CN105591738B (application CN201510980172.4A)
- Authority: CN (China)
- Prior art keywords: data, key, member device, quantity threshold, flow
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/068—Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Telephonic Communication Services (AREA)
Abstract
The application provides a key updating method and device applied to a key server. The method comprises: obtaining, for each member device in a group, the amount of data it has encrypted with the current key; summing the amounts of data encrypted with the current key by all member devices in the group; and, when the sum is greater than or equal to a preset first data-volume threshold, distributing a new key to each member device in the group. By bounding the amount of data any single key encrypts, the application effectively reduces the risk of key compromise under high traffic volumes and improves system security.
Description
Technical field
This application relates to the field of network communication technology, and in particular to a key updating method and device.
Background technique
GD VPN (Group Domain Virtual Private Network) is a solution for centralized management of keys and security policies. A GD VPN network consists mainly of a KS (Key Server) and GMs (Group Members). The KS is responsible for creating and maintaining keys and for distributing keys and security policies to the GMs; a GM is a routing and forwarding device that uses the keys and security policies.
To improve the security of service traffic, the key used by a GM must be updated periodically. The current key updating mode is mainly that the KS distributes a new key to the GMs at fixed intervals. Under heavy service traffic, this mode may leave the same key in use for encrypting a large amount of data, which increases the risk of key compromise.
Summary of the invention
In view of this, the application provides a key updating method and device.
Specifically, the application is achieved by the following technical solution:
The application provides a key updating method applied to a key server. The method comprises:
obtaining, for each member device in a group, the amount of data encrypted with the current key;
summing the amounts of data encrypted with the current key by all member devices in the group;
when the sum of encrypted data is greater than or equal to a preset first data-volume threshold, distributing a new key to each member device in the group.
The application also provides a key updating device applied to a key server. The device comprises:
an acquiring unit, for obtaining the amount of data encrypted with the current key by each member device in the group;
a statistics unit, for summing the amounts of data encrypted with the current key by all member devices in the group;
an issuing unit, for distributing a new key to each member device in the group when the sum of encrypted data is greater than or equal to the preset first data-volume threshold.
As can be seen from the above description, by accounting for the amount of data encrypted by the group member devices, the application bounds the amount of data encrypted with any one key, thereby reducing the risk of key compromise under high traffic volumes and improving system security.
Detailed description of the invention
Fig. 1 is a schematic diagram of a GD VPN network;
Fig. 2 is a flowchart of a key updating method shown in an exemplary embodiment of the application;
Fig. 3 is a schematic diagram of the underlying hardware structure of the equipment on which a key updating device resides, shown in an exemplary embodiment of the application;
Fig. 4 is a structural diagram of a key updating device shown in an exemplary embodiment of the application.
Specific embodiment
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the application; rather, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in this application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It will be appreciated that although the terms first, second, third, etc. may be used in this application to describe various information, the information should not be limited by these terms. These terms are used only to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on context, the word "if" as used herein may be construed as "when", "upon" or "in response to determining".
GD VPN is a solution for centralized management of keys and security policies; it is a point-to-multipoint, tunnel-less connection. GD VPN provides a group-based IPsec (Internet Protocol Security) security model in which all members of the same group share the same security policy and keys.
Fig. 1 shows a GD VPN network. The network consists mainly of a key server KS and member devices GM (GM1 to GM3). The KS is responsible for creating and maintaining keys and for distributing keys and security policies to the GMs; a GM is a routing and forwarding device that uses the keys and security policies.
To improve the security of GM service traffic, the key used by the GMs must be updated periodically. The current key updating mode is mainly that the KS distributes a new key to the GMs at fixed intervals. Under heavy service traffic, this mode may leave the same key in use for encrypting a large amount of data, which increases the risk of key compromise.
To address this problem, the embodiments of the application propose a key updating method in which the key server accounts for the amount of data encrypted by the group member devices and rekeys the member devices on the basis of that amount.
Referring to Fig. 2, which is a flowchart of one embodiment of the key updating method of the application, the key updating process is described below.
Step 201: obtain, for each member device in the group, the amount of data encrypted with the current key.
In this embodiment the key server can obtain a member device's encrypted data volume in at least the following two ways:
Mode one: the member device announces actively
Specifically, the key server receives a traffic announcement packet that the member device sends each time the amount of data it has encrypted with the current key reaches a second data-volume threshold (for example, N bytes). The second data-volume threshold can be determined as follows: first, the second data-volume threshold is pre-configured on the key server; then, when a member device registers with the key server, the key server pushes the second data-volume threshold to the member device.
In one embodiment, the key server can add a new payload type (Traffic Announcement Payload, abbreviated TA payload), place the second data-volume threshold in the corresponding field of the TA payload, and send a GROUPKEY-PUSH exchange message carrying the TA payload to the member device, thereby pushing the second data-volume threshold to the member device. The GROUPKEY-PUSH exchange message is a GDOI (Group Domain of Interpretation) protocol message.
The member device can use the second data-volume threshold pushed by the key server as the basis for sending traffic announcement packets, or it can configure its own second data-volume threshold according to the network environment to replace the value pushed by the key server.
For example, assume the second data-volume threshold configured on key server KS is 1000 bytes. Member devices GM1 to GM3 each register with KS and, during registration, receive the second data-volume threshold (1000 bytes) pushed by KS. A member device can take the pushed value as its default and send traffic announcement packets according to it, that is, send one traffic announcement packet to the key server for every 1000 bytes encrypted. Because this second data-volume threshold was configured by the key server, the member device need not carry it in the traffic announcement packets it sends. If, according to network operating conditions, the network administrator changes GM1's second data-volume threshold to 2000 bytes, this can be configured on GM1 alone; thereafter GM1 sends one traffic announcement packet to the key server for every 2000 bytes encrypted and carries its currently used second data-volume threshold in the packet, so that KS computes GM1's encrypted data volume from the second data-volume threshold carried in the traffic announcement packet.
In one embodiment, the member device can also place its currently used second data-volume threshold in the corresponding field of the TA payload and send a GROUPKEY-PULL exchange message carrying the TA payload to the key server as the traffic announcement packet, where the GROUPKEY-PULL exchange message is a GDOI protocol message.
The key server counts the traffic announcement packets received under the current key and computes the amount of data the member device has encrypted with the current key from the second data-volume threshold and the number of traffic announcement packets. For example, if the second data-volume threshold is 1000 bytes and 5 traffic announcement packets have been received, the member device's encrypted data volume under the current key is 1000 × 5 = 5000 bytes.
Mode two: the key server queries actively
Specifically, the key server periodically sends a traffic query packet to the group member devices. In one embodiment, the key server can add a new payload type (Enquire Traffic Payload, abbreviated ET payload) and send a GROUPKEY-PUSH exchange message carrying the ET payload to the member device as the traffic query packet.
The member device itself counts the amount of data it has encrypted with the current key and, upon receiving the traffic query packet, replies to the key server with a traffic response packet carrying that amount. In one embodiment, the member device can place the amount of data encrypted with the current key in the corresponding field of the ET payload and send a GROUPKEY-PULL exchange message carrying the ET payload to the key server as the traffic response packet. On receiving the traffic response packet, the key server reads the member device's encrypted data volume under the current key directly from it.
Step 202: sum the amounts of data encrypted under the current key by all member devices in the group.
Step 203: when the sum of encrypted data is greater than or equal to the preset first data-volume threshold, distribute a new key to each member device in the group.
The key server decides whether the key needs updating from the total amount of data encrypted by the group member devices. The preset first data-volume threshold bounds the amount of data encrypted with the same key, thereby reducing the risk of key compromise.
As can be seen from the above, under heavy service traffic the application effectively reduces the amount of data encrypted with a single key, and particularly when the key update period is long it effectively improves system security.
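The procedure of steps 201 to 203, with both accounting modes, as a small simulation. This is an added example written for this page; it is not code from the patent or from the applicant. The patent only says that the threshold and the byte count travel in a new TA or ET payload, so the payload layout used here (a one-byte type, a two-byte length and an eight-byte value), the type codes 0xF1 and 0xF2, the key identifier carried with each announcement, and all class and function names are assumptions. The example also runs both modes against one key server, which the patent presents as alternatives, in order to contrast what each mode lets the key server see.

```python
import os
import struct

# Assumed GDOI payload type codes for the patent's new Traffic Announcement (TA)
# and Enquire Traffic (ET) payloads; the codes and the TLV layout used here
# (type:1 | length:2 | value:8, big-endian) are not given by the patent.
TA_PAYLOAD, ET_PAYLOAD, PAYLOAD_LEN = 0xF1, 0xF2, 11

def encode_payload(ptype, value):
    return struct.pack("!BHQ", ptype, PAYLOAD_LEN, value)

def decode_payload(data):
    ptype, length, value = struct.unpack("!BHQ", data[:PAYLOAD_LEN])
    if length != PAYLOAD_LEN:
        raise ValueError("malformed traffic payload")
    return ptype, value

class GroupMember:  # GM: encrypts traffic, announces every N bytes, answers ET queries
    def __init__(self, name, ks, local_threshold=None):
        self.name, self.ks, self.local_threshold = name, ks, local_threshold
        self.encrypted = self.since_announce = 0
        # Registration: the KS hands over the current key and its default second
        # threshold; a threshold configured locally by the administrator wins.
        self.kid, self.key, pushed = ks.register(self)
        self.threshold = local_threshold or pushed

    def install_key(self, kid, key):
        self.kid, self.key = kid, key
        self.encrypted = self.since_announce = 0  # both counters are per key

    def send(self, nbytes):  # encrypt nbytes under the current key (mode one)
        self.encrypted += nbytes
        self.since_announce += nbytes
        while self.since_announce >= self.threshold:
            self.since_announce -= self.threshold
            # Only a GM using its own threshold carries it; 0 means "KS default".
            carried = self.local_threshold or 0
            self.ks.traffic_announcement(
                self.name, self.kid, encode_payload(TA_PAYLOAD, carried))

    def traffic_query(self, payload):  # mode two: reply with the exact count
        if decode_payload(payload)[0] != ET_PAYLOAD:
            raise ValueError("not an ET query")
        return encode_payload(ET_PAYLOAD, self.encrypted)

class KeyServer:  # KS: sums per-GM byte counts and rekeys at the first threshold
    def __init__(self, first_threshold, second_threshold):
        self.first_threshold = first_threshold    # group-wide rekey trigger
        self.second_threshold = second_threshold  # default announce interval
        self.kid, self.key, self.rekeys = 1, os.urandom(16), 0
        self.members, self.announces, self.bytes = {}, {}, {}

    def register(self, gm):
        self.members[gm.name] = gm
        self.announces[gm.name] = self.bytes[gm.name] = 0
        return self.kid, self.key, self.second_threshold

    def traffic_announcement(self, name, kid, payload):
        if kid != self.kid:
            return  # announcement for a superseded key: not counted
        ptype, carried = decode_payload(payload)
        if ptype != TA_PAYLOAD:
            raise ValueError("not a TA payload")
        self.announces[name] += 1
        self.bytes[name] = self.announces[name] * (carried or self.second_threshold)
        self.check_rekey()

    def poll(self):  # mode two: query every GM, take its exact count, check once
        query = encode_payload(ET_PAYLOAD, 0)
        for name, gm in self.members.items():
            self.bytes[name] = decode_payload(gm.traffic_query(query))[1]
        self.check_rekey()

    def check_rekey(self):  # steps 202 and 203
        if sum(self.bytes.values()) < self.first_threshold:
            return
        self.kid, self.key, self.rekeys = self.kid + 1, os.urandom(16), self.rekeys + 1
        for name in self.members:
            self.announces[name] = self.bytes[name] = 0
        for gm in self.members.values():
            gm.install_key(self.kid, self.key)  # GROUPKEY-PUSH of the new key

def run_scenario():  # constructed traffic pattern; returns what the KS observed
    ks = KeyServer(first_threshold=5000, second_threshold=1000)
    gms = [GroupMember("GM1", ks, local_threshold=2000),  # as the patent's GM1
           GroupMember("GM2", ks), GroupMember("GM3", ks)]
    # Mode one: the KS infers 2000 + 1000 + 2000 = 5000 and rekeys, although
    # 2000 + 2500 + 1999 = 6499 bytes really went under key 1.
    for gm, n in zip(gms, (2000, 2500, 1999)):
        gm.send(n)
    rekeys_after_mode_one = ks.rekeys
    # Under key 2, bytes short of an announce interval are invisible to mode
    # one (the KS sees 4000); the ET poll sees the exact 5100 and rekeys.
    for gm, n in zip(gms, (500, 4300, 300)):
        gm.send(n)
    total_before_poll = sum(ks.bytes.values())
    ks.poll()
    return (rekeys_after_mode_one, total_before_poll, ks.rekeys,
            all(gm.kid == ks.kid for gm in gms))
```

Calling run_scenario() returns (1, 4000, 2, True). Two properties of the scheme are visible in that result. Mode one counts only whole announcement intervals, so the key server's figure lags the true total by up to (second threshold minus 1) bytes per member; the first threshold therefore needs that much margin if the goal is a hard bound on bytes per key, whereas the ET poll is exact at the instant it is answered. Announcements that carry a superseded key identifier are dropped rather than credited to the new key, so a late announcement from before a rekey cannot push the fresh key's total upward.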
Corresponding to the embodiments of the key updating method above, the application also provides embodiments of a key updating device.
Embodiments of the key updating device of the application can be applied on a key server or a member device. A device embodiment can be implemented in software, in hardware, or in a combination of hardware and software. Taking software implementation as an example, a device in the logical sense is formed by the processor of the equipment on which it resides reading the corresponding computer program instructions from memory and running them. At the hardware level, Fig. 3 is a hardware structure diagram of the equipment on which the key updating device of the application resides; besides the processor, network interface and memory shown in Fig. 3, the equipment on which the device resides in an embodiment may generally include other hardware according to its actual function, which is not described further here.
Referring to Fig. 4, which is a structural diagram of the key updating device in one embodiment of the application, the key updating device comprises an acquiring unit 401, a statistics unit 402 and an issuing unit 403, wherein:
the acquiring unit 401 is for obtaining the amount of data encrypted with the current key by each member device in the group;
the statistics unit 402 is for summing the amounts of data encrypted with the current key by all member devices in the group;
the issuing unit 403 is for distributing a new key to each member device in the group when the sum of encrypted data is greater than or equal to the preset first data-volume threshold.
Further,
the acquiring unit 401 is specifically for receiving the traffic announcement packet that the member device sends each time the amount of data it has encrypted with the current key reaches the second data-volume threshold, the traffic announcement packet carrying the second data-volume threshold; counting the traffic announcement packets received under the current key; and computing the amount of data the member device has encrypted with the current key from the second data-volume threshold and the number of traffic announcement packets counted.
Further, the device also comprises:
a configuration unit, for configuring the second data-volume threshold and pushing it to the member device before the acquiring unit 401 obtains the amount of data encrypted with the current key by each member device in the group;
the acquiring unit 401 is specifically for receiving the traffic announcement packet that the member device sends each time the amount of data it has encrypted with the current key reaches the second data-volume threshold; counting the traffic announcement packets received under the current key; and computing the amount of data the member device has encrypted with the current key from the second data-volume threshold and the number of traffic announcement packets counted.
Further,
the acquiring unit 401 is specifically for sending a traffic query packet to the member device and receiving the traffic response packet the member device returns in reply to the traffic query packet, the traffic response packet carrying the amount of data the member device has encrypted with the current key.
The implementation of the functions and effects of each unit in the device is detailed in the implementation of the corresponding step of the method above and is not repeated here.
Since the device embodiments substantially correspond to the method embodiments, the relevant parts may be referred to the description of the method embodiments. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual need to achieve the purpose of the solution of the application. A person of ordinary skill in the art can understand and implement this without inventive effort.
The above are merely preferred embodiments of the application and are not intended to limit it. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the application shall be included within the scope of protection of the application.
Claims (6)
1. A key updating method applied to a key server, characterized in that the method comprises:
performing, for each member device in the group, the following operations: receiving the traffic announcement packet that the member device sends each time the amount of data it has encrypted with the current key reaches a second data-volume threshold; counting the traffic announcement packets received under the current key; computing the amount of data the member device has encrypted with the current key from the second data-volume threshold and the number of traffic announcement packets counted;
or,
performing, for each member device in the group, the following operations: sending a traffic query packet to the member device; receiving the traffic response packet the member device returns in reply to the traffic query packet, the traffic response packet carrying the amount of data the member device has encrypted with the current key;
summing the amounts of data encrypted with the current key by all member devices in the group;
when the sum of encrypted data is greater than or equal to a preset first data-volume threshold, distributing a new key to each member device in the group.
2. The method according to claim 1, characterized in that:
the second data-volume threshold is carried in the traffic announcement packet.
3. The method according to claim 1, characterized in that, before receiving the traffic announcement packet that the member device sends each time the amount of data it has encrypted with the current key reaches the second data-volume threshold, the method further comprises:
configuring the second data-volume threshold;
pushing the second data-volume threshold to the member device.
4. A key updating device applied to a key server, characterized in that the device comprises:
an acquiring unit, for receiving the traffic announcement packet that a member device sends each time the amount of data it has encrypted with the current key reaches a second data-volume threshold; counting the traffic announcement packets received under the current key; computing the amount of data the member device has encrypted with the current key from the second data-volume threshold and the number of traffic announcement packets counted; or, sending a traffic query packet to the member device and receiving the traffic response packet the member device returns in reply to the traffic query packet, the traffic response packet carrying the amount of data the member device has encrypted with the current key;
a statistics unit, for summing the amounts of data encrypted with the current key by all member devices in the group;
an issuing unit, for distributing a new key to each member device in the group when the sum of encrypted data is greater than or equal to the preset first data-volume threshold.
5. The device according to claim 4, characterized in that:
the second data-volume threshold is carried in the traffic announcement packet.
6. The device according to claim 4, characterized in that the device further comprises:
a configuration unit, for configuring the second data-volume threshold and pushing it to the member device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510980172.4A CN105591738B (en) | 2015-12-22 | 2015-12-22 | A kind of key updating method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105591738A CN105591738A (en) | 2016-05-18 |
CN105591738B true CN105591738B (en) | 2018-12-25 |
Family
ID=55931014
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510980172.4A Active CN105591738B (en) | 2015-12-22 | 2015-12-22 | A kind of key updating method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105591738B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108494722A (en) * | 2018-01-23 | 2018-09-04 | 国网浙江省电力有限公司电力科学研究院 | Intelligent substation communication message completeness protection method |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102281535A (en) * | 2010-06-10 | 2011-12-14 | 华为技术有限公司 | Key updating method and apparatus thereof |
CN102694647A (en) * | 2011-03-25 | 2012-09-26 | 株式会社东芝 | Node and group key updating method |
CN103209072A (en) * | 2013-04-27 | 2013-07-17 | 杭州华三通信技术有限公司 | MACsec (Multi-Access Computer security) key updating method and equipment |
CN103326853A (en) * | 2012-03-22 | 2013-09-25 | 中兴通讯股份有限公司 | Method and device for upgrading secret key |
CN104394123A (en) * | 2014-11-06 | 2015-03-04 | 成都卫士通信息产业股份有限公司 | A data encryption transmission system and method based on an HTTP |
CN104935593A (en) * | 2015-06-16 | 2015-09-23 | 杭州华三通信技术有限公司 | Data message transmitting method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Applicant after: Xinhua three Technology Co., Ltd. Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Applicant before: Huasan Communication Technology Co., Ltd. |
| GR01 | Patent grant | |