CN106330868A - Encrypted storage key management system and method of high-speed network - Google Patents


Info

Publication number
CN106330868A
Authority
CN
China
Prior art keywords
key
equipment
encryption
network storage
working
Legal status
Granted
Application number
CN201610666670.6A
Other languages
Chinese (zh)
Other versions
CN106330868B (en)
Inventor
朱云
李元骅
张晓囡
Current Assignee
Beijing Shield Mdt Infotech Ltd
Original Assignee
Beijing Shield Mdt Infotech Ltd
Events
Application filed by Beijing Shield Mdt Infotech Ltd
Priority to CN201610666670.6A
Publication of CN106330868A
Application granted
Publication of CN106330868B
Legal status: Active


Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 ... for supporting key management in a packet data network
    • H04L63/062 ... for key distribution, e.g. centrally by trusted party
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 ... using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Abstract

The invention is based on a network storage encryption device and provides an encrypted storage key management system for a high-speed network. The key management system completes key management for the equipment to be encrypted using four keys and a step-by-step protection method; the management content comprises generation, distribution, storage, backup, replacement, recovery and destruction. The four keys are a device root key, a device identity key, a key-encrypting key and a working key. A centralized key maintenance strategy is adopted, so key management is secure and controllable. A remote online key distribution mechanism is adopted, so key configuration is flexible and convenient, and secure, reliable and fast deployment and adjustment of the encryption system can be achieved.

Description

Encrypted storage key management system and method for a high-speed network
Technical field
The invention belongs to the field of information security technology and specifically relates to an encrypted storage key management system and method for a high-speed network.
Background
In the storage field, FC SAN (Fibre Channel storage area network) has always held the major part of the market because of its inherent high performance and stability. With the outbreak of all kinds of information security events, users, especially organizations such as banks, urgently need a way to ensure the safety of their own data. Given the application environment of FC SAN and storage network systems, the characteristics of the FC protocol and the high-availability requirements of users, solving the confidentiality problem and the key management problem of stored network data in a reliable, stable, secure, controllable, fast and efficient way is the background and motivation for developing a high-speed network storage encryption device. The high-speed network storage encryption device is a data encryption/decryption device based on the FC protocol; it sits between the application server in the FC SAN (hereinafter the server end) and the disk array (hereinafter the storage end) and encrypts and decrypts the data transmitted between them. The network storage encryption device is inserted into the network in transparent pass-through mode. Besides its main function of real-time encryption and decryption of sector data carried in the FCP protocol, it also supports high availability, log audit, disk management, key management, access control and other functions. Its design is advanced, its integration reasonable, and it is reliable, stable, secure, controllable, fast, efficient and of high security strength; it is a cipher device with independent intellectual property rights that meets the national commercial cipher technical specifications and management requirements and can be used for FC network storage encryption and decryption.
Summary of the invention
In order to solve the above problems, the present invention provides an encrypted storage key management system for a high-speed network. The key management system uses four kinds of keys and a step-by-step protection method to complete key management for the equipment to be encrypted; the management content includes generation, distribution, storage, backup, replacement, recovery and destruction;
Further, the key management system includes a device root key, a device identity key, a key-encrypting key and a working key;
Device root key: used to provide storage encryption protection for key parameters, keys and the like;
Device identity key: used for authentication of the local machine and to provide cryptographic protection for the authentication process between cluster devices;
Key-encrypting key: used to provide encryption protection for the working key during the key distribution process;
Working key: used to provide encryption protection for the transmission of service data;
Further, after the device root key is generated, the device divides it into three parts, S1, S2 and S3. S1 is fixed in the security chip inside the network storage encryption device at production time; S2 is saved on component key1; S3 is saved on component key2;
Further, the device identity key is an asymmetric cipher algorithm key, namely a public/private key pair, in which the private key is 256 bits long and the public key is 512 bits long. The public key is exported through a USB Key or the configuration management interface; the private key is kept in the security chip inside the network storage encryption device;
Further, the key-encrypting key is a 128-bit symmetric block cipher key used for encryption and decryption protection when the working key is shared within a cluster. Each time key sharing is performed with a network storage encryption device in the cluster, the key-encrypting key is generated in real time by the initiator's random number generation unit, checked and then used; it is destroyed as soon as the key has been distributed and is not retained;
Further, the working key is a 128-bit symmetric block cipher key used to encrypt and decrypt disk data during transmission over Fibre Channel. When the working key is replaced, the existing encrypted data on the disk must first be decrypted with the old working key, re-encrypted with the new working key and stored, and only then does the new working key replace the old one. The working key is obtained from the security chip: the security chip obtains two random numbers from two WNG9 random number generators and uses the XOR of the two random numbers as the working key of the LUN, which is then encrypted with the device root key and stored in the database;
Further, an encrypted storage key management method for a high-speed network, the method including:
1) Key generation: the device root key, the device identity key and the working key are generated by the dual noise sources of the security chip inside the network storage encryption device;
2) Key distribution: the device root key is not distributed. The device identity key is generated by each network storage encryption device; the private key is never exported, while the public key is exported from the device to generate the device's certificate request file, which is then signed by the key management center and issued uniformly to each device node using an injection Key as the carrier. Distribution of the working key is initiated by the key management center or by the key-generating end device and, on the premise of identity authentication, is carried out in the form of a digital envelope under the protection of a public key signature and the key-encrypting key;
3) Key storage: the device root key is split into 3 different parts; 1 part is kept in the security chip of the network storage encryption device, and the other 2 parts are encrypted and kept separately on 2 USB Keys. In use, the device root key exists in the internal SRAM of the security chip and is lost on power-down. Once generated, the device identity key is encrypted under SM4 with the device root key as the key and stored in the internal FLASH of the security chip of the network storage encryption device; in use, the security chip decrypts the device identity key into its internal SRAM, where it is lost on power-down. The key-encrypting key is used temporarily, destroyed immediately and not retained. The working key, once generated, is saved in two ways;
4) Key use, which includes use of the device root key and use of the working key;
Steps for using the device root key:
411) User identity authentication: during authentication the user must insert two USB Keys within a five-minute interval;
412) After at least two USB Keys pass authentication, the root key components on the component Keys are read into the SRAM of the security chip of the network storage encryption device;
413) They are added, by modulo-2 addition, to the root key component held inside the network storage encryption device, which yields the plaintext of the device root key;
414) The recovered device root key is kept at a fixed location in the SRAM of the security chip until it is lost on power-down;
415) After the device root key has been injected, the component Keys are withdrawn or remain in place;
Steps for using the working key:
421) Authority is obtained after operator identity authentication;
422) The decryption method is determined according to the user's selection;
423) The working key ciphertext stored in FLASH is read into SRAM;
424) The plaintext of the working key is obtained by decrypting either under SM4 with the device root key as the key, or with the private key;
425) It is kept at a fixed location in SRAM until it is lost on power-down;
426) Reuse requires decrypting again;
5) Key backup:
51) The shares of the device root key are kept on 2 USB Keys;
52) Device identity key backup: after manager identity authority is obtained, the device identity key stored in the network storage encryption device is encrypted under SM4 with the device root key in the security chip SRAM as the key and stored in a backup medium; the public key and the private key are kept separately on two backup media;
53) The key-encrypting key is not backed up;
54) Working key backup: after manager identity authority is obtained, the working key is encrypted under SM4 with the device root key in the security chip SRAM as the key and stored on a USB Key;
6) Key replacement, including device root key replacement, device identity key replacement and working key replacement;
7) Key recovery, including device root key recovery, device identity key recovery and working key recovery;
Further, the two ways of storing the working key after generation are:
31) It is encrypted under SM4 with the private key as the key and stored in the internal FLASH of the network storage encryption device; when needed it is decrypted into the CACHE of the network storage encryption device;
32) It is encrypted with the device root key of the encryption card and stored in the internal FLASH of the network storage encryption device; when needed it is decrypted with the device root key into the CACHE of the network storage encryption device;
Further, the key replacement specifically includes:
Device root key replacement:
611) The device root key is replaced when the network storage encryption device is initialized for the first time;
612) With the public/private key pair and all sensitive information present in the SRAM of the network storage encryption device, the device root key is regenerated and the 2 USB Keys are regenerated;
Device identity key replacement: after obtaining administrator rights, the user generates a new public/private key pair through the interface or the command line, which overwrites the old pair; the new public key is then exported to generate a new certificate request file, which is signed by the key management center and issued to each network storage encryption device using a USB Key as the carrier, after which the new key pair is also backed up again;
Working key replacement: the encrypted data on the disk is backed up as plaintext data, then re-encrypted with the new working key into ciphertext data and written to disk storage;
Further, the key recovery specifically includes:
71) Device root key recovery: the manager inserts the 2 USB Keys in turn; the security chip reads the root key components on the USB Keys into the memory of the network storage encryption device and merges them with the component held in the chip to obtain the plaintext of the device root key;
72) Device identity key recovery: the manager reads the ciphertext stored in the backup medium into the network storage encryption device; the security chip decrypts it under SM4 with the device root key as the decryption key and places the result in the corresponding SRAM region of the network storage encryption device;
73) Working key recovery: the manager reads the ciphertext stored in the backup medium into the network storage encryption device; the security chip decrypts it under SM4 with the device root key as the decryption key and re-loads the working key;
The beneficial effects of the present invention are as follows:
1) A key management allocation scheme divided by LUN is used. Different LUNs use different data encryption/decryption keys, so that disk data encryption is separated by LUN. Each network storage encryption device holds only the keys associated with the encryption and decryption of its own LUNs, so a security threat to one network storage encryption device affects only the security of the service information associated with that device, and the security of the service information of other users across the whole network is unaffected;
2) A centralized key maintenance strategy is used, so key management is secure and controllable. A remote online key distribution mechanism is used, so key configuration is flexible and convenient, and secure, reliable and fast deployment and adjustment of the encryption system can be achieved;
3) The keys and key parameters in a network storage encryption device can be destroyed remotely, so that in an emergency the network storage encryption device can be effectively isolated, ensuring the security of the whole storage system;
4) The SM4 standard cipher algorithm approved by the State Cryptography Administration is selected as the core carrier of information encryption/decryption and storage protection, and system development is carried out according to the national commercial cipher equipment development specifications;
5) In developing the secure system, security techniques such as separation of machine and card, start-up authentication, encrypted protection of stored keys and parameters, a dedicated cipher algorithm chip, a Linux kernel with dedicated drivers and a dedicated cipher service management module, and a dedicated key distribution management protocol are used, so that the secure system has strong self-protection capability, and the loss of control of a single device cannot cause fatal damage to the security of the system.
Description of the drawings
Fig. 1 is the hardware structure diagram of the network storage encryption device of the present invention;
Fig. 2 is the hierarchical relationship of the key structure of the present invention;
Fig. 3 is the key security system structure of the present invention.
Detailed description
In order to make the purpose, technical scheme and advantages of the present invention clearer, the present invention is explained in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are used only to explain the present invention and not to limit it. On the contrary, the present invention covers any substitution, modification, equivalent method and scheme made within the spirit and scope of the present invention as defined by the claims. Further, in order to give the public a better understanding of the present invention, some specific details are described in detail below; a person skilled in the art can also fully understand the present invention without the description of these details.
The present invention is further described below with reference to the drawings and specific embodiments, which do not limit the invention. The following is the most preferred embodiment of the present invention:
As shown in Figures 1-2, the present invention is based on a network storage encryption device and provides an encrypted storage key management system for a high-speed network, characterized in that the key management system uses four kinds of keys and a step-by-step protection method to complete key management for the equipment to be encrypted; the specific management content includes generation, distribution, storage, backup, replacement, recovery and destruction, and the key management system includes a device root key, a device identity key, a key-encrypting key and a working key;
Device root key: used to provide storage encryption protection for key parameters, keys and the like;
Device identity key: used for authentication of the local machine and to provide cryptographic protection for the authentication process between cluster devices;
Key-encrypting key: used to provide encryption protection for the working key during the key distribution process;
Working key: used to provide encryption protection for the transmission of service data. After the device root key is generated, the device divides it into three parts, S1, S2 and S3; S1 is fixed in the security chip inside the network storage encryption device at production time, S2 is saved on component key1, and S3 is saved on component key2. The device identity key is an asymmetric cipher algorithm key, namely a public/private key pair, in which the private key is 256 bits long and the public key is 512 bits long; the public key is exported through a USB Key or the configuration management interface, and the private key is kept in the security chip inside the network storage encryption device. The key-encrypting key is a 128-bit symmetric block cipher key used for encryption and decryption protection when the working key is shared within a cluster; each time key sharing is performed with a network storage encryption device in the cluster, it is generated in real time by the initiator's random number generation unit, checked and then used, and it is destroyed as soon as the key has been distributed and is not retained. The working key is a 128-bit symmetric block cipher key used to encrypt and decrypt disk data during transmission over Fibre Channel; when the working key is replaced, the existing encrypted data on the disk must first be decrypted with the old working key, re-encrypted with the new working key and stored, and only then does the new working key replace the old one. The working key is obtained from the security chip: the security chip obtains two random numbers from two WNG9 random number generators and uses the XOR of the two random numbers as the working key of the LUN, which is then encrypted with the device root key and stored in the database.
An encrypted storage key management method for a high-speed network, the method including:
1) Key generation: the device root key, the device identity key and the working key are generated by the dual noise sources of the security chip inside the network storage encryption device;
2) Key distribution: the device root key is not distributed. The device identity key is generated by each network storage encryption device; the private key is never exported, while the public key is exported from the device to generate the device's certificate request file, which is then signed by the key management center and issued uniformly to each device node using an injection Key as the carrier. Distribution of the working key is initiated by the key management center or by the key-generating end device and, on the premise of identity authentication, is carried out in the form of a digital envelope under the protection of a public key signature and the key-encrypting key;
3) Key storage: the device root key is split into 3 different parts; 1 part is kept in the security chip of the network storage encryption device, and the other 2 parts are encrypted and kept separately on 2 USB Keys. In use, the device root key exists in the internal SRAM of the security chip and is lost on power-down. Once generated, the device identity key is encrypted under SM4 with the device root key as the key and stored in the internal FLASH of the security chip of the network storage encryption device; in use, the security chip decrypts the device identity key into its internal SRAM, where it is lost on power-down. The key-encrypting key is used temporarily, destroyed immediately and not retained. The working key, once generated, is saved in two ways;
4) Key use, which includes use of the device root key and use of the working key;
Steps for using the device root key:
411) User identity authentication: during authentication the user must insert two USB Keys within a five-minute interval;
412) After at least two USB Keys pass authentication, the root key components on the component Keys are read into the SRAM of the security chip of the network storage encryption device;
413) They are added, by modulo-2 addition, to the root key component held inside the network storage encryption device, which yields the plaintext of the device root key;
414) The recovered device root key is kept at a fixed location in the SRAM of the security chip until it is lost on power-down;
415) After the device root key has been injected, the component Keys are withdrawn or remain in place;
Steps for using the working key:
421) Authority is obtained after operator identity authentication;
422) The decryption method is determined according to the user's selection;
423) The working key ciphertext stored in FLASH is read into SRAM;
424) The plaintext of the working key is obtained by decrypting either under SM4 with the device root key as the key, or with the private key;
425) It is kept at a fixed location in SRAM until it is lost on power-down;
426) Reuse requires decrypting again;
5) Key backup:
51) The shares of the device root key are kept on 2 USB Keys;
52) Device identity key backup: after manager identity authority is obtained, the device identity key stored in the network storage encryption device is encrypted under SM4 with the device root key in the security chip SRAM as the key and stored in a backup medium; the public key and the private key are kept separately on two backup media;
53) The key-encrypting key is not backed up;
54) Working key backup: after manager identity authority is obtained, the working key is encrypted under SM4 with the device root key in the security chip SRAM as the key and stored on a USB Key;
6) Key replacement, including device root key replacement, device identity key replacement and working key replacement;
7) Key recovery, including device root key recovery, device identity key recovery and working key recovery.
The two ways of storing the working key after generation are:
31) It is encrypted under SM4 with the private key as the key and stored in the internal FLASH of the network storage encryption device; when needed it is decrypted into the CACHE of the network storage encryption device;
32) It is encrypted with the device root key of the encryption card and stored in the internal FLASH of the network storage encryption device; when needed it is decrypted with the device root key into the CACHE of the network storage encryption device.
The key replacement specifically includes the following. Device root key replacement:
613) The device root key is replaced when the network storage encryption device is initialized for the first time;
614) With the public/private key pair and all sensitive information present in the SRAM of the network storage encryption device, the device root key is regenerated and the 2 USB Keys are regenerated;
Device identity key replacement: after obtaining administrator rights, the user generates a new public/private key pair through the interface or the command line, which overwrites the old pair; the new public key is then exported to generate a new certificate request file, which is signed by the key management center and issued to each network storage encryption device using a USB Key as the carrier, after which the new key pair is also backed up again;
Working key replacement: the encrypted data on the disk is backed up as plaintext data, then re-encrypted with the new working key into ciphertext data and written to disk storage. The key recovery specifically includes:
71) Device root key recovery: the manager inserts the 2 USB Keys in turn; the security chip reads the root key components on the USB Keys into the memory of the network storage encryption device and merges them with the component held in the chip to obtain the plaintext of the device root key;
72) Device identity key recovery: the manager reads the ciphertext stored in the backup medium into the network storage encryption device; the security chip decrypts it under SM4 with the device root key as the decryption key and places the result in the corresponding SRAM region of the network storage encryption device;
73) Working key recovery: the manager reads the ciphertext stored in the backup medium into the network storage encryption device; the security chip decrypts it under SM4 with the device root key as the decryption key and re-loads the working key.
The network storage encryption device of the present invention adopts a standard cipher algorithm configuration (the SM2, SM3 and SM4 algorithms approved by the State Cryptography Administration) and a key security system with a three-level key structure. The network storage encryption device is a 2U-high rack-mounted unit whose main body is a data-processing FPGA and a configuration management CPU, together with a power module, a fan module and a monitoring module; its hardware composition is shown in Fig. 1. The key management system of the present invention defines a service data encryption algorithm, a digital signature algorithm, a storage protection encryption algorithm and a key distribution encryption algorithm. The service data encryption algorithm is implemented with SM4, with a block length of 128 bits and a key length of 128 bits; the digital signature algorithm is implemented jointly with SM2 and SM3, with public and private key lengths of 512 and 256 bits respectively; the storage protection encryption algorithm is implemented with SM4, with a 128-bit block cipher key; the key distribution encryption algorithm is implemented with SM2, SM3 and SM4, with public/private key lengths of 512 and 256 bits respectively, a block length of 128 bits and a key length of 128 bits. The whole key security system uses 4 kinds of keys:
Device root key (DRK): the management key of the device, used for encrypted storage protection of the other keys; one per device.
Device identity private key (DSK): used for authentication of the local machine and for cryptographic protection of the remote key distribution process; one per device.
Device identity public key (DPK): used for authentication of the local machine and for cryptographic protection of the remote key distribution process; one per device.
Key-encrypting key (KEK): used to protect the encrypted transmission of keys; produced by the random number generator.
LUN block key (LBK): the working key, i.e. the session key, used for cryptographic protection of disk storage data (with the SM4 algorithm); one per LUN.
The key security system structure and hierarchy of the encryption module are shown in Figure 3.
The main functions of the network storage encryption device are: decrypting the data that the application server reads from the RAID, encrypting the data that the application server writes to the disk array, and accepting unified management by the key management center (KMC). The functions of the key management center are described below.
To ensure that the network storage encryption device can run stably and reliably in a secure, attack-resistant environment and complete every cryptographic service task quickly and efficiently, the key configuration and usage strategy of the device must be designed and implemented comprehensively from the standpoint of overall system security, taking into account the demand characteristics of enterprise user network information systems.
In view of the application and operating environment, the network storage encryption device adopts a complete key structure, configuration and management scheme.
The key management module of the present invention includes:
1) Device root key
A 128-bit symmetric cryptographic key using the SM4 algorithm, used to encrypt and protect sensitive data stored in the FLASH of the network storage encryption device, such as the device identity key and the LUN working keys. After the device generates the device root key it is split into three parts S1, S2 and S3: S1 is burned into the security chip inside the network storage encryption device at production time; S2 is saved in component key1; S3 is saved in component key2. If the device root key needs to be updated, the device identity key, all working keys and the other sensitive information must first be decrypted into the SRAM of the network storage encryption device and re-encrypted with the new device root key; only then are the old root key components deleted.
Table 1 Key kinds and purposes
2) Device identity key
An asymmetric cryptographic key. The device identity key of the network storage encryption device is a public/private key pair (private key 256 bits, public key 512 bits) using the SM2 algorithm; it is used for local machine authentication and for encrypting the key-encrypting key when working keys are shared remotely within a cluster.
The device identity key pair is generated by the device. The public key may be exported via USB Key or the configuration management interface, while the private key never leaves the network storage encryption device and is saved only in its security chip. Each network storage encryption device is independent and has a different device identity key.
3) Key-encrypting key
A 128-bit symmetric block cipher key using the SM4 algorithm, used to encrypt and decrypt working keys when they are shared within the cluster.
The key-encrypting key is generated in real time by the initiator's random number generation unit each time a network storage encryption device in the cluster is identity-authenticated, used after passing inspection, and destroyed as soon as distribution completes; it is never preserved.
4) Working key
A 128-bit symmetric block cipher key using the SM4 algorithm, used to encrypt and decrypt disk data in transit over Fibre Channel. Each LUN uses a different working key, and each sector also uses a different working key. Because of the special nature of storage encryption, a working key cannot be changed at will. When the user needs to change a working key, the data previously encrypted on the disk must first be decrypted with the old working key, re-encrypted with the new working key and stored; only then can the new working key replace the old one. The working key table of the network storage encryption device can store the ciphertexts of 1024 working keys.
A working key may be generated by the network storage encryption device itself or injected via a key-injection key. When the user adds disk array LUN information, the encryption device calls the key acquisition interface of the security chip; the security chip obtains two random numbers from two WNG9 random number generators, takes their XOR as the working key of the LUN, encrypts it with the device root key, returns it to the encryption device, and the result is finally stored in the database.
2 Hierarchical relationships
The hierarchy of the key structure used by the network storage encryption device is shown in Figure 2.
The network storage encryption device protects its keys level by level:
1) The device root key is backed up and recovered by secret splitting. Physically the device root key is split into 3 parts: 1 part is saved in the security chip of the network storage encryption device, 1 part in component key1 and 1 part in component key2. During normal operation the device root key exists in plaintext only in the SRAM of the security chip and is lost on power-down; reloading the device root key requires inserting the correct component keys;
2) The device identity key is kept in the FLASH of the security chip inside the network storage encryption device. When it is needed it is read from FLASH into the SRAM of the security chip, where it is lost on power-down;
3) When a working key is shared, the working key is encrypted with the key-encrypting key and the key-encrypting key is encrypted with the device identity public key; the two ciphertexts are then distributed together, as a digital envelope, to the network storage encryption devices in the cluster.
Working keys are kept in the FLASH of the network storage encryption device in ciphertext form. When one is used, the ciphertext is read from FLASH and decrypted with the device root key, and the plaintext is configured into the SRAM of the FPGA, where it is lost on power-down.
Configuration design
The key configuration in the network storage encryption device is summarized in Table 2.
The device identity public/private key and the root key are configured per network storage encryption device and differ from those of every other device; the working key is configured per LUN and differs for every LUN.
Management scheme
The key management scheme on the network storage encryption device side (covering generation, distribution, storage, backup, replacement, recovery and destruction) is shown in Table 4.
Table 3 Key management
Key generation
The device root key, device identity key and working key are the keys that protect data, so their randomness and related properties are critical: they must be random, non-repeating and unpredictable. We mainly generate keys from the noise sources of the dual security chips in the network storage encryption device, and use those sources to generate the various keys only after they pass statistical testing.
The device root key is generated when the network storage encryption device makes its USB keys: 3 random numbers of 16 bytes are taken from each of the two WNG9 noise sources and XORed to form the 3 components of the device root key, which are temporarily stored in the SRAM of the security chip. Then 2 USB Keys are made: 1 component is written into the FLASH of the security chip inside the card and the other 2 components are written to the 2 USB Keys respectively, which are the only non-volatile carriers of the device root key. A root key is generated before the network storage encryption device leaves the factory as the factory root key and is saved in 3 places after splitting. When the user uses the network storage encryption device for the first time, the user obtains administrator rights with the 2 USB Keys, generates a new device root key, erases the 2 factory USB Keys and writes the split components of the new device root key into 2 new USB Keys. The factory root key is invalidated immediately.
The device identity key is generated inside the network storage encryption device, in a security chip certified by the State Cryptography Administration, with the SM2 algorithm. It is stored in the FLASH of the security chip encrypted under the root key. The public key can be exported and is used to generate the certificate request of the device; after the key management center signs the certificate it is distributed to every device node.
The key-encrypting key and the working key are generated either by the network storage encryption device or by the key management center, as determined by the application design. A generated key may be used only after it passes randomness and repeatability tests.
Key distribution
The device root key is generated when the network storage encryption device makes its USB keys and needs no distribution. The device identity key is generated by each network storage encryption device; the private key cannot be exported, and the public key, once exported from the device, is used to generate the device's certificate request file, which is carried on an injection key and, after the key management center signs it, distributed to every device node. Working key distribution is initiated by the key management center or by the key-generating end device and, after identity authentication, is carried out as a digital envelope protected by a public key signature and the key-encrypting key.
Key storage
The device root key is split into 3 different parts: 1 part is kept in the security chip of the network storage encryption device and the other 2 parts are stored encrypted on 2 USB Keys, which are required to be kept independently. In use the device root key exists in the SRAM inside the security chip and is lost on power-down.
The device identity key, once generated, is encrypted inside the network storage encryption device with SM4 under the device root key and stored in the internal FLASH of the device's security chip. In use the security chip decrypts the device identity key into its internal SRAM, where it is lost on power-down.
The key-encrypting key is used temporarily, destroyed immediately and never preserved.
After generation, working keys are preserved in one of two modes chosen by the user:
Encrypted with SM4 under the private key and stored in the internal FLASH of the network storage encryption device, then decrypted into the device's CACHE when needed.
Encrypted under the device root key of the encryption card and stored in the internal FLASH of the network storage encryption device, then decrypted with the device root key into the device's CACHE when needed.
Key use
Steps for using the device root key:
1) User identity authentication must pass first: the user must insert two USB Keys within a five-minute window;
2) After at least two USB Keys pass authentication, the root key components on the component Keys are read into the SRAM of the security chip of the network storage encryption device;
3) The root key component held inside the network storage encryption device is added, and the plaintext device root key is computed by mod-2 addition;
4) The recovered device root key stays at a specific location in the SRAM of the security chip until it is lost on power-down; the next use requires it to be re-injected;
5) After the device root key has been injected, the component keys may be removed and kept safely;
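The three-component scheme used for the device root key above (one component in the security chip, two on USB Keys, recombined by mod-2 addition within a five-minute insertion window) and the two-source XOR used for the working key are small enough to show in full. The following is an added example and not code from the patent; the two random sources are assumptions standing in for the two WNG9 noise generators, and the timestamps on inserted components are a constructed model of the insertion window.

```python
"""Added example (not the patent's own code): XOR secret splitting of the
128-bit device root key into components S1 (security chip), S2 (USB Key 1)
and S3 (USB Key 2), plus the two-source XOR used for the per-LUN working key.
Random sources are assumptions standing in for the two WNG9 generators."""
from typing import Callable, List, Tuple

KEY_LEN = 16  # 128-bit key, the SM4 key size used throughout
INSERT_WINDOW_SECONDS = 300  # the five-minute window for inserting two USB Keys

RandomSource = Callable[[int], bytes]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Mod-2 addition of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("component length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def draw_from_two_sources(src1: RandomSource, src2: RandomSource) -> bytes:
    """XOR of one 16-byte draw from each source.  If either source is
    uniform and independent of the other, the result is uniform, so a
    weakness in one generator alone does not make the key predictable."""
    return xor_bytes(src1(KEY_LEN), src2(KEY_LEN))


def generate_root_key_components(src1: RandomSource, src2: RandomSource) -> Tuple[bytes, bytes, bytes]:
    """Three independent components.  The device root key itself is never
    written to non-volatile storage: it is S1 ^ S2 ^ S3 and exists only
    in SRAM after the components are combined."""
    s1 = draw_from_two_sources(src1, src2)
    s2 = draw_from_two_sources(src1, src2)
    s3 = draw_from_two_sources(src1, src2)
    return s1, s2, s3


def recover_root_key(s1: bytes, s2: bytes, s3: bytes) -> bytes:
    """Step 3 of device root key use: mod-2 addition of all three components.
    Any two components on their own are uniformly random and reveal nothing."""
    return xor_bytes(xor_bytes(s1, s2), s3)


def load_root_key(chip_component: bytes, inserted: List[Tuple[float, bytes]]) -> bytes:
    """Steps 1 to 3: require at least two USB Key components inserted within
    the five-minute window, then combine them with the chip's component.
    `inserted` is a constructed list of (timestamp_seconds, component)."""
    if len(inserted) < 2:
        raise PermissionError("two USB Key components are required")
    ordered = sorted(inserted, key=lambda item: item[0])
    first_time, first_comp = ordered[0]
    second_time, second_comp = ordered[1]
    if second_time - first_time > INSERT_WINDOW_SECONDS:
        raise PermissionError("second USB Key inserted outside the five-minute window")
    return recover_root_key(chip_component, first_comp, second_comp)


def generate_lun_working_key(src1: RandomSource, src2: RandomSource) -> bytes:
    """Per-LUN working key: XOR of one random number from each generator."""
    return draw_from_two_sources(src1, src2)
```

Because every component is drawn independently, the split is a one-time pad of the root key over the other two shares: an attacker holding both USB Keys but not the chip component, or the chip and one USB Key, learns nothing about the root key. The window check is where the "insert two USB Keys within five minutes" rule of step 1 is enforced in this model.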
Steps for using the device identity key:
1) Pass identity authentication with two USB Keys to obtain authority;
2) Read the device identity key stored in the FLASH of the security chip into the SRAM of the security chip;
3) The device identity key, once read, is kept at a specific location in the SRAM of the security chip until it is lost on power-down; the next use requires it to be re-read;
4) After device identity key authentication completes, the component Keys may be removed and kept safely.
Steps for using the working key:
1) Obtain authority after operator identity authentication;
2) Select the decryption mode according to the user's specification;
3) Read the working key ciphertext stored in FLASH into SRAM;
4) Obtain the plaintext working key by SM4 decryption under the device root key, or by decryption with the private key;
5) Keep it at a specific location in SRAM until it is lost on power-down; the next use requires decrypting it again.
Key backup
Backup of the network storage encryption device mainly means backing up the key information in the FLASH used for storing keys and protective data. Backup is essential to maintaining the continuity of the business system, and the network storage encryption device supports backing up its internal information to another medium (USB key). Backup must be performed by the administrator of the network storage encryption device in system maintenance mode, and the backup medium must be kept by a designated person.
The root key is stored split across 2 USB keys; there is no other backup.
Device identity key backup requires administrator authority: the device identity key stored in the network storage encryption device is encrypted with SM4 under the device root key held in the SRAM of the security chip and stored in the backup medium. When backup is required, the public key and the private key are kept separately on two backup media.
The key-encrypting key is not backed up.
The working key is the key that decrypts the data on disk and must be backed up; if the working key currently in use is destroyed or its file is corrupted, the user's disk data cannot be recovered. Backup requires administrator authority: the working key is encrypted with SM4 under the device root key in the SRAM of the security chip and stored on a USB key.
Keys may be backed up on a schedule or irregularly as required.
Key replacement
The device root key is generated when the network storage encryption device is produced; once written, it cannot be read from outside. The user must regenerate the device root key when initializing the network storage encryption device for the first time, replacing the factory device root key; afterwards it need not be changed. If the device root key must be replaced, the public/private key pair and all other sensitive information must first be present in the SRAM of the network storage encryption device; the device root key is then regenerated and 2 new USB Keys are made.
The device identity key is replaced manually by the user after its usage period expires: the user first obtains administrator authority, regenerates a new public/private key pair through the interface or the command line, overwrites the old key pair, exports the new public key to generate a new certificate request file, and after the key management center signs it, distributes it on a USB Key to each network storage encryption device. The new key pair must also be backed up again.
The working key is updated manually by the user: before the update, the data encrypted on the disk under the old key is backed up as plaintext, then re-encrypted with the new working key and written back to the disk as ciphertext.
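The hierarchy described in the "Hierarchical relationships" section (plaintext root key only in SRAM, identity key and working keys in FLASH as ciphertext under the root key, everything volatile lost on power-down) and the working key replacement procedure just described can be exercised together in a small simulation. This is an added example, not the patent's or the vendor's code. SM4 is not in the Python standard library, so `wrap`/`unwrap` are an assumed stand-in built from HMAC-SHA256 (a keystream plus an integrity tag) rather than the SM4 cipher the patent specifies; the `SecurityChipSim` class, its FLASH/SRAM dictionaries and the sector payloads are constructed for illustration.

```python
"""Added example (not the patent's code): simulation of the key hierarchy.
The device root key lives only in volatile SRAM, the identity private key
and the LUN working keys live in FLASH as ciphertext under the root key,
power-down wipes SRAM, and replacing a working key re-encrypts the LUN's
sectors before the new key is installed.  wrap/unwrap are an assumed
HMAC-SHA256 stand-in for SM4, not the patent's cipher."""
import hashlib
import hmac
import os
from typing import Callable, Dict, List

NONCE_LEN = 16
TAG_LEN = 16


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one 128-bit key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes, rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """Stand-in for 'encrypt with SM4 under key': returns nonce || ciphertext || tag."""
    nonce = rng(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap; rejects a blob whose tag does not verify under key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class SecurityChipSim:
    """FLASH holds ciphertext only; SRAM holds plaintext and is cleared on power-down."""

    def __init__(self) -> None:
        self.flash: Dict[str, bytes] = {}  # non-volatile
        self.sram: Dict[str, bytes] = {}   # volatile

    def load_root_key(self, drk: bytes) -> None:
        # In the device this value is the XOR of the chip component with the two USB Key components.
        self.sram["DRK"] = drk

    def power_down(self) -> None:
        self.sram.clear()

    def _drk(self) -> bytes:
        if "DRK" not in self.sram:
            raise PermissionError("device root key not loaded; insert the component keys")
        return self.sram["DRK"]

    def store_identity_private_key(self, dsk: bytes) -> None:
        self.flash["DSK"] = wrap(self._drk(), dsk)

    def use_identity_private_key(self) -> bytes:
        dsk = unwrap(self._drk(), self.flash["DSK"])
        self.sram["DSK"] = dsk
        return dsk

    def store_working_key(self, lun: int, lbk: bytes) -> None:
        self.flash[f"LBK:{lun}"] = wrap(self._drk(), lbk)

    def use_working_key(self, lun: int) -> bytes:
        lbk = unwrap(self._drk(), self.flash[f"LBK:{lun}"])
        self.sram[f"LBK:{lun}"] = lbk
        return lbk

    def replace_working_key(self, lun: int, new_lbk: bytes, sectors: List[bytes]) -> List[bytes]:
        """Decrypt every sector under the old key and re-encrypt under the new one
        before installing the new key; installing first would strand the old ciphertext."""
        old_lbk = self.use_working_key(lun)
        plaintexts = [unwrap(old_lbk, s) for s in sectors]
        new_sectors = [wrap(new_lbk, p) for p in plaintexts]
        self.store_working_key(lun, new_lbk)
        self.sram[f"LBK:{lun}"] = new_lbk
        return new_sectors
```

After `power_down()` every accessor raises until the root key is loaded again, which is the behaviour the use steps describe ("the next use requires it to be re-injected"). The replacement method keeps the ordering the text insists on: the old working key is only overwritten once all sectors have been rewritten under the new one.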
Key recovery
Device root key recovery: the administrator inserts the 2 USB Keys in turn; the security chip reads the root key components on the USB Key cards into the memory of the network storage encryption device and combines them with the component held in the card to recover the plaintext device root key.
Device identity key recovery: the administrator reads the ciphertext stored in the backup medium into the network storage encryption device; the security chip uses the device root key as the decryption key and the SM4 algorithm to decrypt the ciphertext inside the device and keeps it in the corresponding SRAM region for use.
Working key recovery: the administrator reads the ciphertext stored in the backup medium into the network storage encryption device; the security chip uses the device root key as the decryption key and the SM4 algorithm to decrypt it and re-downloads the working key, after which it can be updated.
Besides using the cryptographic algorithms specified by the State Cryptography Administration, configuring multi-level keys and implementing secret splitting, the network storage encryption device is designed with several further security protection mechanisms to ensure the security of communication data and of the system itself.
The encryption and decryption point of the network storage encryption device is embedded in the FC data frames between the initiator and the target of the storage system, so effective confidentiality protection is applied to every FC data frame transmitted on the link.
A key management and allocation scheme divided by LUN is used. Different LUNs use different data encryption keys, ensuring that disk data encryption is separated per LUN; each network storage encryption device holds only the keys associated with the LUNs it encrypts and decrypts, so a security compromise of one network storage encryption device affects only the business information associated with that device, and the security of other users' business information across the network is unaffected.
A centralized key maintenance strategy is used, keeping key management secure and controlled. A remote online key distribution mechanism makes key configuration flexible and convenient and allows the encryption system to be deployed and adjusted safely, reliably and quickly.
The keys and key parameters in a network storage encryption device can be destroyed remotely, so in an emergency the device can be effectively isolated to protect the security of the whole storage system. The SM4 standard cipher algorithm approved by the State Cryptography Administration is selected as the core carrier for information encryption and decryption and for storage protection, and system development follows the national commercial cryptography equipment development specifications. In developing the secrecy system, security techniques such as boot-time authentication with the machine and card kept separate, encrypted protection of key and parameter storage, a dedicated cryptographic algorithm chip, a security-customized Linux kernel, dedicated drivers, a dedicated cryptographic service management module and a dedicated key distribution management protocol are used, so that the secrecy system has strong self-protection and the loss of control of a single device cannot fatally damage the security of the system.
The embodiment described above is merely a preferred embodiment of the present invention; the usual variations and substitutions made by those skilled in the art within the scope of the technical solution of the present invention all fall within the scope of the present invention.

Claims (10)

1. A high-speed network encrypted storage key management system, characterized in that the key management system uses four kinds of keys and a level-by-level protection method to perform key management for the encryption device, the management covering generation, distribution, storage, backup, replacement, recovery and destruction.
2. The key management system according to claim 1, characterized in that the key management system includes a device root key, a device identity key, a key-encrypting key and a working key;
the device root key is used to provide encrypted storage protection for key parameters, keys and the like;
the device identity key is used for local machine authentication and provides cryptographic protection for the identity authentication process between cluster devices;
the key-encrypting key is used to encrypt and protect the working key during key distribution;
the working key is used to encrypt and protect the transmission of business data.
3. The key management system according to claim 2, characterized in that after the device generates the device root key it is split into three parts S1, S2 and S3, wherein S1 is burned into the security chip inside the network storage encryption device at production time, S2 is saved in component key1 and S3 is saved in component key2.
4. The key management system according to claim 2, characterized in that the device identity key is an asymmetric cryptographic key, namely a public/private key pair with a 256-bit private key and a 512-bit public key; the public key is exported via USB Key or the configuration management interface, and the private key is saved in the security chip of the network storage encryption device.
5. The key management system according to claim 2, characterized in that the key-encrypting key is a 128-bit symmetric block cipher key used to encrypt and decrypt working keys shared within the cluster; it is generated in real time by the initiator's random number generation unit each time a network storage encryption device in the cluster is identity-authenticated, used after inspection, and destroyed as soon as distribution completes, never preserved.
6. The key management system according to claim 2, characterized in that the working key is a 128-bit symmetric block cipher key used to encrypt and decrypt disk data in transit over Fibre Channel; when the working key is replaced, the data encrypted on the disk under the old working key is first decrypted with the old working key, re-encrypted with the new working key and stored, and only then does the new working key replace the old one; the working key is obtained from the security chip, which obtains two random numbers from two WNG9 random number generators, takes their XOR as the working key of the LUN, encrypts it with the device root key and stores it in the database.
7. A high-speed network encrypted storage key management method based on the key management system of any one of claims 1 to 6, characterized in that the method includes:
1) key generation: the device root key, device identity key and working key are generated by the noise sources of the dual security chips in the network storage encryption device;
2) key distribution: the device root key is not distributed; the device identity key is generated by each network storage encryption device, its private key is not exported, and its public key, after export from the device, generates the device's certificate request file, which is carried on an injection key and, after the key management center signs it, distributed to every device node; working key distribution is initiated by the key management center or by the key-generating end device and, after identity authentication, is carried out as a digital envelope protected by a public key signature and the key-encrypting key;
3) key storage: the device root key is split into 3 different parts, 1 kept in the security chip of the network storage encryption device and the other 2 stored encrypted and separately on 2 USB Keys; in use the device root key exists in the SRAM inside the security chip and is lost on power-down; the device identity key, once generated, is encrypted with SM4 under the device root key inside the network storage encryption device and stored in the internal FLASH of the device's security chip, and in use the security chip decrypts it into its internal SRAM, where it is lost on power-down; the key-encrypting key is used temporarily, destroyed immediately and not preserved; the working key is preserved after generation in one of two ways;
4) key use, which includes device root key use and working key use;
the device root key use steps being:
411) user identity authentication is passed: the user inserts two USB Keys within a five-minute window;
412) after at least two USB Keys pass authentication, the root key components on the component Keys are read into the SRAM of the security chip of the network storage encryption device;
413) the root key component held inside the network storage encryption device is added and the plaintext device root key is computed by mod-2 addition;
414) the recovered device root key is kept at a specific location in the SRAM of the security chip until it is lost on power-down;
415) after the device root key has been injected, the component keys are removed or retained;
the working key use steps being:
421) authority is obtained after operator identity authentication;
422) the decryption mode is determined according to the user's specification;
423) the working key ciphertext stored in FLASH is read into SRAM;
424) the plaintext working key is obtained by SM4 decryption under the device root key or by decryption with the private key;
425) it is kept at a specific location in SRAM until it is lost on power-down;
426) reuse requires decrypting it again;
5) key backup:
51) the device root key is stored split across 2 USB keys;
52) device identity key backup: after administrator authority is obtained, the device identity key stored in the network storage encryption device is encrypted with SM4 under the device root key held in the SRAM of the security chip and stored in the backup medium, with the public key and the private key kept separately on two backup media;
53) the key-encrypting key is not backed up;
54) working key backup: after administrator authority is obtained, the working key is encrypted with SM4 under the device root key held in the SRAM of the security chip and stored on a USB key;
6) key replacement, including device root key replacement, device identity key replacement and working key replacement;
7) key recovery, including device root key recovery, device identity key recovery and working key recovery.
8. The key management method according to claim 7, characterized in that the two ways of preserving the working key after generation are:
31) encrypting it with SM4 under the private key and storing it in the internal FLASH of the network storage encryption device, then decrypting it into the device's CACHE when needed;
32) encrypting it under the device root key of the encryption card and storing it in the internal FLASH of the network storage encryption device, then decrypting it with the device root key into the device's CACHE when needed.
9. The key management method according to claim 7, characterized in that the key replacement specifically includes: device root key replacement:
611) the device root key is replaced when the network storage encryption device is initialized for the first time;
612) when the public/private key pair and all other sensitive information are present in the SRAM of the network storage encryption device, the device root key is regenerated and 2 USB Keys are regenerated;
device identity key replacement: after obtaining administrator authority, the user generates a new public/private key pair through the interface or the command line, overwrites the old key pair, exports the new public key to generate a new certificate request file, which after being signed by the key management center is distributed on a USB Key to each network storage encryption device; the new key pair is also backed up again;
working key replacement: the data encrypted on the disk under the old key is backed up as plaintext, re-encrypted with the new working key and written to the disk as ciphertext.
10. The key management method according to claim 7, characterized in that the key recovery specifically includes:
71) device root key recovery: the administrator inserts the 2 USB Keys in turn, and the security chip reads the root key components on the USB Key cards into the memory of the network storage encryption device and combines them with the component held in the card to recover the plaintext device root key;
72) device identity key recovery: the administrator reads the ciphertext stored in the backup medium into the network storage encryption device, and the security chip uses the device root key as the decryption key and the SM4 algorithm to decrypt the ciphertext inside the device and keep it in the corresponding SRAM region;
73) working key recovery: the administrator reads the ciphertext stored in the backup medium into the network storage encryption device, and the security chip uses the device root key as the decryption key and the SM4 algorithm to decrypt it and re-download the working key.
CN201610666670.6A 2016-08-14 2016-08-14 A kind of high speed network encryption storage key management system and method Active CN106330868B (en)

Publications (2)

Publication Number Publication Date
CN106330868A true CN106330868A (en) 2017-01-11
CN106330868B CN106330868B (en) 2019-11-26

CN112436937A (en) * 2020-11-25 2021-03-02 公安部交通管理科学研究所 Radio frequency tag initialization key distribution system and method
CN112738083A (en) * 2020-12-28 2021-04-30 福建正孚软件有限公司 Cross-network cross-border data transmission based secure access key management system and method
CN113037483A (en) * 2021-04-20 2021-06-25 重庆九格慧科技有限公司 Distributed key management method based on threshold
CN113824560A (en) * 2021-11-24 2021-12-21 北京亿赛通科技发展有限责任公司 Data encryption protection method, system, storage medium and terminal
CN114124373A (en) * 2021-11-02 2022-03-01 广东省通信产业服务有限公司 Video key management method and system for automatic backup and recovery
CN114765546A (en) * 2020-12-30 2022-07-19 海能达通信股份有限公司 End-to-end hard encryption method, system, encryption equipment and key management server
CN114978774A (en) * 2022-07-28 2022-08-30 四川九洲空管科技有限责任公司 Multi-level key management method based on nested protection structure
CN116055048A (en) * 2023-03-31 2023-05-02 成都四方伟业软件股份有限公司 Method and device for storing and restoring scattered keys
CN116400199A (en) * 2023-06-05 2023-07-07 中国汽车技术研究中心有限公司 Chip clock burr fault injection cross-validation test method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101841412A (en) * 2010-04-09 2010-09-22 兰州韦尔斯信息科技有限公司 Method and device for encrypting network environment of storage domain
CN101986596A (en) * 2010-10-21 2011-03-16 无锡江南信息安全工程技术中心 Key management mechanism
US8111828B2 (en) * 2007-07-31 2012-02-07 Hewlett-Packard Development Company, L.P. Management of cryptographic keys for securing stored data
US8590042B2 (en) * 2008-01-31 2013-11-19 Hitachi, Ltd. Storage system, and encryption key management method and encryption key management program thereof
CN105656621A (en) * 2014-11-12 2016-06-08 江苏威盾网络科技有限公司 Safety management method for cryptographic device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8111828B2 (en) * 2007-07-31 2012-02-07 Hewlett-Packard Development Company, L.P. Management of cryptographic keys for securing stored data
US8590042B2 (en) * 2008-01-31 2013-11-19 Hitachi, Ltd. Storage system, and encryption key management method and encryption key management program thereof
CN101841412A (en) * 2010-04-09 2010-09-22 兰州韦尔斯信息科技有限公司 Method and device for encrypting network environment of storage domain
CN101986596A (en) * 2010-10-21 2011-03-16 无锡江南信息安全工程技术中心 Key management mechanism
CN105656621A (en) * 2014-11-12 2016-06-08 江苏威盾网络科技有限公司 Safety management method for cryptographic device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
黄容 (Huang Rong): "Research and Design of a Key Management System for an FC Encrypted Storage Switch", China Master's Theses Full-text Database (Information Science and Technology series) *

Cited By (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106953732B (en) * 2017-03-10 2020-02-07 南方城墙信息安全科技有限公司 Key management system and method for chip card
CN106953732A (en) * 2017-03-10 2017-07-14 南方城墙信息安全科技有限公司 The key management system and method for chip card
CN108400868A (en) * 2018-01-17 2018-08-14 深圳市文鼎创数据科技有限公司 Storage method, device and the mobile terminal of seed key
CN108650242A (en) * 2018-04-23 2018-10-12 中国石油天然气集团公司 A kind of secrecy topographic map transmission method, system and System Utilization Procedure
CN108650242B (en) * 2018-04-23 2020-07-10 中国石油天然气集团有限公司 Confidential topographic map transmission method, system and system using method
CN108566325A (en) * 2018-04-28 2018-09-21 江苏中安智信通信科技股份有限公司 Ciphering type ring exchanger system
CN108566325B (en) * 2018-04-28 2021-01-12 江苏中安智信通信科技股份有限公司 Encryption type ring network switch system
CN108768636A (en) * 2018-05-31 2018-11-06 上海万向区块链股份公司 A method of restoring private key using multi-party collaboration
CN110912684B (en) * 2018-09-14 2023-04-07 北京京东尚科信息技术有限公司 Method, system and computer readable medium for encryption and decryption
CN110912684A (en) * 2018-09-14 2020-03-24 北京京东尚科信息技术有限公司 System and method for authentication encryption based on device fingerprint
CN109474429A (en) * 2018-12-24 2019-03-15 无锡市同威科技有限公司 A kind of cipher key configuration strategy process towards FC storage encryption gateway
CN109787756A (en) * 2018-12-24 2019-05-21 吉林微思智能科技有限公司 A kind of car-mounted terminal key distribution management method based on whitepack encryption technology
CN109787756B (en) * 2018-12-24 2021-11-26 吉林微思智能科技有限公司 Vehicle-mounted terminal key distribution management method based on white-box encryption technology
CN110166458A (en) * 2019-05-23 2019-08-23 王怀尊 A kind of three-level code key encryption system
CN110166236A (en) * 2019-05-31 2019-08-23 北京中金国信科技有限公司 Cipher key processing method, device and system and electronic equipment
CN110166236B (en) * 2019-05-31 2022-01-18 北京中金国信科技有限公司 Key processing method, device and system and electronic equipment
CN110474768A (en) * 2019-08-22 2019-11-19 上海豆米科技有限公司 A kind of information safety transmission system and method having the control of group's decrypted rights
CN110635908A (en) * 2019-09-29 2019-12-31 杭州尚尚签网络科技有限公司 Management method for supporting billions of keys for electronic contract
CN110932853A (en) * 2019-12-06 2020-03-27 深圳市纽创信安科技开发有限公司 Key management device and key management method based on trusted module
CN110932853B (en) * 2019-12-06 2022-12-06 深圳市纽创信安科技开发有限公司 Key management device and key management method based on trusted module
CN111010275A (en) * 2019-12-31 2020-04-14 嘉兴太美医疗科技有限公司 Key management method, method for generating key and key management system
CN112257119A (en) * 2020-10-20 2021-01-22 河北素数信息安全有限公司 Identity authentication method and protection method for ensuring security of encryption device
CN112000975B (en) * 2020-10-28 2021-02-09 湖南天琛信息科技有限公司 Key management system
CN112000975A (en) * 2020-10-28 2020-11-27 湖南天琛信息科技有限公司 Key management system
CN112436937A (en) * 2020-11-25 2021-03-02 公安部交通管理科学研究所 Radio frequency tag initialization key distribution system and method
CN112738083B (en) * 2020-12-28 2023-05-19 福建正孚软件有限公司 System and method for managing secure access key based on cross-network and cross-border data transmission
CN112738083A (en) * 2020-12-28 2021-04-30 福建正孚软件有限公司 Cross-network cross-border data transmission based secure access key management system and method
CN114765546A (en) * 2020-12-30 2022-07-19 海能达通信股份有限公司 End-to-end hard encryption method, system, encryption equipment and key management server
CN114765546B (en) * 2020-12-30 2023-07-18 海能达通信股份有限公司 End-to-end hard encryption method, system, encryption equipment and key management server
CN113037483A (en) * 2021-04-20 2021-06-25 重庆九格慧科技有限公司 Distributed key management method based on threshold
CN114124373A (en) * 2021-11-02 2022-03-01 广东省通信产业服务有限公司 Video key management method and system for automatic backup and recovery
CN113824560A (en) * 2021-11-24 2021-12-21 北京亿赛通科技发展有限责任公司 Data encryption protection method, system, storage medium and terminal
CN114978774A (en) * 2022-07-28 2022-08-30 四川九洲空管科技有限责任公司 Multi-level key management method based on nested protection structure
CN116055048B (en) * 2023-03-31 2023-05-30 成都四方伟业软件股份有限公司 Method and device for storing and restoring scattered keys
CN116055048A (en) * 2023-03-31 2023-05-02 成都四方伟业软件股份有限公司 Method and device for storing and restoring scattered keys
CN116400199A (en) * 2023-06-05 2023-07-07 中国汽车技术研究中心有限公司 Chip clock burr fault injection cross-validation test method and device
CN116400199B (en) * 2023-06-05 2023-09-15 中国汽车技术研究中心有限公司 Chip clock burr fault injection cross-validation test method and device

Also Published As

Publication number Publication date
CN106330868B (en) 2019-11-26

Similar Documents

Publication Publication Date Title
CN106330868B (en) A kind of high speed network encryption storage key management system and method
US20190318356A1 (en) Offline storage system and method of use
CN101159556B (en) Group key server based key management method in sharing encryption file system
CN106789052B (en) Remote key issuing system based on quantum communication network and use method thereof
CN102402664B (en) Data access control device and data access control method
CN101986596B (en) Key management mechanism
CN105656864B (en) Key management system and management method based on TCM
US20150019870A1 (en) Master key generation and distribution for storage area network devices
CN105681031B (en) A kind of storage encryption gateway key management system and method
CN105100083B (en) A kind of secret protection and support user's revocation based on encryption attribute method and system
CN111143870B (en) Distributed encryption storage device, system and encryption and decryption method
CN102761521A (en) Cloud security storage and sharing service platform
EP2745212A1 (en) Virtual zeroisation system and method
CN101983385A (en) Distribution of storage area network encryption keys across data centers
CN107154848A (en) A kind of data encryption based on CPK certifications and storage method and device
CN109981255A (en) The update method and system of pool of keys
CN106712943A (en) Secure storage system
KR20120132708A (en) Distributed access priviledge management apparatus and method in cloud computing environments
CA2446364C (en) Secure group secret distribution
WO2017126571A1 (en) Ciphertext management method, ciphertext management device, and program
CN112787996B (en) Password equipment management method and system
CN103916237A (en) Method and system for managing user encrypted-key retrieval
CN109726583A (en) Cloud data base encryption server system
CN110493259A (en) A kind of encrypting and deciphering system and method ensureing cloud electronic data security
CN115412236A (en) Method for key management and password calculation, encryption method and device

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A high speed network encryption storage key management system and method

Effective date of registration: 20210312

Granted publication date: 20191126

Pledgee: Beijing Yanhong Financing Guarantee Co.,Ltd.

Pledgor: BEIJING SHUDUN INFORMATION TECHNOLOGY Co.,Ltd.

Registration number: Y2021990000232

PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20220325

Granted publication date: 20191126

Pledgee: Beijing Yanhong Financing Guarantee Co.,Ltd.

Pledgor: BEIJING SHUDUN INFORMATION TECHNOLOGY CO.,LTD.

Registration number: Y2021990000232

CP02 Change in the address of a patent holder

Address after: 100000 901, Floor 9, Building 7, Yard 8, Auto Museum East Road, Fengtai District, Beijing

Patentee after: BEIJING SHUDUN INFORMATION TECHNOLOGY CO.,LTD.

Address before: Room 101-502, 5 / F, building 10, courtyard 3, fengxiu Middle Road, Haidian District, Beijing 100083

Patentee before: BEIJING SHUDUN INFORMATION TECHNOLOGY CO.,LTD.
