CN108270739B - Method and device for managing encryption information - Google Patents


Info

Publication number: CN108270739B
Authority: CN (China)
Prior art keywords: encryption, key, information, service, service subsystem
Legal status: Active
Application number: CN201611264624.XA
Other languages: Chinese (zh)
Other versions: CN108270739A (en)
Inventor: 李世华
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Events
    • Application filed by Huawei Technologies Co Ltd
    • Priority to CN201611264624.XA
    • Publication of CN108270739A
    • Application granted
    • Publication of CN108270739B
    • Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services

Abstract

Embodiments of this application provide a method and a device for managing encryption information. They relate to the field of information security and address the problem that the service interface parameters of a distributed system are complex and difficult to maintain. The method comprises: a first service subsystem determines the encryption version used by the service interface it is about to call, looks up the encryption definition corresponding to that encryption version in encryption management information obtained in advance, and looks up, from the same encryption management information, the first key to be used for this encryption; the encryption definition indicates which parameters of the service interface need to be encrypted and the identifier of the encryption scheme to be used; the first service subsystem encrypts the parameters indicated in the encryption definition with the first key and the first encryption scheme indicated in the encryption definition to obtain ciphertext information, which comprises the identifier of the first key and the ciphertext of the encrypted parameters; and the first service subsystem sends a service message to a second service subsystem, the service message comprising the identifier of the encryption version and the ciphertext information.

Description

Method and device for managing encryption information
Technical Field
This application relates to the field of information security, and in particular to a method and an apparatus for managing encryption information.
Background
With the rapid development of the Internet and information technology, the security threats faced by software systems keep escalating. To prevent confidential information from being leaked or tampered with while it is being transmitted or stored, most software systems encrypt confidential information both in transit and at rest.
In a distributed software architecture, a system consists of several relatively independent subsystems. When these subsystems undergo a security upgrade, either all of them are stopped and upgraded together in a single synchronized operation by maintenance staff, or one subsystem is upgraded first and the others follow step by step. The first approach interrupts communication between the subsystems outright, so the user's service is interrupted, and the upgrade takes a long time. The second approach upgrades the subsystems one at a time and so avoids interrupting communication between them, but because the subsystems are upgraded at different times, upgraded and not-yet-upgraded subsystems coexist in the service system and the service interfaces must remain compatible between them. In practice this means adding many identifiers to the interface to indicate whether a parameter is encrypted and which encryption algorithm and key were used, which makes the service interface parameters complex and difficult to maintain.
Disclosure of Invention
Embodiments of this application provide a method and a device for managing encryption information that resolve the prior-art problem that service interface parameters are complex and difficult to maintain.
To this end, the embodiments of this application adopt the following technical solutions:
In a first aspect, a method for managing encryption information is provided. It applies to a distributed service system comprising at least a first service subsystem and a second service subsystem, and comprises: the first service subsystem determines the encryption version used by the service interface to be called, looks up the encryption definition corresponding to that encryption version in encryption management information obtained in advance, and looks up, from the encryption management information, the first key to be used for this encryption; the encryption definition indicates which parameters of the service interface need to be encrypted and the identifier of the encryption scheme to be used; the first service subsystem encrypts the parameters indicated in the encryption definition with the first key and the first encryption scheme indicated in the encryption definition, obtaining ciphertext information that comprises the identifier of the first key and the ciphertext of the encrypted parameters; and the first service subsystem sends a service message comprising the identifier of the encryption version and the ciphertext information to the second service subsystem. In this solution each service interface is bound to the encryption version it uses; encryption is performed once the encryption definition and key corresponding to that version have been determined, and the identifier of the key used and the identifier of the encryption version are carried in the service message. The interface itself therefore no longer needs per-parameter markers for encryption state, algorithm and key, which resolves the problem of complex, hard-to-maintain service interface parameters.
In a possible implementation of the first aspect, the first service subsystem's lookup of the first key from the encryption management information comprises: the first service subsystem looks up, in the encryption management information, the key group used for transport encryption between the first service subsystem and the second service subsystem; the key group comprises at least one key, and each key has its own encryption validity period; and the first service subsystem selects the currently valid key as the first key according to the encryption validity period of each key. In this implementation the currently valid key is selected as the first key and its identifier is carried in the service message, so the second service subsystem can determine the correct key from that identifier and decrypt correctly, which avoids service interruption while encryption is being upgraded.
In a possible implementation of the first aspect, before the first service subsystem looks up the encryption definition corresponding to the encryption version in the encryption management information obtained in advance, the method further comprises: the first service subsystem sends an information acquisition request to an information management device and receives the encryption management information returned by the information management device; or the first service subsystem receives encryption management information pushed by the information management device. The encryption management information comprises: the encryption definitions corresponding to the different encryption versions, the different encryption schemes, the key groups used for transport encryption between the different service subsystems, and the keys in each key group. In this implementation the encryption management information of the distributed service system is managed centrally by a single information management device, which can send each service subsystem its encryption management information when the encryption algorithm is upgraded, when keys are periodically updated, or when a subsystem's copy of the encryption management information is damaged or lost; this provides centralized management and encryption upgrading of the encryption information of every service subsystem.
In a possible implementation of the first aspect, the method further comprises: the first service subsystem looks up, in the encryption management information, a second encryption scheme and a second key for encrypting a specified data item; and the first service subsystem encrypts the specified data item with the second encryption scheme and the second key to obtain encrypted storage data item information, which comprises the identifier of the second encryption scheme and the identifier of the second key.
In a possible implementation of the first aspect, after the first service subsystem has encrypted the specified data item with the second encryption scheme and the second key to obtain the encrypted storage data item information, the method further comprises: the first service subsystem obtains the second encryption scheme and the second key from the encryption management information according to the second encryption scheme identifier and the second key identifier contained in the encrypted storage data item information; and the first service subsystem decrypts the encrypted storage data item information with the second encryption scheme and the second key to recover the specified data item.
In these two implementations the service subsystem stores, together with each encrypted data item, the identifiers of the encryption scheme and of the key used to encrypt it. Because every stored item carries its own scheme and key identifiers, the encryption algorithm for stored data items can be upgraded, or the encryption key changed, without interrupting service: items encrypted under the old scheme or key remain decryptable alongside items encrypted under the new one.
In a second aspect, a method for managing encryption information is provided. It applies to a distributed service system comprising at least a first service subsystem and a second service subsystem, and comprises: the second service subsystem receives a service message comprising an encryption version identifier and ciphertext information; the ciphertext information comprises a first key identifier and the ciphertext of the parameters that need to be encrypted in the service interface called by the first service subsystem, and the encryption version identifier indicates the encryption version used by that service interface; the second service subsystem looks up, according to the encryption version identifier, the encryption definition corresponding to the encryption version in encryption management information obtained in advance, and looks up, according to the first key identifier, the first key to be used for this decryption from the encryption management information; the encryption definition indicates which parameters of the service interface need to be encrypted and the identifier of the encryption scheme to be used; and the second service subsystem decrypts the ciphertext of the encrypted parameters with the first key and the first encryption scheme indicated in the encryption definition. In this solution the service interface is bound to the encryption version it uses, and the receiver determines the encryption scheme and key from the key identifier and the encryption version identifier carried in the service message, so it decrypts correctly and the problem of complex, hard-to-maintain service interface parameters is resolved.
In a possible implementation of the second aspect, the second service subsystem's lookup of the first key from the encryption management information according to the first key identifier comprises: the second service subsystem looks up the key group used for transport encryption between the first service subsystem and the second service subsystem; the key group comprises at least one key, and each key has its own encryption validity period; and the second service subsystem selects, from the at least one key, the first key corresponding to the first key identifier. In this implementation the second service subsystem determines the correct key from the first key identifier, by identifier rather than by validity period, so it decrypts correctly and service is not interrupted while encryption is being upgraded.
In a possible implementation of the second aspect, before the second service subsystem receives the service message, the method further comprises: the second service subsystem sends an information acquisition request to an information management device and receives the encryption management information returned by the information management device; or the second service subsystem receives encryption management information pushed by the information management device. The encryption management information comprises: the encryption definitions corresponding to the different encryption versions, the different encryption schemes, the key groups used for transport encryption between the different service subsystems, and the keys in each key group. In this implementation the encryption management information of the distributed service system is managed centrally by a single information management device, which can send each service subsystem its encryption management information when the encryption algorithm is upgraded, when keys are periodically updated, or when a subsystem's copy of the encryption management information is damaged or lost; this provides centralized management and encryption upgrading of the encryption information of every service subsystem.
In a possible implementation of the second aspect, the method further comprises: the second service subsystem looks up, in the encryption management information, a second encryption scheme and a second key for encrypting a specified data item; and the second service subsystem encrypts the specified data item with the second encryption scheme and the second key to obtain encrypted storage data item information, which comprises the identifier of the second encryption scheme and the identifier of the second key.
In a possible implementation of the second aspect, after the second service subsystem has encrypted the specified data item with the second encryption scheme and the second key to obtain the encrypted storage data item information, the method further comprises: the second service subsystem obtains the second encryption scheme and the second key from the encryption management information according to the second encryption scheme identifier and the second key identifier contained in the encrypted storage data item information; and the second service subsystem decrypts the encrypted storage data item information with the second encryption scheme and the second key to recover the specified data item.
In these two implementations the service subsystem stores, together with each encrypted data item, the identifiers of the encryption scheme and of the key used to encrypt it, so the encryption algorithm for stored data items can be upgraded, or the encryption key changed, without interrupting service.
In a third aspect, a method for managing encryption information is provided. It applies to an information management device that manages a distributed service system comprising at least two service subsystems, and comprises: the information management device receives an information acquisition request from a service subsystem and sends encryption management information to that service subsystem; or the information management device pushes the encryption management information to the service subsystem. The encryption management information comprises: the encryption definitions corresponding to the different encryption versions, the different encryption schemes, the key groups used for transport encryption between the different service subsystems, and the keys in each key group; an encryption version is the encryption version used by a service interface, and the encryption definition corresponding to it indicates which parameters of the service interface need to be encrypted and the identifier of the encryption scheme to be used. In this solution the encryption management information of the distributed service system is managed centrally by a separate information management device, which can send each service subsystem its encryption management information when the encryption algorithm is upgraded, when keys are periodically updated, or when a subsystem's copy of the encryption management information is damaged or lost; this provides centralized management and encryption upgrading of the encryption information of every service subsystem.
In a possible implementation of the third aspect, the method further comprises: the information management device looks up, in the encryption management information, a second encryption scheme and a second key for encrypting a specified data item; and the information management device encrypts the specified data item with the second encryption scheme and the second key to obtain encrypted storage data item information, which comprises the identifier of the second encryption scheme and the identifier of the second key.
In a possible implementation of the third aspect, after the information management device has encrypted the specified data item with the second encryption scheme and the second key to obtain the encrypted storage data item information, the method further comprises: the information management device obtains the second encryption scheme and the second key from the encryption management information according to the second encryption scheme identifier and the second key identifier contained in the encrypted storage data item information; and the information management device decrypts the encrypted storage data item information with the second encryption scheme and the second key to recover the specified data item.
In these implementations the information management device stores, together with each encrypted data item, the identifiers of the encryption scheme and of the key used to encrypt it, so the encryption algorithm for stored data items can be upgraded, or the encryption key changed, without interrupting service.
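The transport mechanism of the first and second aspects (an encryption version identifier and a key identifier carried in the service message, with the receiver resolving the key by identifier rather than by validity period) and the storage mechanism of the implementations above (scheme identifier and key identifier stored with each encrypted data item) can be made concrete in one worked example. The following Python is an added illustration, not code from the patent or from Huawei. The patent does not name an encryption scheme, so a toy encrypt-then-MAC construction built from HMAC stands in for it and must not be used as-is; the field names, identifiers, the integer clock, the rule of choosing the newest valid key when validity periods overlap, and the lazy re-encryption of stored items on read are all assumptions made for the example.

```python
"""Added example (not from the patent): service messages and stored data items tagged
with an encryption-version or scheme id plus a key id, resolved against centrally
distributed encryption management information. Names, ids, clock and cipher are assumed."""
import hashlib
import hmac
import secrets

# The patent leaves the scheme open. Stand-in: encrypt-then-MAC built from HMAC
# (keystream = HMAC(ek, nonce||ctr), tag over nonce||ct), parameterised by hash. Toy only.
SCHEMES = {"S1": "sha256", "S2": "sha512"}   # scheme id -> hash

def _xor_stream(key, nonce, data, digest):
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), digest).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def seal(key, plaintext, scheme_id):
    digest = SCHEMES[scheme_id]
    ek, mk = (hmac.new(key, t, digest).digest() for t in (b"enc", b"mac"))
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(ek, nonce, plaintext, digest)
    return nonce + ct + hmac.new(mk, nonce + ct, digest).digest()

def open_(key, blob, scheme_id):
    digest = SCHEMES[scheme_id]
    ek, mk = (hmac.new(key, t, digest).digest() for t in (b"enc", b"mac"))
    tlen = hashlib.new(digest).digest_size
    nonce, ct, tag = blob[:16], blob[16:-tlen], blob[-tlen:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, digest).digest()):
        raise ValueError("ciphertext failed authentication")
    return _xor_stream(ek, nonce, ct, digest)

# Encryption management information as the information management device would
# distribute it (constructed sample); transport keys carry validity periods.
MGMT = {
    "definitions": {   # encryption version -> fields to encrypt and scheme id
        "v1": {"encrypt": ["card_no"], "scheme": "S1"},
        "v2": {"encrypt": ["card_no", "phone"], "scheme": "S2"},
    },
    "key_groups": {    # (sender, receiver) -> key group for transport encryption
        ("order", "payment"): [
            {"kid": "k1", "key": b"\x11" * 32, "valid_from": 0, "valid_to": 100},
            {"kid": "k2", "key": b"\x22" * 32, "valid_from": 90, "valid_to": 200},
        ],
    },
    "storage_keys": {"sk1": b"\x33" * 32, "sk2": b"\x44" * 32},
    "storage_policy": {"scheme": "S1", "kid": "sk1"},   # scheme/key for new writes
}

def select_current_key(group, now):
    """Sender side: the newest key whose validity period covers `now`."""
    live = [k for k in group if k["valid_from"] <= now < k["valid_to"]]
    if not live:
        raise LookupError("no transport key valid at this time")
    return max(live, key=lambda k: k["valid_from"])

def build_service_message(mgmt, sender, receiver, version, params, now):
    defn = mgmt["definitions"][version]
    key = select_current_key(mgmt["key_groups"][(sender, receiver)], now)
    data = {f: seal(key["key"], str(params[f]).encode(), defn["scheme"]).hex()
            for f in defn["encrypt"]}
    clear = {f: v for f, v in params.items() if f not in defn["encrypt"]}
    return {"enc_version": version, "ciphertext": {"kid": key["kid"], "data": data},
            "params": clear}

def open_service_message(mgmt, sender, receiver, msg):
    """Receiver: scheme from the version id, key from the key id (not validity), so traffic
    under a key no longer used for new messages still decrypts; field set must match."""
    defn = mgmt["definitions"][msg["enc_version"]]
    data = msg["ciphertext"]["data"]
    if set(data) != set(defn["encrypt"]):
        raise ValueError("encrypted fields do not match the encryption definition")
    group = mgmt["key_groups"][(sender, receiver)]
    key = next((k for k in group if k["kid"] == msg["ciphertext"]["kid"]), None)
    if key is None:
        raise LookupError("key id is not in the key group for this subsystem pair")
    params = dict(msg["params"])
    for f, hx in data.items():
        params[f] = open_(key["key"], bytes.fromhex(hx), defn["scheme"]).decode()
    return params

def store_item(mgmt, value):
    """Encrypted storage data item: ciphertext plus the scheme id and key id used."""
    pol = mgmt["storage_policy"]
    blob = seal(mgmt["storage_keys"][pol["kid"]], value.encode(), pol["scheme"])
    return {"scheme": pol["scheme"], "kid": pol["kid"], "blob": blob.hex()}

def load_item(mgmt, item):
    # Decrypt with the scheme and key named in the item, whatever the current policy.
    key = mgmt["storage_keys"][item["kid"]]
    return open_(key, bytes.fromhex(item["blob"]), item["scheme"]).decode()

def rewrap_if_stale(mgmt, item):
    """Re-seal an item written under an old scheme or key under the current policy."""
    pol = mgmt["storage_policy"]
    if (item["scheme"], item["kid"]) == (pol["scheme"], pol["kid"]):
        return item
    return store_item(mgmt, load_item(mgmt, item))
```

The receiver never consults the validity periods: a message encrypted under `k1` at time 50 still decrypts at time 150, when only `k2` is used for new traffic, because the key is selected by its identifier from the key group for this subsystem pair. The receiver also rejects a message whose encrypted field set differs from the encryption definition of the declared version, so a partially encrypted or downgraded message cannot pass unnoticed, and a key identifier outside the pair's key group is refused rather than looked up elsewhere. For stored items, changing `storage_policy` affects only new writes; `load_item` follows the identifiers carried in each item, and `rewrap_if_stale` migrates old items as they are read.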
In a fourth aspect, a service subsystem is provided. It is a first service subsystem in a distributed service system that further comprises at least a second service subsystem, and it comprises: a determining unit, configured to determine the encryption version used by the service interface to be called, look up the encryption definition corresponding to that encryption version in encryption management information obtained in advance, and look up the first key to be used for this encryption from the encryption management information, where the encryption definition indicates which parameters of the service interface need to be encrypted and the identifier of the encryption scheme to be used; an encryption unit, configured to encrypt the parameters indicated in the encryption definition with the first key and the first encryption scheme indicated in the encryption definition to obtain ciphertext information comprising the identifier of the first key and the ciphertext of the encrypted parameters; and a sending unit, configured to send a service message comprising the identifier of the encryption version and the ciphertext information to the second service subsystem.
In a possible implementation of the fourth aspect, the determining unit is specifically configured to: look up, in the encryption management information, the key group used for transport encryption between the first service subsystem and the second service subsystem, where the key group comprises at least one key and each key has its own encryption validity period; and select the currently valid key as the first key according to the encryption validity period of each key.
In a possible implementation of the fourth aspect, the sending unit is further configured to send an information acquisition request to an information management device, and the service subsystem further comprises a receiving unit configured to receive the encryption management information returned by the information management device; or the service subsystem further comprises a receiving unit configured to receive encryption management information pushed by the information management device. The encryption management information comprises: the encryption definitions corresponding to the different encryption versions, the different encryption schemes, the key groups used for transport encryption between the different service subsystems, and the keys in each key group.
In a possible implementation of the fourth aspect, the determining unit is further configured to look up, in the encryption management information, a second encryption scheme and a second key for encrypting a specified data item, and the encryption unit is further configured to encrypt the specified data item with the second encryption scheme and the second key to obtain encrypted storage data item information comprising the identifier of the second encryption scheme and the identifier of the second key.
In a possible implementation of the fourth aspect, the determining unit is further configured to obtain the second encryption scheme and the second key from the encryption management information according to the second encryption scheme identifier and the second key identifier contained in the encrypted storage data item information, and the service subsystem further comprises a decryption unit configured to decrypt the encrypted storage data item information with the second encryption scheme and the second key to recover the specified data item.
In a fifth aspect, a service subsystem is provided. It is a second service subsystem in a distributed service system that further comprises a first service subsystem, and it comprises: a receiving unit, configured to receive a service message comprising an encryption version identifier and ciphertext information, where the ciphertext information comprises a first key identifier and the ciphertext of the parameters that need to be encrypted in the service interface called by the first service subsystem, and the encryption version identifier indicates the encryption version used by that service interface; a determining unit, configured to look up, according to the encryption version identifier, the encryption definition corresponding to the encryption version in encryption management information obtained in advance, and to look up, according to the first key identifier, the first key to be used for this decryption from the encryption management information, where the encryption definition indicates which parameters of the service interface need to be encrypted and the identifier of the encryption scheme to be used; and a decryption unit, configured to decrypt the ciphertext of the encrypted parameters with the first key and the first encryption scheme indicated in the encryption definition.
In a possible implementation of the fifth aspect, the determining unit is specifically configured to: look up the key group used for transport encryption between the first service subsystem and the second service subsystem, where the key group comprises at least one key and each key has its own encryption validity period; and select, from the at least one key, the first key corresponding to the first key identifier.
In a possible implementation of the fifth aspect, the service subsystem further comprises a sending unit configured to send an information acquisition request to an information management device, and the receiving unit is further configured to receive the encryption management information returned by the information management device; or the receiving unit is further configured to receive encryption management information pushed by the information management device. The encryption management information comprises: the encryption definitions corresponding to the different encryption versions, the different encryption schemes, the key groups used for transport encryption between the different service subsystems, and the keys in each key group.
In a possible implementation of the fifth aspect, the determining unit is further configured to look up, in the encryption management information, a second encryption scheme and a second key for encrypting a specified data item, and the service subsystem further comprises an encryption unit configured to encrypt the specified data item with the second encryption scheme and the second key to obtain encrypted storage data item information comprising the identifier of the second encryption scheme and the identifier of the second key.
In a possible implementation of the fifth aspect, the determining unit is further configured to obtain the second encryption scheme and the second key from the encryption management information according to the second encryption scheme identifier and the second key identifier contained in the encrypted storage data item information, and the decryption unit is further configured to decrypt the encrypted storage data item information with the second encryption scheme and the second key to recover the specified data item.
In a sixth aspect, an information management device is provided. It is configured to manage a distributed service system comprising at least two service subsystems, and it comprises: a storage unit, configured to store the encryption management information of the service subsystems; and a transceiver unit, configured to receive an information acquisition request from a service subsystem and send encryption management information to that service subsystem, or configured to push the encryption management information to the service subsystem. The encryption management information comprises: the encryption definitions corresponding to the different encryption versions, the different encryption schemes, the key groups used for transport encryption between the different service subsystems, and the keys in each key group; an encryption version is the encryption version used by a service interface, and the encryption definition corresponding to it indicates which parameters of the service interface need to be encrypted and the identifier of the encryption scheme to be used.
In a possible implementation of the sixth aspect, the information management device further comprises a processing unit configured to look up, in the encryption management information, a second encryption scheme and a second key for encrypting a specified data item, and further configured to encrypt the specified data item with the second encryption scheme and the second key to obtain encrypted storage data item information comprising the identifier of the second encryption scheme and the identifier of the second key.
In a possible implementation of the sixth aspect, the processing unit is further configured to obtain the second encryption scheme and the second key from the encryption management information according to the second encryption scheme identifier and the second key identifier contained in the encrypted storage data item information, and further configured to decrypt the encrypted storage data item information with the second encryption scheme and the second key to recover the specified data item.
In a seventh aspect, a service subsystem is provided that comprises a memory, a processor, a bus and a communication interface. The memory stores code and data, the processor is connected to the memory through the bus, and the processor runs the code in the memory so that the service subsystem performs the method for managing encryption information provided in the first aspect or any possible implementation of the first aspect.
In an eighth aspect, a service subsystem is provided that comprises a memory, a processor, a bus and a communication interface. The memory stores code and data, the processor is connected to the memory through the bus, and the processor runs the code in the memory so that the service subsystem performs the method for managing encryption information provided in the second aspect or any possible implementation of the second aspect.
In a ninth aspect, an information management device is provided that comprises a memory, a processor, a bus and a communication interface. The memory stores code and data, the processor is connected to the memory through the bus, and the processor runs the code in the memory so that the information management device performs the method for managing encryption information provided in the third aspect or any possible implementation of the third aspect.
In a tenth aspect, a system is provided that comprises a first service subsystem, a second service subsystem and an information management device, where the first service subsystem is the service subsystem provided in the fourth aspect, any possible implementation of the fourth aspect, or the seventh aspect; and/or the second service subsystem is the service subsystem provided in the fifth aspect, any possible implementation of the fifth aspect, or the eighth aspect; and/or the information management device is the information management device provided in the sixth aspect, any possible implementation of the sixth aspect, or the ninth aspect.
In an eleventh aspect, a computer-readable storage medium is provided that stores computer-executable instructions which, when executed by at least one processor of a device, cause the device to perform the method for managing encryption information provided in the first aspect or any possible implementation of the first aspect, the method provided in the second aspect or any possible implementation of the second aspect, or the method provided in the third aspect or any possible implementation of the third aspect.
In a twelfth aspect, a computer program product is provided, the computer program product comprising computer executable instructions, the computer executable instructions being stored in a computer readable storage medium; the at least one processor of the device may read the computer executable instructions from the computer readable storage medium, the execution of which by the at least one processor causes the device to perform the method of managing cryptographic information as provided by the first aspect or any one of the possible implementations of the first aspect described above, or the method of managing cryptographic information as provided by the second aspect or any one of the possible implementations of the second aspect described above, or the method of managing cryptographic information as provided by the third aspect or any one of the possible implementations of the third aspect described above.
Drawings
Fig. 1 is a schematic diagram of a networking structure for implementing encryption management of a distributed service system according to an embodiment of the present application;
fig. 2 is a flowchart of a first method for managing encrypted information according to an embodiment of the present disclosure;
fig. 3 is a flowchart of a second method for managing encrypted information according to an embodiment of the present application;
fig. 4 is a flowchart of a third method for managing encrypted information according to an embodiment of the present disclosure;
fig. 5 is a flowchart of a fourth method for managing encrypted information according to an embodiment of the present disclosure;
fig. 6 is a flowchart of a fifth method for managing encryption information according to an embodiment of the present application;
fig. 7 is a flowchart of a sixth method for managing encryption information according to an embodiment of the present application;
fig. 8 is a flowchart of a seventh method for managing encryption information according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a first service subsystem according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of another first service subsystem provided in an embodiment of the present application;
fig. 11 is a schematic structural diagram of a second service subsystem according to an embodiment of the present application;
fig. 12 is a schematic structural diagram of another second service subsystem provided in an embodiment of the present application;
fig. 13 is a schematic structural diagram of another information management apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments.
Fig. 1 is a schematic diagram of a networking structure for implementing encryption management of a distributed service system according to an embodiment of the present application, and referring to fig. 1, the networking includes a distributed service system 101 and an information management device 103 for performing encryption management on the service system.
In the embodiment of the present application, a single information management device 103 is introduced to centrally manage the encryption management information of the distributed service system 101, and the encryption management information corresponding to each service subsystem can be sent to that service subsystem when the encryption algorithm is upgraded, when the key is periodically updated, or when the encryption management information of the service subsystem is damaged or lost. The encryption management information can comprise encryption definitions corresponding to different encryption versions, different encryption schemes, key group information used for transmission encryption between different service subsystems, and information on the keys in each key group. An encryption definition indicates the parameters in a service interface that need to be encrypted and the identifier of the encryption scheme to be adopted, so that the caller and the provider of the service interface can agree, from the encryption definition of the encryption version, on which parameters need encryption and on the encryption scheme and key to use, which solves the problem that the parameters of the service interface are complex and difficult to maintain.
The distributed service system 101 includes at least two service subsystems (e.g., a first service subsystem 1011 and a second service subsystem 1012) and a storage subsystem 102.
The service system is a system for realizing service functions. A service function can be divided into a plurality of sub-functions, each realized on one service subsystem of the service system. Cooperation between the sub-functions is realized by calls between the service subsystems: the calling party acts as the client and the called party acts as the server. Take the first service subsystem 1011 and the second service subsystem 1012 shown in fig. 1 as an example. The first service subsystem 1011 may serve as a service client and the second service subsystem 1012 as a service server, with the first service subsystem 1011 using services provided by the second service subsystem 1012. Alternatively, the first service subsystem 1011 serves as a service server and the second service subsystem 1012 as a service client, with the first service subsystem 1011 providing an open service for the second service subsystem 1012 to use. Alternatively, the first service subsystem 1011 or the second service subsystem 1012 serves as both a service server and a service client. In addition, each service subsystem in the service system 101 may include an encryption and decryption Software Development Kit (SDK), in which an encryption algorithm is preset; the encryption and decryption SDK may be used to encrypt or decrypt data.
The storage subsystem 102 is used for persistently storing the service data, for example, the storage subsystem 102 may include a Database (DB) and a file storage unit. The service data can be encrypted and stored, and the service data corresponding to different service subsystems can be encrypted by adopting different encryption algorithms and keys.
The information management apparatus 103 may be used to manage encryption management information of the distributed business system. Specifically, the information management device 103 may transmit a control data stream with a service subsystem of the service system, that is, transmit encryption management information for implementing encryption by the service subsystem. The control data flow needs to be transmitted by adopting a secure transmission channel, so that the transmitted information is prevented from being leaked or tampered during transmission. The information management device 103 may also transmit a service data stream with the storage subsystem 102, and the service subsystem may also transmit a service data stream with the storage subsystem 102, where the service data stream may be used to transmit service data, and since the transmitted data is encrypted data, the data may be transmitted through a non-secure transmission channel.
As shown in fig. 1, the information management apparatus 103 may include a transceiving unit 1031 for encryption management information, a storage unit 1032 for encryption management information, and a processing unit 1033 for encrypted storage data items. The transceiving unit 1031 is configured to transmit encryption management information to the at least two service subsystems in the service system 101, where the encryption management information may include encryption definitions of different encryption versions, different encryption schemes, key group information used for transmission encryption between different service subsystems, information on each key, and the like. The storage unit 1032 is used to store the encryption management information. To protect the encryption management information, it may be stored encrypted, its data access rights may be strictly limited, it may be stored in a network security zone, and so on. The processing unit 1033 is configured to, when the encryption scheme used by the at least two service subsystems needs to be updated or the encryption key needs to be periodically changed, decrypt the history data already encrypted and stored in the storage subsystem 102 using the old encryption scheme or key, and then re-encrypt it using the new encryption scheme or key, thereby updating the encryption of the service data of the at least two service subsystems of the service system 101. Further, the information management apparatus 103 may further include a management interface 1034 through which a security administrator manages encryption management information such as encryption schemes, key groups, the encryption version of a service interface, the encryption definition of an encryption version, and encrypted storage data items.
The information management apparatus 103 may further include a backup unit 1035 for ensuring reliability of data such as an encryption scheme and an encryption scheme instance, which performs data backup periodically and realizes data recovery in case of data corruption. The information management device 103 may further include a management unit 1036, configured to implement security administrator account management and service subsystem account management, and manage identity authentication and authority control of the security administrator account and the service subsystem account, so as to prevent unauthorized access or operation on the encryption scheme data.
The following describes encryption management information stored in the information management apparatus, specifically, as follows.
As shown in table 1 below, the description information of a service subsystem may include a unique identifier of the service subsystem and a login key group identifier, where the login key group identifier indicates the key group used for login authentication of the service subsystem.
TABLE 1 Service subsystem
(Table 1 is reproduced as an image in the original and is not available as text.)
The service interface may be an Application Program Interface (API), that is, an interface through which the application program of the service subsystem exposes commands that can be invoked, the service subsystem being configured to provide that service application program. Each service interface may correspond to an interface identifier and an identifier of the service to which the interface belongs. Each service interface may also correspond to an interface name and an interface path, where the interface path indicates the access path of the service interface.
For example, when the service interface is an API, the description information of the service interface may be as shown in table 2 below. The API ID in table 2 represents a unique identifier of the API, the service ID represents an identifier of a service to which the API belongs, and string represents that the field type is a character string. The definitions of the APIs shown in table 2 are merely exemplary, and do not limit the embodiments of the present application.
TABLE 2 API
(Table 2 is reproduced as an image in the original and is not available as text.)
Different service interfaces may include different parameters; API parameters are exemplified in table 3 below. The definitions of the API parameters shown in table 3 are merely exemplary, and do not limit the embodiments of the present application.
TABLE 3 API parameters
(Table 3 is reproduced as an image in the original and is not available as text.)
In addition, the attribute information of the service provided by the service subsystem can also be illustrated by the following table 4. It should be noted that the definitions of the services shown in table 4 are merely exemplary, and do not limit the embodiments of the present application.
TABLE 4 Service
(Table 4 is reproduced as an image in the original and is not available as text.)
The encrypted version of the service interface refers to an identifier of the encrypted version used by the service interface, different encrypted versions can be identified by different character strings, and encryption definitions corresponding to different encrypted versions are different. For example, the encrypted version of the service interface may be represented by the identities SE1, SE2, etc. in the API encryption definition shown in table 5 below.
The encryption definition corresponding to the encryption version refers to the encryption definition corresponding to the encryption version of the service interface, and is specifically used for specifying the encryption definition of parameters in the service interface, and the encryption version of a specific service interface determines the range of the encrypted parameters and the adopted encryption scheme. The encrypted definition may correspond to a service interface identifier for uniquely identifying a service interface in a distributed business system. The encryption definition can also be used for specifying the encryption version of the service interface, different encryption schemes can be adopted for different encryption versions, and the encryption parameter range can also be different. The encryption definition may also include a list of encryption parameters and an encryption scheme identification for the service interface. Each parameter in the service interface may correspond to a parameter identifier, an identifier of the service interface to which the parameter belongs, a parameter name, a parameter type, a parameter location, and the like.
For example, the API encryption definitions shown in table 5 below exemplify the encryption definitions corresponding to the encrypted versions of the service interfaces. The API encryption definitions shown in table 5 are merely exemplary, and do not limit the embodiments of the present application.
TABLE 5 API encryption definitions
(Table 5 is reproduced as an image in the original and is not available as text.)
An encryption scheme specifies the type of encryption algorithm and the option values required by that algorithm. Each encryption scheme may correspond to an encryption scheme identifier, which may be, for example, a fixed-length string (e.g., 10 characters). The encryption algorithm is the algorithm used by the encryption scheme, for example AES128 (Advanced Encryption Standard), SHA256, PBKDF2, or the like. The option values of the algorithm are the further attributes that need to be defined for the encryption algorithm; for example, for AES128 the encryption mode needs to be specified as ECB or CBC, and for PBKDF2 the number of iterations needs to be specified. In addition, the encryption scheme may further include the encoding manner of the ciphertext: the ciphertext produced by encryption is binary and needs to be encoded into a character string, for example using Base64 or HEX encoding. The encryption scheme may also define the organization of the encrypted auxiliary information in the ciphertext, for example a salt value randomly generated during encryption, which needs to be stored with the ciphertext and used for decryption.
For example, the definition of the encryption scheme may be as shown in table 6 below. It should be noted that the definition of the encryption scheme shown in table 6 is merely exemplary, and does not limit the embodiments of the present application.
Table 6 Encryption scheme
(Table 6 is reproduced as an image in the original and is not available as text.)
A key group defines a group of keys, of which only one key is the currently valid key at any given time; the currently valid key is the one selected for encryption. The key group may include a key group identifier, which may be a fixed-length string (e.g., 10 characters), and a key list containing at least one key. The key group may also include an identifier of the service subsystem to which the key group belongs and a key group name, which is used by administrators to recognize the key group.
For example, the definition of the key group may be as shown in table 7 below. It should be noted that the definition of the key group shown in table 7 is merely exemplary and does not limit the embodiments of the present application.
TABLE 7 Key group
(Table 7 is reproduced as an image in the original and is not available as text.)
A key specifies an encryption key and belongs to a key group. Each key needs to specify a validity period, and at any given time one and only one key in the key group is the currently valid key; the currently valid key should be selected for encryption. Each key may correspond to a key identifier, which may be a fixed-length string (e.g., 10 characters), and the identifier of the key group to which the key belongs. The validity period of the key may be defined by a start time and an end time, which may be date-time values accurate to the second, for example in UTC.
For example, the definition of the key may be as shown in table 8 below, where the field type date in table 8 denotes a date-time value. It should be noted that the definition of the key shown in table 8 is merely exemplary, and does not limit the embodiments of the present application.
TABLE 8 Keys
(Table 8 is reproduced as an image in the original and is not available as text.)
After data is encrypted with an encryption scheme and a key, the ciphertext can be structured data. The ciphertext may include the key identifier and the encrypted auxiliary information, and may also include an encryption scheme identifier, an encrypted identification code, and the like. The encrypted identification code is used to identify whether the data is encrypted; the character string forming it is special and must not coincide with character strings that occur in normal service data, for example ECYFCAEPCR. The encryption scheme identifier identifies the encryption scheme adopted for the encrypted data, so that decryption is performed according to the corresponding encryption scheme. The key identifier is used to find the corresponding key for decryption; if the scheme does not require a key, the key identifier field may be filled with a fixed-length string of "0" characters. The encrypted auxiliary information depends on the encryption algorithm: some additional information must be provided during encryption, for example an initialization vector in AES128 CBC mode, and that same information must be provided for decryption. The data organization format of the encrypted auxiliary information is defined by the encryption scheme and may differ between encryption schemes. The encrypted auxiliary information should contain its own total length so that the start position of the ciphertext can be located. The encoded ciphertext of the data is stored after the encrypted auxiliary information, and the encoding used for the ciphertext may be defined by the encryption scheme.
For example, the structure of the ciphertext may be as shown in table 9 below. The components of the ciphertext may be as shown in table 10 below. The following ciphertext structure shown in table 9 and the following ciphertext component shown in table 10 are merely exemplary, and do not limit the embodiments of the present application.
Table 9 ciphertext structure
Encrypted identification code | Encryption scheme ID | Key ID | Encrypted auxiliary information | Encoded ciphertext
Table 10 ciphertext components
(Table 10 is reproduced as an image in the original and is not available as text.)
The data item refers to service data of the service subsystem, and can be stored in a storage subsystem of the service system after being encrypted. Different service subsystems may include different data items. The specified data item refers to a certain fixed data item. The encrypted storage data item information refers to information stored after the data item is encrypted, and may include a data item identifier, a service subsystem identifier to which the data item belongs, an encryption scheme identifier and a key group identifier when the data item is encrypted, a storage location, access authentication information of the data item, and the like.
For example, the encrypted storage data item information may be as shown in table 11 below. It should be noted that the encrypted storage data item information shown in table 11 is merely an example and does not limit the embodiment of the present application.
Table 11 Encrypted storage data item information
(Table 11 is reproduced as an image in the original and is not available as text.)
The access authentication information is used for identity authentication and authorization when a service interface is called between a service subsystem and the information management device, and may include the identifier of the service subsystem initiating the access request, a timestamp, a random character string, an access authentication digest and an access key identifier. The access authentication digest may be generated from the service subsystem identifier, the timestamp, the random string, and the access key. The timestamp is the time at which the access authentication digest is generated, that is, the current time, and UTC time may be used. The access key identifier identifies which key was used for authentication, so that authentication continues to work while keys are being switched.
For example, the access authentication information may be as shown in table 12 below. It should be noted that the access authentication information shown in table 12 below is only an example and is not limited to the embodiment of the present application.
TABLE 12 Access authentication information
(Table 12 is reproduced as an image in the original and is not available as text.)
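As an added example (not the patent's or Huawei's code), the following Python sketches the access authentication information of table 12 on the caller side and its verification on the information management device side. The page does not name the digest algorithm, so HMAC-SHA256 over the three fields joined with "|" is an assumption, as are the 300-second freshness window, the replay check on the random string, and every identifier and key value, which are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AccessKey:
    key_id: str        # hypothetical fixed-length key identifier
    secret: bytes      # the access key itself
    valid_from: int    # validity period as UTC epoch seconds
    valid_to: int


@dataclass(frozen=True)
class AccessAuthInfo:
    subsystem_id: str   # identifier of the service subsystem initiating the request
    timestamp: int      # UTC time at which the digest was generated
    random_string: str  # per-request nonce
    access_key_id: str  # which key of the login key group produced the digest
    digest: str


def current_key(key_group: List[AccessKey], now: int) -> AccessKey:
    """Exactly one key of a key group is valid at a given instant; use it for new requests."""
    valid = [k for k in key_group if k.valid_from <= now < k.valid_to]
    if len(valid) != 1:
        raise LookupError(f"expected exactly one valid key at {now}, found {len(valid)}")
    return valid[0]


def compute_digest(subsystem_id: str, timestamp: int, random_string: str, secret: bytes) -> str:
    # Assumed construction: HMAC-SHA256 over the fields joined with "|" (the page does not fix it).
    msg = "|".join([subsystem_id, str(timestamp), random_string]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_auth_info(subsystem_id: str, key_group: List[AccessKey], now: Optional[int] = None) -> AccessAuthInfo:
    """Caller side: sign with the currently valid login key and record its identifier."""
    now = int(time.time()) if now is None else now
    key = current_key(key_group, now)
    nonce = secrets.token_hex(16)
    return AccessAuthInfo(subsystem_id, now, nonce, key.key_id,
                          compute_digest(subsystem_id, now, nonce, key.secret))


class AuthVerifier:
    """Information management device side. The key is looked up by identifier, so a request
    signed with the previous key still verifies while a key switch is in progress."""

    def __init__(self, key_groups: Dict[str, List[AccessKey]], window: int = 300):
        self.key_groups = key_groups   # subsystem identifier -> its login key group
        self.window = window           # accepted timestamp skew in seconds (assumption)
        self.seen = set()              # (subsystem, nonce) pairs already accepted (replay guard)

    def verify(self, info: AccessAuthInfo, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        group = self.key_groups.get(info.subsystem_id, [])
        key = next((k for k in group if k.key_id == info.access_key_id), None)
        if key is None or abs(now - info.timestamp) > self.window:
            return False                                   # unknown key or stale timestamp
        if (info.subsystem_id, info.random_string) in self.seen:
            return False                                   # replayed request
        expected = compute_digest(info.subsystem_id, info.timestamp, info.random_string, key.secret)
        if not hmac.compare_digest(expected, info.digest):
            return False                                   # digest does not match
        self.seen.add((info.subsystem_id, info.random_string))
        return True


# Constructed sample login key group for a hypothetical subsystem "SUB0000001":
# the first key expires 60 s after T0 and the second becomes valid at the same instant.
T0 = 1_700_000_000
LOGIN_KEYS = [
    AccessKey("KEY0000001", b"constructed-old-secret", T0 - 86_400, T0 + 60),
    AccessKey("KEY0000002", b"constructed-new-secret", T0 + 60, T0 + 86_400),
]
```

The caller always signs with the key that is valid at its own clock time, while the verifier trusts the access key identifier in the request to pick the key, which is what lets a request signed just before a key switch still be accepted just after it; the freshness window bounds how long such a stale-key request remains acceptable.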
The transmission key configuration refers to the transmission key group information configured for a service subsystem acting as service caller and a service subsystem acting as service provider. The transmission key configuration may include a caller subsystem identifier, a server subsystem identifier, a transmission key group identifier, a service identifier, and a service interface identifier. For example, if the first service subsystem is the caller subsystem and the second service subsystem is the server subsystem, the information management device may send the transmission key configuration to both the first service subsystem and the second service subsystem. In it, the caller subsystem identifier is the identifier of the first service subsystem, the server subsystem identifier is the identifier of the second service subsystem, the transmission key group identifier is the identifier of the key group to be used, the service identifier is the identifier of the service provided by the second service subsystem, and the service interface identifier is the identifier of the service interface providing that service.
For example, the definition of the transmission key configuration may be as shown in table 13 below. It should be noted that the definition of the transmission key configuration shown in table 13 below is merely exemplary and does not limit the embodiments of the present application.
Table 13 Transmission key configuration
(Table 13 is reproduced as an image in the original and is not available as text.)
The encryption management information may include all information related to encryption and decryption used by the service subsystem in the encryption and decryption processes, and the encryption management information may include: the encryption definition corresponding to different encryption versions, different encryption schemes, key group information used for transmitting encryption between different service subsystems, and key information in each key group. The key group information may include a key group and a transmission key configuration. The different encryption schemes include an encryption scheme for encryption of the transmission, and an encryption scheme for encrypting and decrypting the data item. The key information includes a key for transmission encryption and a key for encrypting and decrypting the data item.
Fig. 2 is a flowchart of a method for managing encryption information according to an embodiment of the present application, where the method is applied to the system architecture shown in fig. 1, and the method includes the following steps.
Step 201: the first business subsystem determines an encryption version used by a service interface to be called, inquires an encryption definition corresponding to the encryption version in encryption management information acquired in advance, and inquires a first key used for encryption at this time from the encryption management information. Wherein the encryption definition is used for indicating parameters needing encryption in the service interface and identification of an encryption scheme to be adopted.
When the first service subsystem serves as the client subsystem, the second service subsystem serves as the server subsystem, and the first service subsystem needs to use a service provided by the second service subsystem, the first service subsystem may determine the encryption version used by the service interface through which the second service subsystem provides the service, query the encryption definition corresponding to that encryption version in the encryption management information acquired in advance (that is, determine the parameters to be encrypted in the service interface and the identifier of the encryption scheme to be adopted), and query the first key used for this encryption from the encryption management information.
When the first service subsystem inquires the first key for the current encryption from the encryption management information, the first service subsystem inquires the key group for transmission encryption between the first service subsystem and the second service subsystem from the encryption management information. Since the key set may include at least one key, and each key corresponds to an encryption validity period, that is, only one key of the at least one key defined in the key set is a currently valid key at a certain time, the first service subsystem may select the currently valid key as the first key according to the encryption validity period of each key.
Step 202: the first service subsystem encrypts the parameters needing to be encrypted in the service interface indicated in the encryption definition by adopting a first key and a first encryption scheme indicated in the encryption definition to obtain ciphertext information. The ciphertext information comprises the identifier of the first key and ciphertext data encrypted by the parameter needing to be encrypted.
When the first service subsystem determines the parameter, the first key and the encryption scheme identifier that need to be encrypted in the service interface, the first service subsystem may query the encryption scheme corresponding to the encryption scheme identifier from the encryption management information, and encrypt according to the encryption scheme, the first key and the parameter that needs to be encrypted in the service interface, thereby obtaining ciphertext information, where the ciphertext information includes the identifier of the first key and ciphertext data after the parameter that needs to be encrypted is encrypted.
The ciphertext data may further include data obtained by encrypting service data, and the service message may be a request message. When the service message is a request message, the service data may refer to data that needs to be transmitted when the first service subsystem invokes a service provided by the second service subsystem.
Step 203: and the first service subsystem sends a service message to the second service subsystem, wherein the service message comprises the identification of the encrypted version and the ciphertext information.
After the first service subsystem obtains the ciphertext information, the first service subsystem may send a service message including the encrypted version identifier and the ciphertext information to the second service subsystem, where the service message may be a service request message for requesting the second service subsystem to execute a service logic, so that the first service subsystem uses a service provided by the second service subsystem.
Step 204: when the second service subsystem receives the service message sent by the first service subsystem, the second service subsystem queries the encryption definition corresponding to the encrypted version in the pre-acquired encryption management information according to the identifier of the encrypted version, and queries the first key used for decryption at this time from the encryption management information according to the identifier of the first key.
Because the service message carries the encrypted version identifier, the second service subsystem can, on receiving it, determine the encrypted version used by the service interface that the first service subsystem called, and from that version determine the corresponding encryption definition, which names the parameters of the service interface that are encrypted and the identifier of the encryption scheme used. The second service subsystem then looks up the corresponding encryption scheme in the pre-acquired encryption management information according to that encryption scheme identifier.
When the second service subsystem queries the first key for this decryption from the encryption management information according to the identifier of the first key, it may look up the key group used for transmission encryption between the first service subsystem and the second service subsystem; the key group includes at least one key, and each key has an encryption validity period. When selecting the first key from the keys in the key group, the second service subsystem chooses the key matching the identifier of the first key rather than the currently valid key. In this way the key that the first service subsystem actually used for encryption is selected, and the key mismatch that would otherwise arise when the first service subsystem and the second service subsystem are upgraded asynchronously is avoided.
Step 205: the second service subsystem decrypts the ciphertext data of the parameters to be encrypted in the service interface using the first key and the first encryption scheme indicated in the encryption definition.
Having determined the first key and the first encryption scheme indicated in the encryption definition, the second service subsystem can decrypt the ciphertext data of the parameters to be encrypted in the service interface with them, and so obtain the corresponding plaintext data.
When the ciphertext data also includes data obtained by encrypting the service data, the second service subsystem decrypts that ciphertext data to obtain the plaintext of the service data. Once it has the plaintext of the service data, the second service subsystem executes the service logic according to the service data and, on completion, sends a response message to the first service subsystem.
Specifically, the second service subsystem may encrypt the response information according to the method described in the above step 201 to step 203, and the key used in encryption may be the first key or a currently valid key, and send the encrypted response information as a service message to the first service subsystem. Furthermore, when the first service subsystem receives the encrypted response information, the first service subsystem may also decrypt the encrypted response information according to the method described in the above step 204 to step 205, so as to obtain the plaintext of the response information.
Further, the first service subsystem and the second service subsystem may further include encryption and decryption SDKs, so that the encryption and decryption processes of the first service subsystem and the second service subsystem may be executed by the first service subsystem or the second service subsystem calling the corresponding encryption and decryption SDKs.
When the first service subsystem and the second service subsystem include the encryption and decryption SDK, the encryption and decryption SDK may provide a message encryption interface, and if the first service subsystem and the second service subsystem need to perform encryption, the first service subsystem and the second service subsystem may send an encryption request message to the encryption and decryption SDK, as shown in the format of table 14 below, and receive an encryption response message returned by the encryption and decryption SDK, as shown in the format of table 15 below. The encryption request message shown in the format of table 14 may include access authentication information, a service subsystem identifier for providing a service, an address of a service interface home service, an encrypted version of the service interface, data to be encrypted, and the like. The encrypted response message, shown in the format of table 15, may include a result code, a result description, and encrypted data. It should be noted that the encryption request message shown in the format of table 14 and the encryption response message shown in the format of table 15 are only exemplary and do not limit the embodiment of the present application.
Table 14 encryption request message
Parameter name | Description of values | Type of field
Access authentication | Service subsystem access authentication information | string
Service subsystem | Service subsystem ID for providing service | string
Service path | Address of API home service | string
API path | Address of API | string
API encrypted version | Encrypted version of the API, e.g. | string
Data to be encrypted | Data to be encrypted | string
… | … | …
Table 15 encrypted response message
(Table 15 is an image in the original and is not reproduced here; per the description above it lists a result code, a result description and the encrypted data.)
In addition, when the first service subsystem and the second service subsystem include the encryption and decryption SDK, the encryption and decryption SDK may further provide a message decryption interface, and if the first service subsystem and the second service subsystem need to perform decryption, the first service subsystem and the second service subsystem may send a decryption request message shown in the format of table 16 below to the encryption and decryption SDK, and receive a decryption response message shown in the format of table 17 below and returned by the encryption and decryption SDK. The decryption request message shown in the format of table 16 may include access authentication information, data to be decrypted, and the like. The decryption response message shown in the format of table 17 may include a result code, a result description, and decrypted data. It should be noted that the decryption request message shown in the format of table 16 and the decryption response message shown in the format of table 17 are only exemplary and do not limit the embodiment of the present application.
Table 16 decryption request message
Parameter name | Description of values | Type of field
Access authentication | Service subsystem access authentication information | string
Data to be decrypted | Data to be decrypted | string
… | … | …
Table 17 decrypt response message
(Table 17 is an image in the original and is not reproduced here; per the description above it lists a result code, a result description and the decrypted data.)
When the first service subsystem and the second service subsystem do not include the encryption and decryption SDK, they must implement in their own code the encryption schemes supported by the system, together with a service interface for receiving and storing the encryption management information sent by the information management device. They must also implement themselves the equivalents of the message encryption interface, the message decryption interface and so on that the encryption and decryption SDK would otherwise provide.
In the implementation of the application, the encryption and decryption SDKs included in the first service subsystem or the second service subsystem perform the corresponding encryption or decryption operations, which spares the first service subsystem or the second service subsystem from having to implement the encryption schemes and the various encryption and decryption interfaces in its own code.
In the implementation of the application, the service interface is bound to the encrypted version it uses: the identifier of the key used for encryption and the identifier of the encrypted version are carried in the service message. The caller of the service interface and the provider of the service interface can therefore agree, from the encryption definition of that encrypted version, on which parameters need to be encrypted, and can look up the corresponding key and encryption scheme from the key identifier in the service message and the encryption management information acquired in advance, so that decryption succeeds. This avoids interruption of communication between service subsystems during a security upgrade and, by binding the service interface to the encrypted version, solves the problems of service interface incompatibility during an encryption upgrade and of service interface parameters that are complex and hard to maintain.
Further, fig. 3 and fig. 4 show how the first service subsystem or the second service subsystem acquires the encryption management information in advance: fig. 3 shows the service subsystem actively acquiring the encryption management information, and fig. 4 shows the information management device actively pushing it.
As shown in fig. 3, the process of the service subsystem actively acquiring the encryption management information includes step 206 and step 207.
Step 206: the service subsystem sends an information acquisition request to the information management device, where the information acquisition request is used to acquire the encryption management information.
Step 207: when the information management device receives the information acquisition request, the information management device may send the encryption management information to the service subsystem according to the information acquisition request.
When the service subsystem acquires the encryption management information through the first method, if the information acquisition request sent by the service subsystem carries indication information of the encryption information to be acquired, the information management device may send only the encryption management information corresponding to the indication information of the encryption information to the service subsystem. For example, the information acquisition request sent by the service subsystem carries indication information for acquiring the first encryption scheme, and the information management device only sends the first encryption scheme to the service subsystem. If the information acquisition request sent by the service subsystem does not carry any indication information, the information management device may send all information related to the encryption of the service subsystem to the service subsystem.
Further, the information acquisition request sent by the service subsystem may include the subsystem identifier of the service subsystem, so that the information management device can authenticate and verify the service subsystem according to that subsystem identifier and send the encryption management information only after the authentication and verification pass. When the service subsystem receives the encryption management information, it may also store it in a local file for use in subsequent encryption and decryption. Optionally, the service subsystem encrypts the encryption management information before storing it in the local file.
For example, when the service subsystem acquires information of the encryption scheme from the information management device, the information acquisition request may be an information acquisition request 1 shown in the format of table 18 below. The encryption management information returned by the information management apparatus to the service subsystem may be transmitted by the information acquisition response 1 shown in the format of table 19 below. It should be noted that the information acquisition request 1 shown in the format of the following table 18 and the information acquisition response 1 shown in the format of the following table 19 are merely exemplary, and do not limit the embodiment of the present application.
Table 18 information acquisition request 1
(Table 18 is an image in the original and is not reproduced here.)
Table 19 information acquisition response 1
(Table 19 is an image in the original and is not reproduced here.)
For example, when the service subsystem acquires the information of the key group from the information management device, the information acquisition request may be an information acquisition request 2 shown in the format of table 20 below. The encryption management information returned by the information management apparatus to the service subsystem may be transmitted by the information acquisition response 2 shown in the format of table 21 below. It should be noted that the information acquisition request 2 shown in the format of the following table 20 and the information acquisition response 2 shown in the format of the table 21 are merely exemplary, and do not limit the embodiment of the present application.
Table 20 information acquisition request 2
(Table 20 is an image in the original and is not reproduced here.)
Table 21 information acquisition response 2
(Table 21 is an image in the original and is not reproduced here.)
For example, when the service subsystem acquires information defined by encryption of the API from the information management device, the information acquisition request may be the information acquisition request 3 shown in the format of table 22 below. The encryption management information returned by the information management apparatus to the service subsystem may be transmitted by the information acquisition response 3 shown in the format of table 23 below. It should be noted that the information acquisition request 3 shown in the format of the following table 22 and the information acquisition response 3 shown in the format of the table 23 are merely exemplary, and do not limit the embodiment of the present application.
Table 22 information acquisition request 3
Parameter name | Description of values | Type of field
Access authentication | Service subsystem access authentication information | string
Service ID | Unique identifier of the service | string
API ID | Unique identifier of the API | string
Encrypted version | Encrypted version of the API | string
Table 23 information acquisition response 3
(Table 23 is an image in the original and is not reproduced here.)
For example, when the service subsystem acquires the information of the transmission key configuration from the information management device, the information acquisition request may be the information acquisition request 4 shown in the format of table 24 below. The encryption management information returned by the information management apparatus to the service subsystem may be transmitted by the information acquisition response 4 shown in the format of table 25 below. It should be noted that the information acquisition request 4 shown in the format of table 24 and the information acquisition response 4 shown in the format of table 25 are merely exemplary, and do not limit the embodiment of the present application.
Table 24 information acquisition request 4
(Table 24 is an image in the original and is not reproduced here.)
Table 25 information acquisition response 4
(Table 25 is an image in the original and is not reproduced here.)
For example, when the service subsystem acquires the encrypted storage data item information from the information management apparatus, the information acquisition request may be an information acquisition request 5 shown in the format of table 26 below. The encryption management information returned by the information management apparatus to the service subsystem may be transmitted by the information acquisition response 5 shown in the format of table 27 below. It should be noted that the information acquisition request 5 shown in the format of the following table 26 and the information acquisition response 5 shown in the format of the table 27 are merely exemplary, and do not limit the embodiment of the present application.
Table 26 information acquisition request 5
Parameter name | Description of values | Type of field
Access authentication | Service subsystem access authentication information | string
Data item ID | Unique identifier of the encrypted storage data item | string
Table 27 information acquisition response 5
(Table 27 is an image in the original and is not reproduced here.)
As shown in fig. 4, the process of actively pushing encryption management information by the information management device includes: step 208-step 209.
Step 208: the information management device pushes the encryption management information to the service subsystem.
Step 209: when the service subsystem receives the encryption management information, the service subsystem returns a response message indicating whether the reception is successful to the information management device.
In the second method, the service subsystem does not send an information acquisition request; instead, the information management device actively pushes the encryption management information, which may be unchanged or updated encryption information, to the service subsystem. For example, the information management device may push the encryption management information periodically. Alternatively, when one or more of the encrypted version of a service interface of the service subsystem, the encryption schemes, the key group information used for transmission encryption between service subsystems, or the key information in a key group changes, the information management device may directly push the changed items (the new encrypted version of the service interface, the encryption definition of the updated encrypted version, the encryption scheme, the key group information, or the key information in the key group) to the service subsystem, so that the service subsystem encrypts and decrypts on the basis of the pushed encryption management information.
When pushing the encryption management information, the information management device may push all of the encryption definitions of the different encrypted versions, the different encryption schemes, the key group information used for transmission encryption between service subsystems and the key information in each key group to the service subsystem, or it may push only part of this information.
Further, when the information management device pushes the encryption management information to the service subsystem, it may authenticate and authorize the service subsystem according to the subsystem identifier of the service subsystem, and push only the encryption management information matching the service subsystem's authorization, after the authentication and authorization pass. When the service subsystem receives the pushed encryption management information, it may also store it in a local file for subsequent use. Optionally, the encryption management information is encrypted before being stored in the local file.
For example, when the information management device pushes the information of the encryption scheme to the service subsystem, the pushed information of the encryption scheme may be pushed by an information push request shown in the format of table 28 below. The response message returned by the service subsystem to the information management device may be sent via an information push response as shown in the format of table 29 below. It should be noted that the information push request shown in the format of table 28 and the information push response shown in the format of table 29 are only exemplary and do not limit the embodiment of the present application.
Table 28 information push request
(Table 28 is an image in the original and is not reproduced here.)
Table 29 information push response
(Table 29 is an image in the original and is not reproduced here.)
In addition, the information management device may also push a key group, an encryption definition of an API, a transmission key configuration, information on an encrypted storage data item and so on to the service subsystem. The request message used for such a push, and the response message returned by the service subsystem to indicate whether reception succeeded, are similar to the information push request shown in table 28 and the information push response shown in table 29; refer to the explanation above, which is not repeated here.
In the embodiment of the application, the service subsystem acquires the encryption management information from the information management device and performs the corresponding encryption and decryption according to it. This avoids the situation in which encryption management information kept only by the service subsystem is leaked or lost and encryption and decryption become impossible. At the same time, changed encryption management information can be delivered to the service subsystems uniformly by having the information management device push it, which realizes unified configuration and management of the encryption management information and simplifies the configuration work of the service subsystems.
Further, referring to fig. 5 and 6, the first service subsystem or the second service subsystem may encrypt and decrypt data items stored in the distributed service system according to the encryption management information acquired in advance. Fig. 5 and fig. 6 illustrate an example of a service subsystem, where fig. 5 is a process in which the service subsystem encrypts a data item, and fig. 6 is a process in which the service subsystem decrypts encrypted and stored data item information.
Specifically, as shown in fig. 5, the process of encrypting, by the service subsystem, the data item stored in the distributed service system according to the encryption management information acquired in advance includes: step 210-step 211.
Step 210: the service subsystem queries a second encryption scheme and a second key for encrypting the specified data item from the encryption management information.
Step 211: the service subsystem encrypts the specified data item according to the second encryption scheme and the second key to obtain the encrypted storage data item information, which includes the second encryption scheme identifier and the second key identifier.
When the service subsystem needs to encrypt the previously decrypted specified data item or encrypt the previously unencrypted specified data item, the service subsystem may query, from the previously acquired encryption management information, a second encryption scheme and a second key used for encrypting the specified data item, and after acquiring the second encryption scheme and the second key, encrypt the specified data item according to the second encryption scheme and the second key, to obtain encrypted stored data item information.
Further, the method further includes step 211a: the service subsystem may also store the encrypted storage data item information in a storage subsystem included in the distributed service system.
Specifically, as shown in fig. 6, the process of the service subsystem decrypting the local data stored in the distributed service system according to the pre-obtained encryption management information includes: step 212-step 213.
Step 212: the service subsystem acquires the second encryption scheme and the second key from the encryption management information according to the second encryption scheme identifier and the second key identifier included in the encrypted storage data item information.
Wherein the second encryption scheme identification is used for indicating a second encryption scheme when the specified data item is encrypted; the second key identification is used to indicate a second key when encrypting the specified data item. When the service subsystem needs to read the specified data item, the service subsystem may obtain the second encryption scheme and the second key from the encryption management information according to the second encryption scheme identifier and the second key identifier included in the encrypted storage data item information.
Further, when the encrypted storage data item information is stored in the storage subsystem, before step 212, the method further comprises step 212 a: the service subsystem obtains the encrypted storage data item information from the storage subsystem.
Step 213: the service subsystem decrypts the encrypted storage data item information according to the second encryption scheme and the second key to obtain the specified data item.
After the service subsystem determines the second encryption scheme and the second key, the service subsystem may decrypt the encrypted stored data item information according to the second encryption scheme and the second key, thereby obtaining the specified data item.
When the encrypted storage of a specified data item of the service subsystem needs to be upgraded (the specified data item being a data item that belongs to the service subsystem, and the upgrade consisting of a change of encryption scheme and/or a change of key), two cases arise. If the specified data item was previously stored encrypted, the service subsystem decrypts it according to the encryption scheme identifier and key identifier in the previously stored data item information, re-encrypts it according to the new encryption scheme and key, and stores the identifier of the new encryption scheme and the identifier of the new key in the data item information. If the specified data item was previously stored in plaintext, the service subsystem encrypts it directly according to the new encryption scheme and key and likewise stores the identifier of the new encryption scheme and the identifier of the key in the data item information. This realizes the security upgrade of the encrypted storage of the specified data item information.
It should be noted that, the first service subsystem and the second service subsystem may encrypt the respective designated data items according to the above method, store the encrypted information in the storage subsystem, and perform encryption update and upgrade on the respective encrypted storage data item information, thereby obtaining new encrypted storage data item information.
In addition, the first service subsystem and the second service subsystem may also implement the encryption and decryption processes for the specified data item through the encryption and decryption SDK, and the specific encryption and decryption processes are consistent with the description of the encryption and decryption SDK, which is specifically referred to the above description, and the embodiments of the present application are not described again.
In the implementation of the application, the service subsystem encrypts and stores the specified data item according to the encryption management information acquired in advance, and records the encryption scheme identifier and key identifier used for the encryption in the encrypted storage data item information. When the data item information is read, or its encryption is upgraded, the corresponding encryption scheme and key can be obtained from the encryption management information according to the stored identifiers, so that decryption is correct. This avoids interruption when the service subsystem accesses service data during the upgrade process and improves the user experience.
Further, referring to fig. 7 and fig. 8, when the encryption scheme or key of a specified data item of the first service subsystem or the second service subsystem changes, the information management device itself may also encrypt a specified data item that was not previously encrypted, or decrypt a previously encrypted specified data item, and re-encrypt and store it using the changed encryption scheme and key. The information of the specified data item may be stored in a storage subsystem included in the distributed service system. Fig. 7 shows the information management device encrypting a data item, and fig. 8 shows the information management device decrypting encrypted storage data item information.
As shown in fig. 7, the method for encrypting the specified data item by the information management apparatus includes: step 214-step 215.
Step 214: the information management apparatus inquires of the encryption management information about a second encryption scheme and a second key for encrypting the specified data item.
Step 215: the information management device encrypts the specified data item according to the second encryption scheme and the second key to obtain the encrypted storage data item information, which includes the second encryption scheme identifier and the second key identifier.
Further, when the encrypted storage data item information is stored in a storage subsystem included in the distributed service system, the method further includes step 215a: the information management device stores the encrypted storage data item information in the storage subsystem.
As shown in fig. 8, the information management device may further decrypt the encrypted storage data item information, and the specific method may include: step 216-step 217.
Step 216: the information management apparatus acquires the second encryption scheme and the second key from the encryption management information based on the second encryption scheme identification and the second key identification included in the encrypted storage data item information.
Further, when the encrypted storage data item information is stored in the storage subsystem, the method further includes, before step 216, step 216a: the information management device acquires the encrypted storage data item information from the storage subsystem.
Step 217: the information management device decrypts the encrypted storage data item information according to the second encryption scheme and the second key to obtain the specified data item.
It should be noted that the way the information management device encrypts a previously unencrypted specified data item, or decrypts previously encrypted specified data item information and re-encrypts it with the new encryption scheme or new key, is the same as the way the first service subsystem does so. For the specific encryption and decryption processes, refer to the description of the first service subsystem above, which is not repeated here.
In practice, when the encrypted storage configuration of a specified data item changes, the information management device may create a data encryption update task keyed by the identifier of the specified data item and periodically check whether such a task exists. If an encryption update task exists, the device locates the storage position of the specified data item from the data item identifier recorded in the task. If the specified data item is stored unencrypted, it is encrypted directly with the new encryption scheme and key and then stored. If the specified data item is stored encrypted, the encryption scheme and key needed for decryption are determined from the encryption scheme identifier and key identifier recorded in the encrypted storage data item information, the specified data item is recovered, and it is then re-encrypted with the new encryption scheme and key and stored.
For example, the data encryption update task may be defined as shown in Table 30 below. A data encryption update task carries a task identifier and a data item identifier; the data item identifier names the data item that needs updating, also called the specified data item. The task may further carry a task state, used to monitor the task, with three values (not started, in progress, completed), and a task progress, representing how far the task has been processed. The data encryption update task in Table 30 is only an example and does not limit the embodiments of this application.
Table 30 data encryption update task
[Table 30 is an image in the original; its columns are task identifier, data item identifier, task state (not started, in progress, completed) and task progress.]
In the embodiments of this application, when a specified data item belonging to the first or second service subsystem needs an encryption upgrade, the information management device may encrypt and store the data item according to the encrypted storage information and record the identifiers of the encryption scheme and key used in the encrypted storage data item information. When decrypting, a service subsystem accessing the encrypted storage data item information can determine the corresponding encryption scheme and key from those stored identifiers and decrypt correctly, which avoids interrupting the service subsystem's access to service data during the upgrade and improves user experience.
The following describes in detail, for the specific case where the service interface is an API, how a service subsystem acting as service caller and one acting as service provider keep the API compatible when the encryption definition of the API, the transmission key configuration, and so on change.
Scenario 1: the API gains parameters that require encryption
For example, subsystem 3 provides a service API_1. Parameter 11 in the request message of API_1 and parameter 12 in its response message were originally not encrypted, and the encrypted version of API_1 was originally AEV1. If the encrypted version of API_1 is changed to AEV2, parameters 11 and 12 are added to the encrypted parameter list in AEV2.
Assume subsystems 1 and 2 both call API_1 and subsystem 1 is upgraded first, so it calls API_1 with the new encrypted version AEV2. When subsystem 1 encrypts a request message with the encryption/decryption SDK, the SDK looks up the encryption definition of API_1 for the encrypted version AEV2 specified by subsystem 1, finds the currently valid key from the encryption scheme in that definition and the key group configured in the transmission key configuration between subsystem 1 and subsystem 3, encrypts parameter 11, and sends the encrypted version AEV2, the key ID and the ciphertext together. Subsystem 2 has not yet been upgraded and still calls with the old encrypted version AEV1.
When subsystem 3 receives the API_1 request message from subsystem 1, it decrypts it with the SDK according to the encrypted version AEV2 carried in the message: the SDK determines from AEV2 that parameter 11 must be decrypted, takes the key ID from the ciphertext of parameter 11, determines the encryption scheme ID from the encryption definition of AEV2, and decrypts accordingly. When subsystem 3 returns the response message to subsystem 1, it encrypts the response with the SDK: the SDK determines from AEV2 that parameter 12 must be encrypted, encrypts it with the encryption scheme ID bound to AEV2 and the currently valid key from the key group in the transmission key configuration, and sends the encrypted version AEV2, the key ID and the ciphertext together. Subsystem 1 receives the response, decrypts it with the SDK, determines from AEV2 that parameter 12 must be decrypted, takes the key ID from the ciphertext of parameter 12, determines the encryption scheme ID from the encryption definition of AEV2, and decrypts accordingly.
When subsystem 3 receives the API_1 request message from subsystem 2, it decrypts with the SDK according to the encrypted version AEV1 carried in the message; the SDK determines from AEV1 that parameter 11 is not in the encrypted parameter list and performs no decryption. Likewise, when building the response it finds that parameter 12 is not to be encrypted. Subsystem 2 receives the response and, again based on AEV1, finds that parameter 12 needs no decryption.
Scene 2: modifying a key or a key set in a key set; wherein, modifying the key or key group configuration in the key group will not result in the change of the API encrypted version
Assuming that the subsystem 1 calls the API _1 of the subsystem 3, when the subsystem 1 encrypts the request message, it uses the current key 1 in the key group 1, and after the subsystem 1 sends the request message, the security administrator changes the current key of the key group to be the key 2 (the original key 1 still exists, but the currently valid key is changed to be the key 2). After the subsystem 3 receives the request message, the request message needs to be decrypted, and because the subsystem 1 stores the key ID in the cipher text when the encryption and decryption SDK is used for encrypting the message, the subsystem 3 does not decrypt according to the current effective key in the key group but finds the original key for decryption according to the key ID stored in the cipher text when decrypting, and can still successfully decrypt the request message.
Since the subsystem 1 stores the key ID in the ciphertext when encrypting the message using the encryption/decryption SDK, even if the subsystem 1 is modified to invoke the key group ID of the subsystem 3, the decryption of the message is not affected.
Scene 3: modifying encryption schemes
Wherein modifying the encryption scheme ID in the encryption definition of the API results in a change to the encrypted version of the API. It should be noted that, a calling process for modifying the encryption scheme is similar to the process in the scenario 1, and reference is specifically made to the description in the scenario 1, and details of the embodiment of the present application are not described herein again.
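The three scenarios above can be exercised end to end in a small model. The Python below is an added example written for this page, not the patent's encryption/decryption SDK or any Huawei code. The data layout is assumed: encryption definitions keyed by encrypted version, keys with validity periods grouped into transmission key groups per caller/provider pair, a dict of key_id/nonce/ct as the ciphertext information, and two toy "schemes" S1 and S2 that differ only in nonce length. The SHA-256 keystream cipher is unauthenticated and for illustration only; a real scheme would use an AEAD and bind the encrypted version and key ID as associated data so they cannot be swapped on the wire.

```python
"""Added example: API transport encryption across encrypted versions, key rotation and
scheme changes (scenarios 1-3). Toy model of the page's mechanism, not the patent's SDK."""
import hashlib
import os
from datetime import datetime, timedelta, timezone


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (illustration only, NOT secure): XOR data with SHA-256 blocks."""
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)       # assumed clock for the example
DAY = timedelta(days=1)

# --- encryption management information, as the information management device would push it ---
SCHEMES = {"S1": 8, "S2": 16}       # scheme ID -> nonce length; the only (assumed) difference between them
KEYS = {                            # key ID -> key material and encryption validity period
    "K1": {"key": b"\x11" * 32, "valid_from": NOW - 30 * DAY, "valid_to": NOW + 30 * DAY},
    "K2": {"key": b"\x22" * 32, "valid_from": NOW + 30 * DAY, "valid_to": NOW + 90 * DAY},
    "K9": {"key": b"\x99" * 32, "valid_from": NOW - 30 * DAY, "valid_to": NOW + 90 * DAY},
}
KEY_GROUPS = {                      # transmission key group per (caller, provider) pair
    "KG_sub1_sub3": ["K1", "K2"],
    "KG_sub2_sub3": ["K9"],
}
ENCRYPTION_DEFINITIONS = {          # encrypted version -> scheme and parameters to encrypt
    "AEV1": {"scheme": "S1", "request": [], "response": []},
    "AEV2": {"scheme": "S1", "request": ["param11"], "response": ["param12"]},
    "AEV3": {"scheme": "S2", "request": ["param11"], "response": ["param12"]},  # scenario 3
}


def current_key(group_id: str, at: datetime = NOW):
    """Pick the key of the group whose validity period contains `at` (the 'currently valid key')."""
    for key_id in KEY_GROUPS[group_id]:
        entry = KEYS[key_id]
        if entry["valid_from"] <= at < entry["valid_to"]:
            return key_id, entry["key"]
    raise LookupError(f"no key in {group_id} is valid at {at.isoformat()}")


def encrypt_message(version: str, direction: str, params: dict, group_id: str, at: datetime = NOW) -> dict:
    """Sender side: encrypt the parameters the version's definition lists for `direction`."""
    defn = ENCRYPTION_DEFINITIONS[version]
    key_id, key = current_key(group_id, at)
    out = {}
    for name, value in params.items():
        if name in defn[direction]:
            nonce = os.urandom(SCHEMES[defn["scheme"]])
            ct = _xor_keystream(key, nonce, value.encode())
            out[name] = {"key_id": key_id, "nonce": nonce.hex(), "ct": ct.hex()}  # ciphertext information
        else:
            out[name] = value
    return {"encrypted_version": version, "params": out}


def decrypt_message(message: dict, direction: str) -> dict:
    """Receiver side: scheme comes from the version in the message, key from the key ID in the ciphertext."""
    version = message["encrypted_version"]
    if version not in ENCRYPTION_DEFINITIONS:
        raise ValueError(f"unknown encrypted version {version}")
    defn = ENCRYPTION_DEFINITIONS[version]
    out = {}
    for name, value in message["params"].items():
        if name not in defn[direction]:
            out[name] = value                      # not in this version's encrypted parameter list
            continue
        nonce = bytes.fromhex(value["nonce"])
        if len(nonce) != SCHEMES[defn["scheme"]]:
            raise ValueError(f"ciphertext of {name} does not match the scheme bound to {version}")
        key = KEYS[value["key_id"]]["key"]         # never the 'current' key: the one the sender used
        out[name] = _xor_keystream(key, nonce, bytes.fromhex(value["ct"])).decode()
    return out


def run_scenarios() -> dict:
    """Replay scenarios 1-3 with constructed messages and return the observable results."""
    req = {"param10": "order-42", "param11": "4111111111111111"}
    out = {}
    # Scenario 1: subsystem 1 is upgraded to AEV2, subsystem 2 still calls subsystem 3 with AEV1
    m1 = encrypt_message("AEV2", "request", req, "KG_sub1_sub3")
    out["s1_upgraded_wire"] = m1["params"]["param11"]["key_id"]
    out["s1_upgraded"] = decrypt_message(m1, "request")
    m2 = encrypt_message("AEV1", "request", req, "KG_sub2_sub3")
    out["s1_legacy_wire"] = m2["params"]["param11"]              # sent in clear under AEV1
    out["s1_legacy"] = decrypt_message(m2, "request")
    resp = encrypt_message("AEV2", "response", {"param12": "balance=100"}, "KG_sub1_sub3")
    out["s1_response"] = decrypt_message(resp, "response")
    # Scenario 2: K2 becomes the valid key 40 days later; m1 was sent under K1 and still decrypts
    out["s2_key_now"] = current_key("KG_sub1_sub3", NOW + 40 * DAY)[0]
    out["s2_old_message"] = decrypt_message(m1, "request")
    # Scenario 3: a scheme change is a new encrypted version (AEV3), carried in the message
    m3 = encrypt_message("AEV3", "request", req, "KG_sub1_sub3", at=NOW + 40 * DAY)
    out["s3_wire"] = (m3["params"]["param11"]["key_id"], len(bytes.fromhex(m3["params"]["param11"]["nonce"])))
    out["s3_new"] = decrypt_message(m3, "request")
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(k, v)
```

Decryption never consults the currently valid key: it resolves the key from the key ID carried in the ciphertext information, which is why the rotation in scenario 2 and the version skew in scenario 1 both succeed. An unknown encrypted version, or a nonce whose length does not match the scheme bound to that version, is rejected rather than guessed at.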
The following describes, through specific scenarios, how data compatibility is achieved when the encryption scheme and encryption key used to encrypt a stored data item change.
Scenario 4: a data item that originally did not require encryption is changed to require encryption
For example, data item DI1 originally did not need to be stored encrypted (assume 100,000 records are currently stored in field Column1 of Table1 in the database). After subsystem 1 is upgraded, encrypted storage data item information is configured for DI1, and data newly stored in DI1 is encrypted: subsystem 1 calls the encryption/decryption SDK, which finds the corresponding encrypted storage key group from the data item ID, finds the currently valid key, encrypts, and stores the ciphertext in the table.
When subsystem 1 reads DI1 data from the table for use, it calls the SDK to decrypt. The SDK checks the encryption identifier in the stored value to decide whether the data was encrypted at all; if not, it returns the original data unchanged, and if so, it finds the corresponding scheme and key from the encryption scheme ID and encryption key ID stored in the ciphertext, decrypts, and returns the plaintext.
Scene 5: modifying an encryption scheme for a data item
Since modifying the encryption scheme of a data item will only result in the data stored by subsequent encryption of that data item adopting a new encryption scheme. When data is decrypted when the data is taken out, the encryption and decryption SDK decrypts by adopting the corresponding encryption scheme according to the encryption scheme ID stored in the ciphertext, so that the data encrypted by the new encryption scheme or the data encrypted by the old encryption scheme can be successfully decrypted.
Scene 6: modifying an encryption key set
Since modifying the encryption key set of a data item will only result in the data stored by subsequent encryption of that data item using the new encryption key set. When the system takes out the data and decrypts the data, the encryption and decryption SDK decrypts the data by adopting the corresponding encryption scheme according to the secret key ID stored in the secret text, so that the data encrypted by the new encryption key set or the data encrypted by the old encryption key set can be successfully decrypted.
Scene 7: modifying keys in an encryption key set
Since modifying the key in the encryption key set of the data item only results in the data stored by subsequent encryption of the data item using the new encryption key. When the system decrypts the data when taking out the data, the encryption and decryption SDK decrypts the data by adopting the corresponding encryption key according to the encryption key ID stored in the cipher text, so that the data encrypted by the new encryption key or the data encrypted by the old encryption key can be successfully decrypted.
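The stored-data side of the design (scenarios 4 to 7, together with the data encryption update task of Table 30) is shown below as an added example written for this page; it is not the patent's SDK or any Huawei code. The stored-value format ("ENC:" marker, scheme ID, key ID, nonce and ciphertext joined by colons), the flat key table with globally unique key IDs, the "current key per key group" pointer, and the same toy SHA-256 keystream cipher as in the transport example are assumptions; a production system would use an AEAD and an agreed binary envelope. The update task is run in batches so that its state and progress columns are observable mid-way.

```python
"""Added example: encrypted storage of a data item whose scheme and key change over time,
plus the data encryption update task of Table 30 (scenarios 4-7). Not the patent's SDK."""
import hashlib
import os
from dataclasses import dataclass


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (illustration only, NOT secure): XOR data with SHA-256 blocks."""
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


SCHEMES = {"S1": 8, "S2": 16}                          # scheme ID -> nonce length (assumed toy distinction)
STORAGE_KEYS = {"SK1": b"\x01" * 32, "SK2": b"\x02" * 32, "SK3": b"\x03" * 32}   # key ID -> key (IDs unique)
STORAGE_KEY_GROUPS = {"SKG1": "SK1", "SKG2": "SK3"}    # key group ID -> its currently valid key ID
STORAGE_CONFIG = {"DI1": {"scheme": "S1", "key_group": "SKG1"}}   # encrypted storage data item information
ENC_MARK = "ENC:"   # encryption identifier: distinguishes ciphertext from legacy plaintext rows


def encrypt_item(data_item_id: str, plaintext: str) -> str:
    """Encrypt with the scheme/key currently configured for the item; record both IDs in the stored value."""
    cfg = STORAGE_CONFIG[data_item_id]
    key_id = STORAGE_KEY_GROUPS[cfg["key_group"]]
    nonce = os.urandom(SCHEMES[cfg["scheme"]])
    ct = _xor_keystream(STORAGE_KEYS[key_id], nonce, plaintext.encode())
    return f"{ENC_MARK}{cfg['scheme']}:{key_id}:{nonce.hex()}:{ct.hex()}"


def decrypt_item(stored: str) -> str:
    """Return legacy rows as-is; otherwise decrypt with the scheme/key IDs recorded in the row."""
    if not stored.startswith(ENC_MARK):
        return stored                                   # scenario 4: written before encryption was enabled
    scheme_id, key_id, nonce_hex, ct_hex = stored[len(ENC_MARK):].split(":")
    nonce = bytes.fromhex(nonce_hex)
    if len(nonce) != SCHEMES[scheme_id]:
        raise ValueError(f"stored value does not match scheme {scheme_id}")
    return _xor_keystream(STORAGE_KEYS[key_id], nonce, bytes.fromhex(ct_hex)).decode()


def needs_update(stored: str, data_item_id: str) -> bool:
    """A row needs re-encryption if it is unencrypted or not under the item's current scheme and key."""
    if not stored.startswith(ENC_MARK):
        return True
    scheme_id, key_id = stored[len(ENC_MARK):].split(":")[:2]
    cfg = STORAGE_CONFIG[data_item_id]
    return scheme_id != cfg["scheme"] or key_id != STORAGE_KEY_GROUPS[cfg["key_group"]]


@dataclass
class EncryptionUpdateTask:          # the fields of Table 30
    task_id: str
    data_item_id: str
    state: str = "not_started"       # not_started | in_progress | completed
    progress: int = 0                # rows processed so far


def run_update_task(task: EncryptionUpdateTask, table: list, batch_size: int) -> str:
    """Process one batch: decrypt each row with its recorded IDs, re-encrypt with the current ones."""
    task.state = "in_progress"
    end = min(task.progress + batch_size, len(table))
    for i in range(task.progress, end):
        if needs_update(table[i], task.data_item_id):
            table[i] = encrypt_item(task.data_item_id, decrypt_item(table[i]))
    task.progress = end
    if task.progress == len(table):
        task.state = "completed"
    return task.state


def run_scenarios() -> dict:
    """Replay scenarios 4-7 on a constructed Table1.Column1 and return the observable results."""
    STORAGE_CONFIG["DI1"] = {"scheme": "S1", "key_group": "SKG1"}   # reset so the run is repeatable
    STORAGE_KEY_GROUPS["SKG1"] = "SK1"
    table1 = ["alice", "bob", "carol", "dave"]                   # constructed legacy rows, stored in clear
    table1.append(encrypt_item("DI1", "erin"))                    # scenario 4: new writes are encrypted
    out = {"mixed_read": [decrypt_item(v) for v in table1]}       # read path copes with both kinds
    task = EncryptionUpdateTask("T1", "DI1")
    out["after_batch1"] = (run_update_task(task, table1, 3), task.progress)
    out["after_batch2"] = (run_update_task(task, table1, 3), task.progress)
    out["all_current"] = not any(needs_update(v, "DI1") for v in table1)
    STORAGE_CONFIG["DI1"]["scheme"] = "S2"                         # scenario 5: new scheme
    STORAGE_KEY_GROUPS["SKG1"] = "SK2"                            # scenario 7: new key in the group
    table1.append(encrypt_item("DI1", "frank"))
    STORAGE_CONFIG["DI1"]["key_group"] = "SKG2"                   # scenario 6: new key group
    table1.append(encrypt_item("DI1", "grace"))
    out["ids_per_row"] = [v.split(":")[1:3] for v in table1]
    out["final_read"] = [decrypt_item(v) for v in table1]         # old and new rows both decrypt
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(k, v)
```

The read path never needs to know which configuration was in force when a row was written: the row itself names the scheme and key, and the legacy marker check handles rows that predate encryption. The update task only rewrites rows that `needs_update` flags, so re-running it after a scheme or key change is idempotent, and retired keys must stay resolvable by ID until the task reports completed.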
The above description introduces the scheme provided by the embodiments of this application mainly from the perspective of interaction between the devices. It is understood that, to implement the above functions, each device, such as the first service subsystem, the second service subsystem and the information management device, includes a corresponding hardware structure and/or software module for performing each function. Those skilled in the art will readily appreciate that the various illustrative devices and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or as a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and the design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as departing from the scope of this application.
In the embodiments of this application, the first service subsystem, the second service subsystem, the information management device and so on may be divided into functional modules according to the above method examples; for example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. An integrated module may be implemented in hardware or as a software functional module. It should be noted that the division of modules in the embodiments of this application is schematic and is only one logical division; there may be other divisions in actual implementation.
Fig. 9 shows a possible structure diagram of the first service subsystem involved in the above embodiment, in the case of dividing each functional module by corresponding functions. The first service subsystem 300 includes: a determination unit 301, an encryption unit 302, and a transmission unit 303. Wherein, the determining unit 301 is configured to execute step 201 in fig. 2, step 210 in fig. 5, and step 212 in fig. 6; the encryption unit 302 is configured to perform step 202 in fig. 2 and step 211 in fig. 5; the sending unit 303 is configured to execute step 203 in fig. 2 and step 206 in fig. 3. Further, the first service subsystem 300 further includes: a receiving unit 304 and a decryption unit 305. Wherein, the receiving unit 304 is used for receiving the encryption management information sent in step 207 in fig. 3 and receiving the encryption management information pushed in step 208 in fig. 4; the decryption unit 305 is configured to perform step 213 in fig. 6. All relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
Fig. 10 shows a schematic diagram of a possible logical structure of the first service subsystem in the case of an integrated unit. The first service subsystem 310 includes: a processor 312, a communication interface 313, a memory 311, and a bus 314. The processor 312, the communication interface 313, and the memory 311 are connected to each other by a bus 314. In an embodiment of the present application, the processor 312 may be configured to control and manage the actions of the first service subsystem 310, for example, the processor 312 is configured to perform steps 201 to 202 in fig. 2, steps 210 to 211 in fig. 5, and steps 212 to 213 in fig. 6, and/or other processes for the techniques described herein. And a communication interface 313, which can be used for communication with the second service subsystem and the information management device. The memory 311 may be used to store program codes and data for the first service subsystem 310.
Processor 312 may be a central processing unit, a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, transistor logic, a hardware component, or any combination thereof. It may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor may also be a combination of computing functions, for example one or more microprocessors, or a digital signal processor together with a microprocessor. The bus 314 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 10, but this is not intended to represent only one bus or type of bus.
In the case of dividing the functional modules according to the respective functions, fig. 11 shows a possible structural diagram of the second service subsystem involved in the above embodiment. The second service subsystem 400 includes: a receiving unit 401, a determining unit 402 and a decrypting unit 403. Wherein, the receiving unit 401 is configured to receive the service message sent in step 203 in fig. 2, receive the encryption management information sent in step 206 in fig. 3, and receive the encryption management information pushed in step 208 in fig. 4; the determining unit 402 is configured to perform step 204 in fig. 2, step 210 in fig. 5, and step 212 in fig. 6; decryption unit 403 is used to perform step 205 in fig. 2, and step 213 in fig. 6. Further, the second service subsystem 400 further includes: a transmitting unit 404 and an encrypting unit 405. Wherein, the sending unit 404 is configured to execute step 206 in fig. 3 and step 209 in fig. 4; the encryption unit 405 is used to perform step 211 in fig. 5. All relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
In the case of an integrated unit, fig. 12 shows a schematic diagram of a possible logical structure of the second service subsystem. The second service subsystem 410 includes: a processor 412, a communication interface 413, a memory 411, and a bus 414. The processor 412, communication interface 413, and memory 411 are connected to each other by a bus 414. In an embodiment of the present application, the processor 412 may be configured to control and manage the actions of the second service subsystem 410, for example, the processor 412 may be configured to perform steps 204-205 in fig. 2, steps 210-211 in fig. 5, and steps 212-213 in fig. 6, and/or other processes for the techniques described herein. And a communication interface 413 which can be used for communication with the first service subsystem and the information management device. The memory 411 may be used to store program codes and data for the second service subsystem 410.
The processor 412 may be a central processing unit, a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, transistor logic, a hardware component, or any combination thereof. It may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor may also be a combination of computing functions, for example one or more microprocessors, or a digital signal processor together with a microprocessor. The bus 414 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 12, but this is not intended to represent only one bus or type of bus.
In the case where functional modules are divided according to their functions, fig. 1 shows a possible structure of the information management apparatus in the above embodiment. The information management apparatus 103 includes: a transceiving unit 1031, a storage unit 1032 and a processing unit 1033. The transceiving unit 1031 is configured to receive the information acquisition request sent in step 206 of fig. 3 and the response message sent in step 209 of fig. 4; the transceiving unit 1031 is further configured to perform step 207 in fig. 3 and step 209 in fig. 4; the storage unit 1032 is configured to store the encryption management information of the service subsystems; the processing unit 1033 is configured to perform step 214 in fig. 7 and step 216 in fig. 8; the processing unit 1033 is also configured to perform step 215 in fig. 7; the processing unit 1033 is further configured to perform step 217 of fig. 8. For all relevant details of each step in the above method embodiment, refer to the functional description of the corresponding functional module; they are not repeated here.
In the case of using an integrated unit, fig. 13 shows a schematic diagram of a possible logical structure of the information management apparatus. The information management apparatus 500 includes: a processor 502, a communication interface 503, a memory 501, and a bus 504. The processor 502, the communication interface 503, and the memory 501 are connected to each other by a bus 504. In an embodiment of the present application, processor 502 may be configured to control and manage actions of information management apparatus 500, for example, processor 502 may be configured to perform steps 214-215 in fig. 7, steps 216-217 in fig. 8, and/or other processes for the techniques described herein. The communication interface 503 may be used for communication with the first service subsystem and the second service subsystem. The memory 501 may be used to store program codes and data for the information management apparatus 500.
The processor 502 may be a central processing unit, a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, transistor logic, a hardware component, or any combination thereof. It may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor may also be a combination of computing functions, for example one or more microprocessors, or a digital signal processor together with a microprocessor. The bus 504 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 13, but this is not intended to represent only one bus or type of bus.
In another embodiment of the present application, a computer-readable storage medium is further provided, in which computer-executable instructions are stored, and when the at least one processor of the device executes the computer-executable instructions, the device performs the steps of the first service subsystem, the steps of the second service subsystem, or the steps of the information management device in the method for managing encrypted information provided in any one of the illustrated embodiments of fig. 2 to 8.
In another embodiment of the present application, there is also provided a computer program product comprising computer executable instructions stored in a computer readable storage medium; the computer-executable instructions may be read by at least one processor of the device from a computer-readable storage medium, and execution of the computer-executable instructions by the at least one processor causes the device to perform the steps of the first service subsystem, the steps of the second service subsystem, or the steps of the information management device in the method of managing encrypted information provided by any of the illustrated embodiments of fig. 2-8 described above.
In another embodiment of the present application, there is also provided a system including a first service subsystem, a second service subsystem, and an information management device. The first service subsystem may be the first service subsystem shown in either of fig. 9-10, and/or the second service subsystem may be the second service subsystem shown in either of fig. 11-12, and/or the information management device may be the information management device shown in fig. 1 or fig. 13. The first service subsystem is configured to perform the steps of the first service subsystem in the method for managing encrypted information provided by any of the illustrated embodiments of fig. 2-8; the second service subsystem is configured to perform the steps of the second service subsystem in the method for managing encrypted information provided by any of the illustrated embodiments of fig. 2-8; and the information management device is configured to perform the steps of the information management device in the method for managing encrypted information provided by any of the illustrated embodiments of fig. 2-8.
In the system provided by the embodiments of this application, the service interface is bound to the encrypted version it uses, and the identifier of the key used for encryption and the identifier of the encrypted version are carried in the service message. The caller and the provider of the service interface can therefore agree, from the encryption definition of that encrypted version, on which parameters must be encrypted, and can look up the corresponding key and encryption scheme from the key identifier in the service message and the encryption management information acquired in advance, so that decryption is correct.
In addition, the encryption management information of the distributed service system is managed centrally by a single information management device, which can send each service subsystem its own encryption management information when the encryption algorithm is upgraded, when keys are periodically updated, or when a service subsystem's encryption management information is damaged or lost, thereby achieving centralized management and encryption upgrade of the encryption information of every service subsystem.
Therefore, the embodiments of this application allow upgrade operations such as upgrading the encryption algorithm and periodically updating the encryption key to be carried out safely, support upgrading each service subsystem step by step, require no change to the interface definition of the service interface, and avoid service interruption during an encryption upgrade. At the same time, centralized management by the information management device reduces the risk of key leakage that arises when each service subsystem stores keys separately, and reduces the burden on service subsystems of storing and configuring keys.
Finally, it should be noted that: the above description is only an embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (22)

1. A method for managing encrypted information, wherein the method is applied to a distributed service system, the service system comprises at least a first service subsystem and a second service subsystem, and the method comprises:
the first service subsystem determining the encrypted version used by the service interface to be called, querying the encryption definition corresponding to that encrypted version in encryption management information acquired in advance, and querying the encryption management information for a first key used for transmission encryption between the first service subsystem and the second service subsystem; wherein the encryption definition indicates the parameters of the service interface that need encryption and the identifier of the encryption scheme to be adopted;
the first service subsystem encrypting the parameter of the service interface that the encryption definition indicates needs encryption, using the first key and the first encryption scheme indicated in the encryption definition, to obtain ciphertext information; wherein the ciphertext information comprises the identifier of the first key and the ciphertext data of the encrypted parameter;
the first service subsystem sending a service message to the second service subsystem, wherein the service message comprises the identifier of the encrypted version and the ciphertext information;
wherein the first service subsystem querying the encryption management information for the first key used for the current encryption further comprises:
the first service subsystem querying the encryption management information for the key group used for transmission encryption between the first service subsystem and the second service subsystem; wherein the key group comprises at least one key, and each key corresponds to an encryption validity period;
and the first service subsystem selecting the currently valid key as the first key according to the encryption validity period of each key.
2. The method according to claim 1, wherein before the first service subsystem queries the encryption definition corresponding to the encrypted version in the encryption management information acquired in advance, the method further comprises:
the first service subsystem sending an information acquisition request to an information management device and receiving the encryption management information sent by the information management device; or,
the first service subsystem receiving the encryption management information pushed by the information management device;
wherein the encryption management information includes: the encryption definitions corresponding to different encrypted versions, different encryption schemes, key group information used for transmission encryption between different service subsystems, and key information in each key group.
3. The method of claim 1, further comprising:
the first service subsystem inquires a second encryption scheme and a second key for encrypting a specified data item from the encryption management information;
the first service subsystem encrypts the specified data item according to the second encryption scheme and the second key to obtain encrypted storage data item information; wherein the encrypted storage data item information includes a second encryption scheme identification and a second key identification.
4. The method of claim 3, wherein after the first service subsystem encrypts the specified data item according to the second encryption scheme and the second key to obtain encrypted storage data item information, the method further comprises:
the first service subsystem acquires the second encryption scheme and the second key from the encryption management information according to the second encryption scheme identifier and the second key identifier included in the encrypted storage data item information;
and the first service subsystem decrypts the encrypted storage data item information according to the second encryption scheme and a second key to obtain the specified data item.
5. A method for managing encrypted information, wherein the method is applied to a distributed service system, the service system comprises at least a first service subsystem and a second service subsystem, and the method comprises:
the second service subsystem receiving a service message; wherein the service message comprises an identifier of an encrypted version and ciphertext information; the ciphertext information comprises an identifier of a first key and ciphertext data obtained by encrypting a parameter that needs encryption in the service interface called by the first service subsystem; and the identifier of the encrypted version indicates the encrypted version used by the service interface called by the first service subsystem;
the second service subsystem querying, according to the identifier of the encrypted version, the encryption definition corresponding to that encrypted version in encryption management information acquired in advance, and querying the encryption management information, according to the identifier of the first key, for the first key used for transmission decryption between the first service subsystem and the second service subsystem; wherein the encryption definition indicates the parameters of the service interface that need encryption and the identifier of the encryption scheme to be adopted;
the second service subsystem decrypting the ciphertext data of the encrypted parameter using the first key and the first encryption scheme indicated in the encryption definition;
wherein the second service subsystem querying the encryption management information, according to the identifier of the first key, for the first key used for the current decryption comprises:
the second service subsystem querying the key group used for transmission encryption between the first service subsystem and the second service subsystem; wherein the key group comprises at least one key, and each key corresponds to an encryption validity period;
and the second service subsystem selecting, from the at least one key, the first key corresponding to the identifier of the first key.
6. The method of claim 5, wherein before the second service subsystem receives the service message, the method further comprises:
the second service subsystem sends an information acquisition request to an information management device and receives the encryption management information sent by the information management device; or, alternatively,
the second service subsystem receives the encryption management information pushed by the information management device;
wherein the encryption management information includes: the encryption definitions corresponding to different encryption versions, the different encryption schemes, key group information used for transmission encryption between different service subsystems, and the key information in each key group.
7. The method of claim 5, further comprising:
the second service subsystem inquires a second encryption scheme and a second key for encrypting the specified data item from the encryption management information;
the second service subsystem encrypts the specified data item according to the second encryption scheme and the second key to obtain encrypted storage data item information; wherein the encrypted storage data item information includes a second encryption scheme identification and a second key identification.
8. The method of claim 7, wherein after the second service subsystem encrypts the specified data item according to the second encryption scheme and the second key to obtain encrypted storage data item information, the method further comprises:
the second service subsystem acquires the second encryption scheme and the second key from the encryption management information according to the second encryption scheme identifier and the second key identifier included in the encrypted storage data item information;
and the second service subsystem decrypts the encrypted storage data item information according to the second encryption scheme and the second key to obtain the specified data item.
9. A method for managing encrypted information, wherein the method is applied to an information management device, the information management device is used for managing a distributed service system, the service system includes at least two service subsystems, and the method includes:
the information management device receives an information acquisition request sent by a service subsystem and sends encryption management information to the service subsystem; or, alternatively,
the information management device pushes the encryption management information to the service subsystem;
wherein the encryption management information includes: the encryption definitions corresponding to different encryption versions, the different encryption schemes, key group information used for transmission encryption between different service subsystems, and the key information in each key group;
the encryption version is the encryption version used by a service interface, and the encryption definition corresponding to the encryption version indicates the parameters that need to be encrypted in the service interface and an identifier of the encryption scheme to be adopted.
10. The method of claim 9, further comprising:
the information management device queries a second encryption scheme and a second key for encrypting a specified data item from the encryption management information;
the information management device encrypts the specified data item according to the second encryption scheme and the second key to obtain encrypted storage data item information; wherein the encrypted storage data item information includes a second encryption scheme identifier and a second key identifier.
11. The method according to claim 10, wherein after the information management device encrypts the specified data item according to the second encryption scheme and the second key to obtain encrypted storage data item information, the method further comprises:
the information management device acquires the second encryption scheme and the second key from the encryption management information according to the second encryption scheme identifier and the second key identifier included in the encrypted storage data item information;
and the information management device decrypts the encrypted storage data item information according to the second encryption scheme and the second key to obtain the specified data item.
12. A service subsystem, wherein the service subsystem is a first service subsystem in a distributed service system, the service system further includes at least a second service subsystem, and the first service subsystem includes:
a determining unit, configured to determine an encryption version used by a service interface to be invoked, query an encryption definition corresponding to the encryption version in encryption management information acquired in advance, and query a first key used for transmission encryption between the first service subsystem and the second service subsystem from the encryption management information; the encryption definition indicates the parameters that need to be encrypted in the service interface and an identifier of the encryption scheme to be adopted;
an encryption unit, configured to encrypt the parameters of the service interface that the encryption definition indicates need to be encrypted, using the first key and a first encryption scheme indicated in the encryption definition, to obtain ciphertext information; the ciphertext information comprises an identifier of the first key and the ciphertext data of the encrypted parameters;
a sending unit, configured to send a service message to the second service subsystem, where the service message includes the identifier of the encryption version and the ciphertext information;
wherein the determining unit is specifically configured to:
query a key group used for transmission encryption between the first service subsystem and the second service subsystem from the encryption management information; wherein the key group comprises at least one key, and each key corresponds to an encryption validity period;
and selecting the currently valid key as the first key according to the encryption validity period of each key.
13. The service subsystem of claim 12,
the sending unit is further configured to send an information acquisition request to an information management device; the service subsystem further comprises: a receiving unit configured to receive the encryption management information sent by the information management device; or, alternatively,
the service subsystem further comprises: a receiving unit, configured to receive the encryption management information pushed by the information management device;
wherein the encryption management information includes: the encryption definitions corresponding to different encryption versions, the different encryption schemes, key group information used for transmission encryption between different service subsystems, and the key information in each key group.
14. The service subsystem of claim 12,
the determining unit is further configured to query, from the encryption management information, a second encryption scheme and a second key for encrypting a specified data item;
the encryption unit is further configured to encrypt the specified data item according to the second encryption scheme and the second key to obtain encrypted storage data item information; wherein the encrypted storage data item information includes a second encryption scheme identification and a second key identification.
15. The service subsystem of claim 14,
the determining unit is further configured to obtain the second encryption scheme and the second key from the encryption management information according to the second encryption scheme identifier and the second key identifier included in the encrypted storage data item information;
the service subsystem further comprises: and the decryption unit is used for decrypting the encrypted storage data item information according to the second encryption scheme and the second key to obtain the specified data item.
16. A service subsystem, wherein the service subsystem is a second service subsystem in a distributed service system, and wherein the service system further comprises a first service subsystem, and wherein the service subsystem comprises:
a receiving unit, configured to receive a service message; the service message comprises an encryption version identifier and ciphertext information; the ciphertext information comprises an identifier of a first key and ciphertext data obtained by encrypting the parameters that need to be encrypted in a service interface called by the first service subsystem; the encryption version identifier indicates the encryption version used by the service interface called by the first service subsystem;
a determining unit, configured to query, according to the encryption version identifier, an encryption definition corresponding to the encryption version in encryption management information obtained in advance, and query, according to the identifier of the first key, the first key used for transmission encryption and decryption between the first service subsystem and the second service subsystem from the encryption management information; the encryption definition indicates the parameters that need to be encrypted in the service interface and an identifier of the encryption scheme to be adopted;
a decryption unit, configured to decrypt the ciphertext data of the encrypted parameters using the first key and a first encryption scheme indicated in the encryption definition;
wherein, the determining unit is specifically configured to:
query a key group used for transmission encryption between the first service subsystem and the second service subsystem; wherein the key group comprises at least one key, and each key corresponds to an encryption validity period;
and selecting a first key corresponding to the identifier of the first key from the at least one key according to the identifier of the first key.
17. The service subsystem of claim 16,
the service subsystem further comprises: a sending unit configured to send an information acquisition request to an information management device; the receiving unit is further configured to receive the encryption management information sent by the information management device; or, alternatively,
the receiving unit is further configured to receive the encryption management information pushed by the information management device;
wherein the encryption management information includes: the encryption definitions corresponding to different encryption versions, the different encryption schemes, key group information used for transmission encryption between different service subsystems, and the key information in each key group.
18. The service subsystem of claim 16,
the determining unit is further configured to query, from the encryption management information, a second encryption scheme and a second key for encrypting a specified data item;
the service subsystem further comprises: the encryption unit is used for encrypting the specified data item according to the second encryption scheme and the second key to obtain encrypted storage data item information; wherein the encrypted storage data item information includes a second encryption scheme identification and a second key identification.
19. The service subsystem of claim 18,
the determining unit is further configured to obtain the second encryption scheme and the second key from the encryption management information according to the second encryption scheme identifier and the second key identifier included in the encrypted storage data item information;
and the decryption unit is further configured to decrypt the encrypted storage data item information according to the second encryption scheme and the second key to obtain the specified data item.
20. An information management apparatus for managing a distributed service system including at least two service subsystems, the information management apparatus comprising:
the storage unit is used for storing the encryption management information of the service subsystem;
a transceiving unit, configured to receive an information acquisition request sent by a service subsystem and send the encryption management information to the service subsystem; or, alternatively,
the transceiving unit is further configured to push the encryption management information to the service subsystem;
wherein the encryption management information includes: the encryption definitions corresponding to different encryption versions, the different encryption schemes, key group information used for transmission encryption between different service subsystems, and the key information in each key group;
the encryption version is the encryption version used by a service interface, and the encryption definition corresponding to the encryption version indicates the parameters that need to be encrypted in the service interface and an identifier of the encryption scheme to be adopted.
21. The information management apparatus according to claim 20, characterized by further comprising:
a processing unit configured to query a second encryption scheme and a second key for encrypting a specified data item from the encryption management information;
the processing unit is further configured to encrypt the specified data item according to the second encryption scheme and the second key to obtain encrypted storage data item information; wherein the encrypted storage data item information includes a second encryption scheme identifier and a second key identifier.
22. The information management apparatus according to claim 21,
the processing unit is further configured to obtain the second encryption scheme and the second key from the encryption management information according to the second encryption scheme identifier and the second key identifier included in the encrypted storage data item information;
and the processing unit is further configured to decrypt the encrypted storage data item information according to the second encryption scheme and the second key to obtain the specified data item.
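The transmission and storage encryption the claims describe, modelled end to end as an added example that is not the patent's own code. Everything in it is constructed: the encryption management information is a literal dictionary standing in for what the information management device of claims 9 and 20 would deliver; the scheme behind scheme identifier S1 is an illustrative HMAC-SHA256 stream cipher with encrypt-then-MAC, since the claims name no algorithm; the nonce and authentication tag carried beside the key identifier are assumptions; and the subsystem names, key identifiers and validity periods are sample values. The sender picks the currently valid key of the key group (claims 1 and 12), the receiver resolves the definition by version identifier and the key by key identifier (claims 5 and 16), and a stored data item carries its own scheme and key identifiers so that it can be decrypted later (claims 3, 4, 7, 8, 10, 11).

```python
import hashlib
import hmac
import json
import os

# Constructed encryption management information (claims 6, 9, 13, 17, 20):
# encryption definitions per version, the scheme table, key groups with
# validity periods for transmission encryption, and keys for stored items.
ENCRYPTION_MANAGEMENT_INFO = {
    "definitions": {"v1": {"params": ["card_no", "id_no"], "scheme_id": "S1"}},
    "schemes": {"S1": "hmac-sha256-stream-etm"},
    "key_groups": {
        "subsysA|subsysB": [  # sample keys; validity periods in seconds
            {"key_id": "k1", "key": b"A" * 32, "valid_from": 0, "valid_to": 1000},
            {"key_id": "k2", "key": b"B" * 32, "valid_from": 1000, "valid_to": 2000},
        ]
    },
    "storage_keys": {"ks1": {"scheme_id": "S1", "key": b"C" * 32}},
}

def _keystream(key, nonce, length):
    """PRF keystream: HMAC-SHA256(enc_subkey, nonce || block counter)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _tag(key, nonce, ct):
    """Authentication tag over nonce and ciphertext with a separate MAC subkey."""
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def scheme_encrypt(key, plaintext):
    """Illustrative scheme behind identifier S1 (an assumption): stream XOR then MAC."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return {"nonce": nonce.hex(), "data": ct.hex(), "tag": _tag(key, nonce, ct).hex()}

def scheme_decrypt(key, blob):
    """Verify the tag before decrypting; a tampered blob or wrong key is rejected."""
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["data"])
    if not hmac.compare_digest(_tag(key, nonce, ct), bytes.fromhex(blob["tag"])):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

SCHEMES = {"hmac-sha256-stream-etm": (scheme_encrypt, scheme_decrypt)}

def _scheme(info, scheme_id):
    return SCHEMES[info["schemes"][scheme_id]]

def _key_group(info, a, b):
    return info["key_groups"]["|".join(sorted((a, b)))]

def select_current_key(info, sender, receiver, now):
    """Sender side (claims 1, 12): the key whose validity period covers now."""
    for entry in _key_group(info, sender, receiver):
        if entry["valid_from"] <= now < entry["valid_to"]:
            return entry
    raise LookupError("no transmission key is valid at this time")

def find_key_by_id(info, sender, receiver, key_id):
    """Receiver side (claims 5, 16): the key named by the identifier in the message."""
    for entry in _key_group(info, sender, receiver):
        if entry["key_id"] == key_id:
            return entry
    raise LookupError(f"unknown key identifier {key_id!r}")

def build_service_message(info, sender, receiver, version_id, request, now):
    """Encrypt only the parameters the definition marks; carry version id and key id."""
    definition = info["definitions"][version_id]
    encrypt, _ = _scheme(info, definition["scheme_id"])
    key_entry = select_current_key(info, sender, receiver, now)
    secret = {p: request[p] for p in definition["params"]}
    public = {p: v for p, v in request.items() if p not in definition["params"]}
    blob = encrypt(key_entry["key"], json.dumps(secret, sort_keys=True).encode())
    return {"enc_version": version_id, "params": public,
            "ciphertext": {"key_id": key_entry["key_id"], **blob}}

def open_service_message(info, sender, receiver, message):
    """Resolve the definition by version id and the key by key id, then decrypt."""
    definition = info["definitions"][message["enc_version"]]
    _, decrypt = _scheme(info, definition["scheme_id"])
    key_entry = find_key_by_id(info, sender, receiver, message["ciphertext"]["key_id"])
    secret = json.loads(decrypt(key_entry["key"], message["ciphertext"]))
    return {**message["params"], **secret}

def encrypt_stored_item(info, key_id, value):
    """Stored ciphertext carries its own scheme id and key id (claims 3, 7, 10)."""
    entry = info["storage_keys"][key_id]
    encrypt, _ = _scheme(info, entry["scheme_id"])
    return {"scheme_id": entry["scheme_id"], "key_id": key_id, **encrypt(entry["key"], value.encode())}

def decrypt_stored_item(info, item):
    """Recover scheme and key from the identifiers inside the item (claims 4, 8, 11)."""
    _, decrypt = _scheme(info, item["scheme_id"])
    return decrypt(info["storage_keys"][item["key_id"]]["key"], item).decode()
```

Because the key identifier travels with the ciphertext, a receiver can keep accepting messages encrypted under the previous key of the group during a rotation window while senders have already moved to the key whose validity period now applies; the receiver never guesses, it selects by identifier. The same property lets a stored item written under an old storage key remain decryptable after new keys are added, as long as the old key stays in the management information.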
CN201611264624.XA 2016-12-30 2016-12-30 Method and device for managing encryption information Active CN108270739B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611264624.XA CN108270739B (en) 2016-12-30 2016-12-30 Method and device for managing encryption information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611264624.XA CN108270739B (en) 2016-12-30 2016-12-30 Method and device for managing encryption information

Publications (2)

Publication Number Publication Date
CN108270739A CN108270739A (en) 2018-07-10
CN108270739B true CN108270739B (en) 2021-01-29

Family

ID=62755381

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611264624.XA Active CN108270739B (en) 2016-12-30 2016-12-30 Method and device for managing encryption information

Country Status (1)

Country Link
CN (1) CN108270739B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109274490B (en) * 2018-09-25 2021-12-17 苏州科达科技股份有限公司 SRTP code stream master key updating method, system, equipment and storage medium
CN109088783A (en) * 2018-11-01 2018-12-25 郑州云海信息技术有限公司 Refresh progress acquisition methods, device and equipment between whole machine cabinet server multistage
CN110162988A (en) * 2019-05-22 2019-08-23 咪付(深圳)网络技术有限公司 A kind of sensitive data encryption method based on operation system
CN110635905B (en) * 2019-09-30 2022-04-08 重庆小雨点小额贷款有限公司 Key management method, related equipment and computer readable storage medium
WO2021184264A1 (en) * 2020-03-18 2021-09-23 华为技术有限公司 Data saving method, data access method, and related apparatus and device
CN111600879B (en) * 2020-05-14 2023-02-17 杭州海康威视数字技术股份有限公司 Data output/acquisition method and device and electronic equipment
CN114095152A (en) * 2020-08-03 2022-02-25 天翼电子商务有限公司 Method, system, medium and apparatus for updating key and encrypting and decrypting data
CN112532387B (en) * 2020-11-27 2022-12-30 上海爱数信息技术股份有限公司 Key service operation system and method thereof

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6577734B1 (en) * 1995-10-31 2003-06-10 Lucent Technologies Inc. Data encryption key management system
CN100403673C (en) * 2002-12-26 2008-07-16 成都卫士通信息产业股份有限公司 Seamless key exchanging technology based on secret communication
US20050177713A1 (en) * 2004-02-05 2005-08-11 Peter Sim Multi-protocol network encryption system
JP4770494B2 (en) * 2006-02-03 2011-09-14 株式会社日立製作所 Cryptographic communication method and system
US20100042841A1 (en) * 2008-08-15 2010-02-18 Neal King Updating and Distributing Encryption Keys
CN104580189B (en) * 2014-12-30 2019-02-12 北京奇虎科技有限公司 A kind of safe communication system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Secure management of key distribution in cloud scenarios; Zongmin Cui, Hong Zhu, Jing Yu; Proceedings of 2014 International Conference on Cloud Computing and Internet of Things; 2015-03-19; pp. 18-21 *
An identity-based hierarchical group key management scheme for space networks (一种基于身份的层次式空间网络组密钥管理方案); Jiang Zihui, Lei Fengyu; Computer Science (计算机科学); 2015-11-15; vol. 42, no. 11A; pp. 333-340 *

Also Published As

Publication number Publication date
CN108270739A (en) 2018-07-10

Similar Documents

Publication Publication Date Title
CN108270739B (en) Method and device for managing encryption information
CN111191286B (en) HyperLegger Fabric block chain private data storage and access system and method thereof
JP4993733B2 (en) Cryptographic client device, cryptographic package distribution system, cryptographic container distribution system, and cryptographic management server device
JP5100286B2 (en) Cryptographic module selection device and program
CN109067528B (en) Password operation method, work key creation method, password service platform and equipment
CN101258505B (en) Secure software updates
US8495383B2 (en) Method for the secure storing of program state data in an electronic device
US11831753B2 (en) Secure distributed key management system
CN110489996B (en) Database data security management method and system
CN108768963B (en) Communication method and system of trusted application and secure element
CN107040520B (en) Cloud computing data sharing system and method
CN109347625A (en) Crypto-operation, method, cryptographic service platform and the equipment for creating working key
CN106992851A (en) TrustZone-based database file password encryption and decryption method and device and terminal equipment
CN111131416A (en) Business service providing method and device, storage medium and electronic device
CN112669104B (en) Data processing method of leasing equipment
CN104868998A (en) System, Device, And Method Of Provisioning Cryptographic Data To Electronic Devices
CN105975867A (en) Data processing method
CN111191217A (en) Password management method and related device
CN112822177A (en) Data transmission method, device, equipment and storage medium
CN111008400A (en) Data processing method, device and system
CN111917711B (en) Data access method and device, computer equipment and storage medium
KR101329789B1 (en) Encryption Method of Database of Mobile Communication Device
CN116155483A (en) Block chain signing machine safety design method and signing machine
CN110287725B (en) Equipment, authority control method thereof and computer readable storage medium
CN107682147B (en) Security management method and system for smart card chip operating system file

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant