CN109040109B - Data transaction method and system based on key management mechanism - Google Patents


Info

Publication number: CN109040109B
Authority: CN (China)
Prior art keywords: key, user, root, file, data
Legal status: Active
Application number: CN201811013228.9A
Other languages: Chinese (zh)
Other versions: CN109040109A (en)
Inventors: 张文, 邵帅, 崔浩亮, 潘旭
Current Assignee: Sailong (Wenzhou) communication technology Co.,Ltd.
Original Assignee: Guoding Network Space Security Technology Co ltd
Application filed by: Guoding Network Space Security Technology Co ltd
Priority to: CN201811013228.9A
Publication of CN109040109A
Application granted; publication of CN109040109B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management

Abstract

The invention discloses a data transaction method and system based on a key management mechanism. It adopts end-to-end encryption so that the user's private data always exists as a ciphertext data body while it is transmitted from the local key management service of the sending end, to the key management server, and on to the local key management service of the receiving end. The file encryption key is generated by the sending end and stored by the key management server. The receiving end purchases the data to obtain authorization for the file decryption key and then applies to the key management server for the key, at which point decryption of the data is completed; the risk of monitoring and tampering during transmission of the private data is avoided. The invention adopts a key management system combining symmetric and asymmetric cryptography, which ensures the user's security in the processes of issuing and applying for keys, further ensures security in the processes of selling and purchasing data, and provides an efficient and reliable transaction platform for the user.

Description

Data transaction method and system based on key management mechanism
Technical Field
The invention relates to the technical field of data transaction, in particular to a data transaction method and a data transaction system based on a key management mechanism.
Background
With the continuous development of the information society, more and more people are aware of the business value contained behind data and the importance of data protection. However, the general data service depends on the public network, and during the transmission process, the private data of the user faces various risks, such as interception or tampering, due to the lack of necessary protection measures of the network itself. How to provide a safe and convenient data transaction mode for a user without influencing the user experience is a primary problem to be considered in the current data transaction field.
Data encryption is a common way of securing data, and modern cryptography provides many efficient and reliable cryptographic algorithms for this purpose. Symmetric key encryption uses the same key to encrypt and decrypt data, and is simple, efficient and difficult to break. However, because encryption and decryption typically occur at different stages of a data transaction, the symmetric key agreement process may face potential security threats, and the secure transport and escrow of keys over public computer networks is a serious problem, since the confidentiality of the system depends on the security of the keys. In contrast, asymmetric key encryption uses a matched pair of keys to encrypt and decrypt: the public key is public and the private key is kept private; each key performs a one-way operation on the data, and the other key is used for the reverse operation. Data encrypted with the public key can only be decrypted by the corresponding private key, while data encrypted with the private key can only be decrypted by the corresponding public key. Asymmetric cryptosystems have high strength and good confidentiality and remove the need for users to exchange keys over an insecure channel, but their encryption and decryption are slow and unsuitable for encrypting large amounts of data; in addition, a public key cryptosystem usually needs a trusted third party to provide the infrastructure for security services.
Disclosure of Invention
To address the shortcomings described above, the invention combines a symmetric cryptosystem and an asymmetric cryptosystem to design a one-time, one-key data transaction method and system.
To achieve the above object, the present invention provides a data transaction method based on a key management mechanism, which includes:
user A generates a file encryption key for a data file to be traded, encrypts the file encryption key with user A's root key and sends the encrypted file encryption key to a key management server;
the key management server decrypts the file encryption key, encrypts the allocated file encryption key ID with user A's root key and sends the encrypted file encryption key ID to user A;
user A decrypts the file encryption key ID and sends it to user B together with the data file encrypted by the file encryption key;
user B obtains authorization for the data file decryption key through a purchase process, and sends a file decryption key application message containing the file encryption key ID to the key management server after encrypting it with user B's root key;
the key management server verifies user B's authorization information and, after the verification passes, encrypts the file decryption key with user B's root key and sends it to user B, and user B views the original text of the data file using the file decryption key.
As a further improvement of the present invention, the user root key is obtained as follows:
a user encrypts a root key application message containing the user public key with the server public key and sends it to the key management server;
the key management server decrypts the root key application message, encrypts the allocated root key with the user public key and sends the encrypted root key to the user;
the user decrypts the encrypted root key to obtain the root key.
As a further improvement of the present invention, the key management server decrypts the root key application message encrypted by the server public key using the server private key.
As a further improvement of the invention, user A decrypts the root key encrypted by the user public key using the user private key.
As a further improvement of the present invention, the key management server decrypts the file encryption key encrypted by the root key using the root key, and saves the file encryption key.
As a further improvement of the invention, each user corresponds to a unique root key.
As a further improvement of the invention, the file encryption key and the file decryption key are symmetric keys, and each encrypted file corresponds to a unique file encryption key.
As a further improvement of the invention, the file encryption key is divided into a basic data sharing key and a restricted data sharing key through different key attribute settings.
The invention also provides a data transaction system based on the key management mechanism, which comprises a local key management service running in the user application layer and a remote key management server.
The local key management service is used for:
generating the user's public and private key pair;
encrypting the root key application message, which contains the user public key, with the server public key and sending it to the key management server;
decrypting, with the user private key, the root key encrypted by the user public key;
generating a file encryption key for a data file to be traded, encrypting the file encryption key with the root key and sending it to the key management server;
decrypting the file encryption key ID encrypted by the root key, and sharing the file encryption key ID together with the data file encrypted by the file encryption key;
obtaining authorization for the data file decryption key through a purchase process, and sending a file decryption key application message containing the file encryption key ID to the key management server after encrypting it with the root key;
viewing the original text of the data file using the file decryption key.
The key management server is used for:
generating the server public and private key pair;
decrypting, with the server private key, the root key application message encrypted by the server public key, and sending the allocated root key to the local key management service after encrypting it with the user public key;
decrypting, with the root key, the file encryption key encrypted by the root key, storing the file encryption key, and sending the allocated file encryption key ID to the local key management service after encrypting it with the root key;
verifying the user's authorization information and, after the verification passes, encrypting the file decryption key with the root key and sending it to the local key management service.
Compared with the prior art, the invention has the beneficial effects that:
The invention adopts end-to-end encryption, ensuring that the user's private data always exists as a ciphertext data body while it is transmitted from the local key management service of the sending end, to the key management server, and on to the local key management service of the receiving end; the file encryption key is generated by the sending end and stored by the key management server. The receiving end purchases the data and, after obtaining authorization for the file decryption key, applies to the key management server for the key, at which point decryption of the data is completed; the risk of monitoring and tampering during transmission of the private data is avoided. In addition, the data encryption of the invention uses symmetric encryption, and the file encryption key used for the data encryption uses symmetric encryption; the invention adopts a key management system combining symmetric and asymmetric cryptography, which ensures to the greatest extent the user's security in the processes of issuing and applying for keys, further ensures security in the processes of selling and purchasing data, and provides an efficient and reliable transaction platform for the user.
Drawings
FIG. 1 is a schematic diagram of a data transaction system based on a key management mechanism according to an embodiment of the present invention;
FIG. 2 is a block diagram of a hierarchical key structure of a data transaction system based on a key management mechanism according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating root key initialization in a data transaction method based on a key management mechanism according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating a method for applying for a file encryption key ID in a data transaction method based on a key management mechanism according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating obtaining a file encryption key in a data transaction method based on a key management mechanism according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
The invention is described in further detail below with reference to the attached drawing figures:
The invention provides a data transaction system based on a key management mechanism, which comprises a local key management service (TS) running at the user application layer and a remote key management server (KMS), wherein:
the local key management service (TS) is used for:
generating the user's public and private key pair;
encrypting the root key application message, which contains the user public key, with the server public key and sending it to the key management server;
decrypting, with the user private key, the root key encrypted by the user public key;
generating a file encryption key for a data file to be traded, encrypting the file encryption key with the root key and sending it to the key management server;
decrypting the file encryption key ID encrypted by the root key, and sharing the file encryption key ID together with the data file encrypted by the file encryption key;
obtaining authorization for the data file decryption key through a purchase process, and sending a file decryption key application message containing the file encryption key ID to the key management server after encrypting it with the root key;
viewing the original text of the data file using the file decryption key;
the remote key management server (KMS) is used for:
generating the server public and private key pair;
decrypting, with the server private key, the root key application message encrypted by the server public key, and sending the allocated root key to the local key management service after encrypting it with the user public key;
decrypting, with the root key, the file encryption key encrypted by the root key, storing the file encryption key, and sending the allocated file encryption key ID to the local key management service after encrypting it with the root key;
verifying the user's authorization information and, after the verification passes, encrypting the file decryption key with the root key and sending it to the local key management service.
Specifically, the method comprises the following steps:
The local key management service (TS) of the invention defines a specific ciphertext data format, in which specified flag bits and fields determine the cryptographic algorithm and the characteristics of the encrypted information. Original plaintext data from the application layer is processed by the key management service to generate a ciphertext data body carrying the encryption information and the key data within the encryption space, so that the original private data is never transmitted over the network in plaintext while the ciphertext data can still be restored; the principle is shown in FIG. 1.
The remote key management server (KMS) of the invention manages and maintains the life cycle of keys, provides key security for the end-to-end encryption service, and thereby ensures the security of the encrypted data transaction process. The data transaction system based on the key management mechanism adopts a layered key structure, as shown in FIG. 2.
The server public-private key pair (KMS_pub_key, KMS_pri_key) is generated by the key management server (KMS); the public key (KMS_pub_key) is placed in a certificate and provided to each user's local key management service (TS), and the private key (KMS_pri_key) is held in the key management server;
the user public-private key pair (TS_pub_key, TS_pri_key) is generated when the user uses the local key management service (TS); the user sends the locally generated user public key (TS_pub_key) to the key management server (KMS) through a registration process, where it is used to protect the root key (rk); the user private key (TS_pri_key) is stored in the local key management service and is used for decrypting content encrypted with the user public key (TS_pub_key);
the user root key (rk) is generated by the key management server and, when the user applies for it, is encrypted with the user public key (TS_pub_key) and distributed to the user; the root key is bound to the user account and is used to protect the file encryption key (fek) in the file encryption key issuing and application processes;
the file encryption key (fek) is generated by the local key management service (TS) and is used to encrypt the data to be shared; after the data encryption is completed, the user can issue the file encryption key to the key management server encrypted with the user root key (rk); other users can apply to the key management server for the file encryption key after purchasing the data, and the key they apply for is transmitted encrypted with the user root key.
The file encryption key is in ciphertext form whenever it is transmitted through the interface, and any storage of the key in plaintext form must take place under secure conditions. Each user has a root key (rk) in one-to-one correspondence with the user's account, so that a root key leaked by a single user cannot endanger the security of other users' key transmission. The file encryption key (fek) is used to encrypt data files; each encrypted file corresponds to a unique file encryption key, which secures the transmission of the file over a public network.
Key distribution and negotiation are performed by the local key management service together with the remote key management server. The key management service TS supports a variety of algorithms, including symmetric encryption algorithms for data file encryption, such as SM4, AES, DES and IDEA, and asymmetric encryption algorithms for root key agreement, such as RSA. The combination of a symmetric cryptosystem and an asymmetric cryptosystem meets both the security requirement of protecting the data encryption key and the performance requirement of the user's data encryption experience, balancing security and practicality.
The invention provides a data transaction method based on a key management mechanism, which comprises: initializing a root key, applying for a file encryption key ID and obtaining a file encryption key, wherein:
As shown in FIG. 3, root key initialization proceeds as follows:
After registering for the first time, the user first requests the key management server (KMS) to allocate a root key (rk). The root key application message is encrypted with the locally preset server public key (KMS_pub_key) and then sent to the key management server; the message includes a random number random_num (to prevent replay attacks), a user identifier (user_id), an identifier obtained after user registration (user_rflag) and the user public key (pub_key_TS). On receiving the key application message, the key management server verifies the user identity: it decrypts the root key application message, which was encrypted with the server public key (KMS_pub_key), using the server private key (KMS_pri_key), and if the decryption succeeds the user identity passes verification. After the user identity is verified, the server allocates a root key identifier (rk_id) and a root key (rk_body) for the user, encrypts the root key with the user public key (pub_key_TS) carried in the message, and sends the encrypted root key to the user. Finally, user A decrypts the root key encrypted by the user public key using the user private key to obtain the root key (rk).
Furthermore, each user corresponds to a unique root key, and if the user has registered before, the root key initialization can be omitted when data is traded or shared.
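The root key initialization exchange described above, as an added Go example that is not code from the patent. The JSON encoding, the hybrid `Envelope`, the in-memory `KMS` type and the comparison of user_rflag with a registration table are assumptions of this example; the envelope is used because a message that carries a 2048-bit public key does not fit in a single RSA-OAEP block.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"fmt"
)

// RootKeyRequest holds the fields the description lists for the message.
type RootKeyRequest struct {
	RandomNum, PubKeyTS []byte // random_num, pub_key_TS (PKCS#1 DER)
	UserID, UserRflag   string // user_id, user_rflag
}

// Envelope (assumed): JSON request under a one-time AES-256-GCM key wrapped by KMS_pub_key.
type Envelope struct{ WrappedKey, Nonce, Body []byte }

type KMS struct {
	priv     *rsa.PrivateKey   // KMS_pri_key
	rflags   map[string]string // user_id -> user_rflag issued at registration
	seen     map[string]bool   // random_num values already accepted
	rootKeys map[string][]byte // user_id -> rk, one per account
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func UnwrapRootKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) { // TS side
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// BuildRequest is the TS side: encrypt the application message for the KMS.
func BuildRequest(kmsPub, userPub *rsa.PublicKey, userID, rflag string) (*Envelope, error) {
	req := RootKeyRequest{randBytes(16), x509.MarshalPKCS1PublicKey(userPub), userID, rflag}
	msg, _ := json.Marshal(req) // cannot fail for these field types
	sk, nonce := randBytes(32), randBytes(12)
	aead, err := gcm(sk)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kmsPub, sk, nil)
	return &Envelope{wrapped, nonce, aead.Seal(nil, nonce, msg, nil)}, err
}

// HandleRequest is the KMS side; it returns rk encrypted under pub_key_TS.
func (k *KMS) HandleRequest(e *Envelope) ([]byte, error) {
	sk, rsaErr := rsa.DecryptOAEP(sha256.New(), rand.Reader, k.priv, e.WrappedKey, nil)
	aead, err := gcm(sk) // also fails on the nil key left by a failed RSA decryption
	if rsaErr != nil || err != nil || len(e.Nonce) != aead.NonceSize() {
		return nil, fmt.Errorf("envelope rejected") // same error for every failure
	}
	var req RootKeyRequest
	msg, err := aead.Open(nil, e.Nonce, e.Body, nil)
	if err != nil || json.Unmarshal(msg, &req) != nil {
		return nil, fmt.Errorf("envelope rejected")
	}
	userPub, perr := x509.ParsePKCS1PublicKey(req.PubKeyTS)
	switch {
	case len(req.RandomNum) < 16 || k.seen[string(req.RandomNum)]:
		return nil, fmt.Errorf("missing or replayed random_num")
	case req.UserRflag == "" || k.rflags[req.UserID] != req.UserRflag:
		return nil, fmt.Errorf("user_rflag does not match registration of %q", req.UserID)
	case perr != nil || userPub.Size() < 256:
		return nil, fmt.Errorf("pub_key_TS rejected")
	}
	k.seen[string(req.RandomNum)] = true
	if k.rootKeys[req.UserID] == nil {
		k.rootKeys[req.UserID] = randBytes(32) // first application allocates rk
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, k.rootKeys[req.UserID], nil)
}

func main() {
	kmsKey, _ := NewKey()
	userKey, _ := NewKey()
	kms := &KMS{kmsKey, map[string]string{"alice": "rflag-constructed"}, map[string]bool{}, map[string][]byte{}}
	env, _ := BuildRequest(&kmsKey.PublicKey, &userKey.PublicKey, "alice", "rflag-constructed")
	wrapped, err := kms.HandleRequest(env)
	fmt.Println("rk wrapped under pub_key_TS:", len(wrapped), "bytes, err:", err)
}
```

Successful decryption on its own only shows that the sender knew KMS_pub_key, which is why this example also compares user_rflag with the registration record before it allocates rk.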
As shown in FIG. 4, the application for a file encryption key ID proceeds as follows:
After completing registration, the user can encrypt and share data. The user first generates a file encryption key (fek) for the private data to be shared and then encrypts it with the user's root key (rk); the encrypted content comprises a random number (random_num), a file identifier (file_id), a key length (fek_len) and the key (fek_body), and the user must also set the attributes of the file encryption key. The result is sent to the key management server (KMS) through the key issuing interface. After parsing the message, the key management server uses the stored root key of the user to decrypt the file encryption key, stores the file encryption key (fek) in the key management server for key applications made after other users purchase the data, and sends the allocated file encryption key ID to the user encrypted with the root key; a success response message is then returned to the data publisher. At this point the user can share the encrypted data through other channels, and only a user who has purchased the key or obtained authorization can view the original data.
As shown in FIG. 5, the file encryption key is obtained as follows:
The user decrypts the file encryption key ID and sends it to another user together with the data file encrypted by the file encryption key. After the other user receives the encrypted data file, if the file is encrypted with a BDSK, that user must obtain authorization for the file decryption key through a purchase process and then request the key management server to issue the file decryption key: the file decryption key application message is encrypted with the user's root key and sent to the key management server through the key application interface; the key management server parses the message and verifies the user's authorization information; after the verification passes, the server, according to the key attributes (such as the key validity period, the number of valid uses of the key, the number of times the key has been used, the number of people the key can be shared with, the number of people the key has been shared with, the key owner and so on), returns a success response message to the data purchaser and sends the file decryption key to the user encrypted with the user's root key. The user can then view the original data using the obtained key. If the file is encrypted with an RDSK, the user requests the key management server to issue the file decryption key: the file decryption key application message is encrypted with the user's root key and sent to the key management server through the key application interface; the key management server parses the message and verifies, according to key attributes such as the validity period, the number of valid uses of the key, the number of people the key can be shared with, the number of people the key has been shared with, whether the key has been revoked and so on, whether the user may obtain the decryption key; if the verification passes, the server returns a success response message to the user and issues the file decryption key to the user encrypted with the user's root key.
The file encryption key (fek) carries a variety of attributes that the user can set while generating an encrypted file, including the encryption algorithm, key length, key validity period, key creation time, number of valid uses of the key, number of times the key has been used, number of people the key can be shared with, number of people the key has been shared with, key owner, key backup and so on. At present, the system provides users with two types of data sharing key:
1. The basic data sharing key (Base Data Sharing Key, BDSK). The BDSK is used for encrypting conventional data files; it is generated by the local key management service of the data owner and uploaded to the key management server for other users to purchase and apply for. Different data uses different keys. The attributes of the basic data sharing key include the encryption algorithm, key length, key validity period, number of valid uses of the key, number of times the key has been used, number of people the key can be shared with, number of people the key has been shared with, key owner, key backup and so on.
2. The restricted data sharing key (Restricted Data Sharing Key, RDSK). The RDSK is used for encrypting shared data files; it is generated by the local key management service of the data owner and uploaded to the key management server. This key has no purchase flow, and the data owner can set attributes such as whether it is burned after reading, whether it is grouped and whether it can be revoked. The attributes of the restricted data sharing key include the encryption algorithm, key length, key validity period, number of valid uses of the key, number of people the key can be shared with, whether the key can be revoked, key owner, key backup and so on.
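One way the key management server could evaluate a file decryption key application against the BDSK and RDSK attributes listed above, as an added Go example that is not the patent's own code. The `KeyStore` type, the order of the checks and the meaning given to each counter are assumptions of this example; encrypting the released key under the applicant's root key is left out.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

type KeyType string

const (
	BDSK KeyType = "BDSK" // basic data sharing key: released only after purchase
	RDSK KeyType = "RDSK" // restricted data sharing key: no purchase flow, revocable
)

// KeyAttrs holds the attributes from the description that gate a release.
// How each one is enforced below is this example's interpretation.
type KeyAttrs struct {
	Type        KeyType
	Owner       string
	NotAfter    time.Time // key validity period
	ValidCount  int       // number of valid uses of the key
	UsedCount   int       // number of times the key has been used
	MaxSharers  int       // number of people the key can be shared with
	SharedCount int       // number of people the key has been shared with
	Revoked     bool      // RDSK only, set by the data owner
}

type grant struct{ user, fekID string }

// KeyStore is the KMS-side state consulted for a file decryption key application.
type KeyStore struct {
	mu        sync.Mutex
	fek       map[string][]byte    // fek_id -> stored file encryption key
	attrs     map[string]*KeyAttrs // fek_id -> attributes set by the publisher
	purchases map[grant]bool       // purchase records kept by the server
	released  map[grant]bool       // users each key has already been released to
}

var (
	ErrNotPurchased = errors.New("BDSK: no purchase recorded for this user")
	ErrRevoked      = errors.New("RDSK: key has been revoked")
	ErrExpired      = errors.New("key validity period has ended")
	ErrExhausted    = errors.New("no valid uses left")
	ErrSharerLimit  = errors.New("sharing limit reached")
)

func NewKeyStore() *KeyStore {
	return &KeyStore{fek: map[string][]byte{}, attrs: map[string]*KeyAttrs{},
		purchases: map[grant]bool{}, released: map[grant]bool{}}
}

// Release decides one application. The checks and the counter updates run
// under a single lock, so concurrent applications cannot both take the last
// remaining use; a refused application changes no state.
func (s *KeyStore) Release(user, fekID string, now time.Time) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	g := grant{user, fekID}
	a, ok := s.attrs[fekID]
	switch {
	case !ok:
		return nil, fmt.Errorf("unknown fek_id %q", fekID)
	case a.Type != BDSK && a.Type != RDSK:
		return nil, fmt.Errorf("unsupported key type %q", a.Type) // fail closed
	case a.Type == BDSK && !s.purchases[g]:
		return nil, ErrNotPurchased
	case a.Type == RDSK && a.Revoked:
		return nil, ErrRevoked
	case now.After(a.NotAfter):
		return nil, ErrExpired
	case a.UsedCount >= a.ValidCount:
		return nil, ErrExhausted
	case !s.released[g] && a.SharedCount >= a.MaxSharers:
		return nil, ErrSharerLimit
	}
	a.UsedCount++
	if !s.released[g] { // a repeat request, e.g. from a replacement device, takes no new slot
		s.released[g] = true
		a.SharedCount++
	}
	// The KMS would now send this key encrypted under the applicant's root key.
	return append([]byte(nil), s.fek[fekID]...), nil
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock and records
	s := NewKeyStore()
	s.fek["fek-1"] = []byte("constructed key material")
	s.attrs["fek-1"] = &KeyAttrs{Type: BDSK, Owner: "alice", NotAfter: now.Add(time.Hour), ValidCount: 2, MaxSharers: 1}
	_, before := s.Release("bob", "fek-1", now)
	s.purchases[grant{"bob", "fek-1"}] = true
	key, after := s.Release("bob", "fek-1", now)
	fmt.Println("before purchase:", before, "| after purchase:", len(key), "bytes,", after)
}
```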
The invention adopts an end-to-end encryption mode, which ensures that the user's private data always exists as a ciphertext data body during transmission from the sending end's local key management service to the key management server and then to the receiving end's local key management service. The file encryption key is generated by the sending end and stored by the key management server; the receiving end purchases the data to obtain authorization for the file decryption key, applies to the key management server for the key, and completes the decryption of the data. This avoids the risk of monitoring and tampering while private data is in transit. In addition, the invention uses symmetric encryption for the data file and asymmetric encryption for the file encryption key, that is, a key management system combining symmetric and asymmetric cryptography. This design protects the user to the greatest extent while keys are issued and applied for, thereby securing the process of selling and purchasing data and providing users with an efficient and reliable transaction platform.
The invention has the following specific advantages:
1. High efficiency. Data is encrypted symmetrically, which is simple and efficient. Even for files with a large data volume, encryption and decryption complete within a time acceptable to the user, and the user experience is smoother.
2. Privacy. The data publisher retains ownership of the data. The data is encrypted before being shared with other users, and the right to view the data can be obtained only after the user purchases the data encryption key, but the plaintext original text of the data cannot be obtained.
3. Durability. Once encrypted, the data can be transmitted in various ways, and different users can purchase data decryption keys through the transaction system. The server records each user's key purchases, so users retain the right to view the data in cleartext even after replacing their equipment.
4. Diversity. The data publisher can select different keys to encrypt the data depending on how the data is to be shared, and the different keys have different attributes, which meets the publisher's various requirements.
5. Security. The key used for data encryption is protected by an asymmetric cryptosystem, which ensures secure transmission during key distribution. In addition, the data publisher and the purchaser do not trade data files directly but trade keys through the transaction system, so the privacy of both the publisher and the purchaser is protected to the greatest extent.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes will occur to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (4)

1. A data transaction method based on a key management mechanism is characterized by comprising the following steps:
the user A generates a file encryption key for a data file to be traded, encrypts the file encryption key by a root key of the user A and then sends the encrypted file encryption key to a key management server;
the key management server decrypts the file encryption key, encrypts the distributed file encryption key ID by the root key of the user A and sends the encrypted file encryption key ID to the user A;
the user A decrypts the file encryption key ID and sends the file encryption key ID to the user B along with the data file encrypted by the file encryption key;
the user B obtains the authorization of the data file decryption key through a purchase process, and sends a file decryption key application message containing the file encryption key ID to the key management server after being encrypted by the root key of the user B;
the key management server verifies the authorization information of the user B, after the authorization information passes the verification, the file decryption key is encrypted by the root key of the user B and then sent to the user B, and the user B checks the original text of the data file through the file decryption key;
the method for acquiring the user root key comprises the following steps:
a user encrypts a root key application message containing a user public key by a server public key and then sends the root key application message to a key management server;
the key management server decrypts the root key application message, encrypts the distributed root key by the user public key and then sends the encrypted root key to the user;
the user decrypts the root key to obtain the root key;
the key management server uses the server private key to decrypt the root key application message encrypted by the server public key;
the user uses the user private key to decrypt the root key encrypted by the user public key;
the key management server decrypts the file encryption key encrypted by the root key by using the root key and stores the file encryption key;
the transaction system of the data transaction method based on the key management mechanism comprises:
a local key management service and a remote key management server running in a user application layer;
the local key management service is used for:
generating a public and private key pair of a user;
encrypting a root key application message containing the user public key with the server public key and then sending the root key application message to the key management server;
decrypting, using the user private key, the root key encrypted with the user public key;
generating a file encryption key for a data file to be traded, encrypting the file encryption key with the root key and then sending the encrypted file encryption key to the key management server;
decrypting, using the root key, the file encryption key ID encrypted with the root key, and sharing the file encryption key ID together with the data file encrypted with the file encryption key;
obtaining the authorization of the data file decryption key through a purchase process, and sending a file decryption key application message containing the file encryption key ID to the key management server after encrypting it with the root key;
checking the original text of the data file through the file decryption key;
the key management server is used for:
generating a server public and private key pair;
decrypting, using the server private key, the root key application message encrypted with the server public key, and sending the distributed root key to the local key management service after encrypting it with the user public key;
decrypting, using the root key, the file encryption key encrypted with the root key, storing the file encryption key, and sending the ID of the distributed file encryption key to the local key management service after encrypting it with the root key;
and verifying the authorization information of the user and, after the authorization information passes the verification, encrypting the file decryption key with the root key and then sending it to the local key management service.
2. The data transaction method based on the key management mechanism as claimed in claim 1, wherein each user corresponds to a unique root key.
3. The data transaction method based on the key management mechanism as claimed in claim 1, wherein the file encryption key and the file decryption key are symmetric keys, and each encrypted file corresponds to a unique file encryption key.
4. The data transaction method based on the key management mechanism as claimed in claim 1, wherein the file encryption key is divided into a basic data sharing key and a restricted data sharing key by different key attribute settings.
CN201811013228.9A 2018-08-31 2018-08-31 Data transaction method and system based on key management mechanism Active CN109040109B (en)


Publications (2)

Publication Number Publication Date
CN109040109A CN109040109A (en) 2018-12-18
CN109040109B true CN109040109B (en) 2022-01-21


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220406

Address after: 325011 room 325, No. 166, Wenchang Road, Science Park, Wenzhou high tech Industrial Development Zone, Puzhou street, Longwan District, Wenzhou City, Zhejiang Province

Patentee after: Sailong (Wenzhou) communication technology Co.,Ltd.

Address before: Room C606, floor 6, B-2, Zhongguancun Dongsheng Science Park, No. 66, xixiaokou Road, Haidian District, Beijing 100192

Patentee before: GUODING NETWORK SPACE SECURITY TECHNOLOGY CO.,LTD.
