CN111585758A - Key management platform and key management method - Google Patents

Info

Publication number
CN111585758A
Authority
CN
China
Prior art keywords
key
data
key management
target
management server
Prior art date
Legal status
Pending
Application number
CN202010377103.5A
Other languages
Chinese (zh)
Inventor
米俊霖
黄庄庄
李黎明
叶明�
钱建诚
吕茂婷
陈进升
Current Assignee
Chengdu Rural Commercial Bank Co ltd
Original Assignee
Chengdu Rural Commercial Bank Co ltd
Priority date
Filing date
Publication date
Application filed by Chengdu Rural Commercial Bank Co ltd
Priority to CN202010377103.5A
Publication of CN111585758A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/12 Applying verification of the received information
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004 Server selection for load balancing
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The application discloses a key management platform and a key management method. The key management platform is deployed in a dual-active mode and comprises: a data receiving module for receiving, through a key verification interface, key data to be verified sent by an external service system; a data distribution module for distributing the key data, by means of load balancing equipment, to a target key management server of a target data center, so that the target key management server forwards the key data to an encryption unit; and a data verification module for verifying the key data with any encryption machine (HSM) in the encryption unit and returning the verification result to the external service system. Because the platform is deployed in dual-active mode, an external service system can call either platform instance to obtain cryptographic services; if one instance fails, the external service system does not notice, service continuity is unaffected, and stable operation and fast response of the system are maintained.

Description

Key management platform and key management method
Technical Field
The present application relates to the field of data encryption technologies, and in particular, to a key management platform and a key management method.
Background
A centralized key management platform is a foundational security platform in the financial industry and has very demanding requirements on response time and throughput for sensitive data. For disaster recovery, an enterprise generally builds two or more data centers: one serves as the primary data center hosting user services, the other as a backup data center that replicates the primary center's data, configuration and services. In the traditional active/standby mode a service runs in only one data center. To satisfy disaster-recovery grade and service requirements, the enterprise deploys a large number of servers in the backup center, but that center only provides disaster-recovery service: its servers are started only when a disaster occurs, for example when the production data center is paralyzed. The response is therefore not timely enough, service continuity requirements cannot be met, and the backup center's servers are wasted.
How to solve the above problems is therefore a matter of great concern to those skilled in the art.
Disclosure of Invention
The application aims to provide a key management platform and a key management method that can meet service continuity requirements.
To achieve the above object, the present application provides a key management platform deployed in a dual-active mode, the platform comprising:
a data receiving module for receiving, through a key verification interface, key data to be verified sent by an external service system;
a data distribution module for distributing the key data, by means of load balancing equipment, to a target key management server of a target data center, so that the target key management server forwards the key data to an encryption unit;
and a data verification module for verifying the key data with any encryption machine in the encryption unit and returning the verification result to the external service system.
Optionally, the data distribution module includes:
the data center selection unit is used for selecting a target data center according to the running state of each data center and the distance between the external service system and all the data centers by using the load balancing equipment;
a server selection unit, configured to select a target key management server from all key management servers in the target data center in combination with current computing performance of each key management server in the target data center and a domain name or an IP address of the external service system;
and the key data distribution unit is used for distributing the key data to the target key management server of the target data center through load balancing equipment.
Optionally, the data verification module includes:
a key verification unit for verifying the key data with any encryption machine in the encryption unit, using a Chinese national cryptographic (SM) algorithm, to obtain an initial result indicating whether the key data passes verification;
and a result returning unit for sending the initial result to the target key management server, so that the target key management server assembles the initial result according to a preset communication protocol into a verification result and returns it to the external service system.
Optionally, the data distribution module includes:
the first sending unit is used for distributing the key data to a target key management server of a target data center through load balancing equipment;
and the second sending unit is used for packaging the key data by using the target key management server and sending the packaged key data to the encryption unit.
Optionally, the platform further includes:
the request receiving module is used for receiving a key acquisition request initiated by the terminal equipment through the key acquisition interface;
the mapping acquisition module is used for acquiring a preset mapping relation between the basic information of the terminal equipment and a key generation protocol;
and the key generation module is used for generating a corresponding working key based on a key generation protocol corresponding to the current terminal equipment and returning the working key to the terminal equipment.
To achieve the above object, the present application also provides a key management method applied to a key management platform deployed in a dual-active mode, the method comprising:
receiving, through a key verification interface, key data to be verified sent by an external service system;
distributing the key data, by means of load balancing equipment, to a target key management server of a target data center, so that the target key management server forwards the key data to an encryption unit;
and verifying the key data with any encryption machine in the encryption unit and returning the verification result to the external service system.
Optionally, the distributing the key data to the target key management server of the target data center by using the load balancing device includes:
selecting a target data center according to the running state of each data center and the distance between the external service system and all the data centers by using load balancing equipment;
selecting a target key management server from all key management servers according to the current computing performance of each key management server in the target data center and the domain name or IP address of the external service system;
distributing the key data to the target key management server of the target data center through a load balancing device.
Optionally, verifying the key data with any encryption machine in the encryption unit and returning the verification result to the external service system includes:
verifying the key data with any encryption machine in the encryption unit, using a Chinese national cryptographic (SM) algorithm, to obtain an initial result indicating whether the key data passes verification;
and sending the initial result to the target key management server, so that the target key management server assembles the initial result according to a preset communication protocol into a verification result and returns it to the external service system.
Optionally, the distributing the key data to a target key management server of a target data center by using a load balancing device, so that the target key management server sends the key data to an encryption unit, includes:
distributing the key data to a target key management server of a target data center through load balancing equipment;
and packaging the key data by using the target key management server, and sending the packaged key data to an encryption unit.
Optionally, the method further includes:
receiving a key acquisition request initiated by terminal equipment through a key acquisition interface;
acquiring a preset mapping relation between basic information of the terminal equipment and a key generation protocol;
and generating a corresponding working key based on a key generation protocol corresponding to the current terminal equipment and returning the working key to the terminal equipment.
In summary, the key management platform provided by the application is deployed in dual-active mode and comprises: a data receiving module for receiving, through a key verification interface, key data to be verified sent by an external service system; a data distribution module for distributing the key data, by means of load balancing equipment, to a target key management server of a target data center, so that the target key management server forwards the key data to an encryption unit; and a data verification module for verifying the key data with any encryption machine in the encryption unit and returning the verification result to the external service system. The platform thus provides a cryptographic verification service to external service systems through the key verification interface. Because it is deployed in dual-active mode, an external service system can call either platform instance to obtain cryptographic services without caring which data center the request goes to; if either instance fails, the external service system does not notice, service continuity is unaffected, and stable operation and fast response of the system are maintained.
The application also discloses a key management method that achieves the same technical effects.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a structural diagram of a key management platform disclosed in an embodiment of the present application;
fig. 2 is a flowchart of a key management platform disclosed in the embodiment of the present application in a specific application scenario;
fig. 3 is a flowchart of a key management method disclosed in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the traditional active/standby mode a service runs in only one data center. To satisfy disaster-recovery grade and service requirements, the enterprise deploys a large number of servers in the backup center, but that center only provides disaster-recovery service: its servers are started only when a disaster occurs, for example when the production data center is paralyzed. The response is therefore not timely enough, service continuity requirements cannot be met, and the backup center's servers are wasted.
The embodiments of the application therefore disclose a key management platform that can meet service continuity requirements.
Referring to fig. 1, an embodiment of the present application discloses a key management platform, where the key management platform is deployed in a dual active mode, and the key management platform specifically includes:
the data receiving module 101, configured to receive, through a key verification interface, key data to be verified sent by an external service system;
In this embodiment the key management platform exposes a uniform key verification interface to external service systems, so that key data to be verified can be received through this interface and a key verification service provided to those systems.
It should be noted that the key management platform of this embodiment is deployed in dual-active mode: the two platform instances are peers with no primary/secondary distinction, and both actively serve production traffic online at the same time, which greatly improves resource utilization and the efficiency and performance of the system.
the data distribution module 102, configured to distribute the key data, by means of load balancing equipment, to a target key management server of a target data center, so that the target key management server forwards the key data to an encryption unit;
In a specific implementation, after the platform receives the key data, the load balancing equipment distributes it. As one possible implementation, the data distribution module 102 may include: a data center selection unit that uses the load balancing equipment to select a target data center according to the running state of each data center and the distance between the external service system and each data center; a server selection unit that selects a target key management server from the key management servers of the target data center according to each server's current computing performance and the domain name or IP address of the external service system; and a key data distribution unit that distributes the key data to the target key management server of the target data center through the load balancing equipment. In other words, the load balancing equipment tracks the pending task count of each data center and key management server, the running state of each data center, the computing performance of each server, and so on, so that it can send the key data to a data center that is running normally and lightly loaded, and within it to a key management server with idle computing resources and higher computing performance.
In a traditional financial business system, a request passes through many intermediate nodes on its way from a mobile app, an online banking web front end or a self-service terminal to the back-end accounting server, and plaintext is exposed at every node. Even though encryption is applied, if any one node on the link is weakly protected then, by the weakest-link ("barrel") principle, the security of the whole link is only as good as that node. To address this, the data distribution module of the embodiment may include: a first sending unit that distributes the key data to the target key management server of the target data center through the load balancing equipment; and a second sending unit that packages the key data on the target key management server and sends the packaged key data to the encryption unit. The key data is thus kept packaged in transit, so that no plaintext is exposed anywhere along the full link and the leakage risk caused by plaintext exposure is avoided.
and the data verification module 103, configured to verify the key data with any encryption machine in the encryption unit and return the verification result to the external service system.
Specifically, after the key data reaches the encryption unit, any encryption machine in the unit can verify it and produce a verification result. In one possible implementation the data verification module 103 includes a key verification unit that uses any encryption machine in the encryption unit to verify the key data with a Chinese national cryptographic (SM) algorithm, obtaining an initial result indicating whether the key data passes verification, and a result returning unit that sends the initial result to the target key management server, which assembles it according to the preset communication protocol into a verification result and returns that to the external service system.
In summary, the key management platform of this embodiment is deployed in dual-active mode with the data receiving module, data distribution module and data verification module described above, and provides a cryptographic verification service to external service systems through the key verification interface. Because it is deployed in dual-active mode, an external service system can call either platform instance to obtain cryptographic services without caring which data center the request goes to; if either instance fails, the external service system does not notice, service continuity is unaffected, and stable operation and fast response of the system are maintained.
On the basis of the above embodiments, as a preferred implementation, the key management platform may also provide a key generation service.
Specifically, the platform may further include: a request receiving module for receiving, through a key acquisition interface, a key acquisition request initiated by a terminal device; a mapping acquisition module for obtaining a preset mapping between the terminal device's basic information and a key generation protocol; and a key generation module for generating a corresponding working key according to the key generation protocol mapped to the current terminal device and returning the working key to the terminal device. Through these modules the platform provides unified planning and management of keys for terminal devices and achieves one key per device ("one machine, one key").
Besides key management functions such as sensitive data encryption and decryption and key generation, the key management platform can also perform message integrity verification, for example recording transaction data during online banking transactions such as transfers and bookkeeping and ensuring that the data is consistent.
The key management platform of the embodiment is described below with a specific application example, referring to fig. 2. An external application system calls the API of the centralized key management platform and sends a cryptographic service request to the load balancing equipment; the global load balancer connects it to the nearest data center, where the load balancing equipment inside that center distributes it to one of the two centralized key management platform servers in the same center. On receiving the message, the centralized key management platform parses the external application system's message, calls a database deployed in RAC mode to assemble a new message, and sends the new message to the encryption unit. Any encryption machine in the encryption unit then processes the new message with a trusted cryptographic algorithm and returns it to the centralized key management platform, which reassembles it and returns it to the external application system. The secure and trusted cryptographic algorithms are the domestic algorithms approved by the State Cryptography Administration, such as SM2, SM3 and SM4.
In a specific implementation, the underlying architecture of the centralized key management platform can be changed so that the centralized key management platforms across multiple data centers form one large resource pool. The external application system can call any platform in the pool and need not care which data center its request goes to; if any platform in the pool fails, the external system does not notice, service continuity is unaffected, and stable operation of the system is maintained to the greatest extent.
As a preferred implementation, the embodiment may also apply a nearest-first distribution principle: requests are automatically routed over the network to the nearest data center, so that a service system reaches the closest server by IP address or domain name and gets the fastest access. In addition, global load balancing can choose the best transmission path, guaranteeing the lowest response time.
It can be understood that the key management platform of the embodiment adopts a dual-active architecture, which avoids large-scale service interruption after a fault; it provides secure and trusted algorithms including the domestic SM2, SM3 and SM4 algorithms; it provides unified planning and management of keys, a unified data security cryptographic service for business systems, and unified security service interfaces and specifications, so that every connected business system follows the same standards, which makes it easy to define a data security cryptographic service standard; it provides unified management and load balancing for heterogeneous encryption machines; it supports the one-key-per-device retrofit of terminal devices such as ATMs, POS terminals, VTMs and counter PIN pads; it performs MAC verification of transaction messages to prevent data interception and replay attacks; and the sensitive data of all business systems can be transmitted encrypted with a trusted cryptographic algorithm, that is, a customer's password is encrypted with a secure and trusted algorithm from the moment it is entered at the terminal until it reaches the core system, so the password plaintext is never exposed anywhere on the link and the risk of data leakage is reduced.
A key management method provided by an embodiment of the application is described below; the method described here and the platform described above may be cross-referenced.
Referring to fig. 3, an embodiment of the application provides a key management method applied to a key management platform deployed in dual-active mode; the method may specifically include:
S201: receiving, through a key verification interface, key data to be verified sent by an external service system;
S202: distributing the key data, by means of load balancing equipment, to a target key management server of a target data center, so that the target key management server forwards the key data to an encryption unit;
In this embodiment the load balancing equipment can select the target data center closest to the external service system, taking into account the running state of each data center and the distance from the external service system to each of them, then select the target key management server with the best computing performance from the key management servers of that data center, taking into account each server's current computing performance and the domain name or IP address of the external service system, and distribute the key data to that server through the load balancing equipment.
During distribution, the key data is sent to the target key management server of the target data center through the load balancing equipment; the target key management server packages the key data and sends the packaged key data to the encryption unit, so that no plaintext is exposed along the way.
S203: verifying the key data with any encryption machine in the encryption unit and returning the verification result to the external service system.
In this step, any encryption machine in the encryption unit verifies the key data with a Chinese national cryptographic (SM) algorithm to obtain an initial result indicating whether the key data passes verification; the initial result is sent to the target key management server, which assembles it according to the preset communication protocol into a verification result and returns that to the external service system.
On the basis of the above embodiment, as a preferred implementation, a key acquisition request initiated by a terminal device may be received through a key acquisition interface, the preset mapping between the terminal device's basic information and a key generation protocol obtained according to that request, and a corresponding working key generated according to the key generation protocol mapped to the current terminal device and returned to the terminal device, thereby providing a key generation service.
The key management platform thus provides a cryptographic verification service to external business systems through the key verification interface. Because it is deployed in dual-active mode, an external business system can call either platform instance to obtain cryptographic services without caring which data center the request goes to; if either instance fails, the external business system does not notice, service continuity is unaffected, and stable operation and fast response of the system are maintained.
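The following is an added example, not code from the patent or from the applicant. It simulates in one process the flow of modules 101 to 103 above and of steps S201 to S203: the global load balancer picks the nearest healthy data center, then a lightly loaded key management server with client-address affinity; that server hands the request to any encryption machine in the unit, which verifies a MAC; the server assembles the initial result into a response; and when one data center is marked down, the same client call is served by the other center. Everything in it is an assumption for illustration: the class and field names, HMAC-SHA256 standing in for the SM3-based MAC the patent names, the response codes of the "preset communication protocol", the sample deployment and the sample transaction message.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass


@dataclass
class EncryptionMachine:
    """One encryption machine (HSM) in the encryption unit. The MAC key exists
    only here; no other node in the simulation holds it."""
    name: str
    mac_key: bytes

    def verify_mac(self, message: bytes, mac: bytes) -> bool:
        # HMAC-SHA256 stands in for the SM3-based MAC the patent names.
        expected = hmac.new(self.mac_key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)      # constant-time compare


@dataclass
class KeyManagementServer:
    name: str
    load: float          # 0.0 idle .. 1.0 saturated; proxy for "computing performance"
    hsms: list

    def handle(self, request: dict, rng=None) -> dict:
        # "Random encryption machine": any HSM in the unit may serve the request.
        hsm = (rng or random).choice(self.hsms)
        ok = hsm.verify_mac(request["message"], request["mac"])
        # Assemble the HSM's initial result into the (assumed) response protocol.
        return {"rc": "00" if ok else "A1", "server": self.name, "hsm": hsm.name}


@dataclass
class DataCenter:
    name: str
    distance_km: float   # distance from the calling service system
    healthy: bool        # running state as reported to the global load balancer
    servers: list


class GlobalLoadBalancer:
    """Two-stage dispatch: nearest healthy data center first, then a lightly
    loaded server in that center, with affinity on the client address."""

    def __init__(self, centers: list, max_load: float = 0.8):
        self.centers = centers
        self.max_load = max_load

    def pick_center(self) -> DataCenter:
        live = [dc for dc in self.centers if dc.healthy]
        if not live:
            raise RuntimeError("no healthy data center available")
        return min(live, key=lambda dc: dc.distance_km)

    def pick_server(self, dc: DataCenter, client_ip: str) -> KeyManagementServer:
        candidates = [s for s in dc.servers if s.load < self.max_load] or list(dc.servers)
        candidates.sort(key=lambda s: s.load)
        # Hash the client address over the least-loaded half of the pool so a
        # client sticks to one server while that server stays lightly loaded.
        pool = candidates[: max(1, len(candidates) // 2)]
        idx = int(hashlib.sha256(client_ip.encode()).hexdigest(), 16) % len(pool)
        return pool[idx]

    def dispatch(self, request: dict, client_ip: str, rng=None) -> dict:
        dc = self.pick_center()
        reply = self.pick_server(dc, client_ip).handle(request, rng)
        reply["dc"] = dc.name
        return reply


# --- constructed sample deployment and request; not real infrastructure ---
MAC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # assumed test-only key


def build_platform() -> GlobalLoadBalancer:
    hsms_a = [EncryptionMachine("hsm-a1", MAC_KEY), EncryptionMachine("hsm-a2", MAC_KEY)]
    hsms_b = [EncryptionMachine("hsm-b1", MAC_KEY)]
    dc_a = DataCenter("dc-a", 5.0, True, [KeyManagementServer("kms-a1", 0.2, hsms_a),
                                          KeyManagementServer("kms-a2", 0.9, hsms_a)])
    dc_b = DataCenter("dc-b", 40.0, True, [KeyManagementServer("kms-b1", 0.3, hsms_b)])
    return GlobalLoadBalancer([dc_a, dc_b])


def make_request(message: bytes, key: bytes = MAC_KEY) -> dict:
    """What the external service system submits: the message and its MAC."""
    return {"message": message, "mac": hmac.new(key, message, hashlib.sha256).digest()}


if __name__ == "__main__":
    glb = build_platform()
    req = make_request(b"TRANSFER|acct=TESTACCT|amt=100.00|seq=17")
    print(glb.dispatch(req, "10.1.2.3"))    # served by dc-a, rc 00
    glb.centers[0].healthy = False          # take dc-a offline
    print(glb.dispatch(req, "10.1.2.3"))    # same call, now served by dc-b, rc 00
```

The point the simulation makes is the one the patent relies on: the caller only ever talks to the load balancer with the same request, and the MAC key never leaves the encryption machines, so losing a whole data center changes the `dc` field of the reply and nothing else. A production deployment would replace the in-process objects with real health checks and an HSM API, and would use the SM-series MAC the patent specifies.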
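As an added example (not the patent's or the applicant's code), the key generation service described here and in the platform embodiment above can be written as a lookup from the terminal's basic information to a key generation protocol, followed by a derivation that binds the working key to that one device. The protocol table, the HKDF/HMAC-SHA256 derivation used in place of the SM-series algorithms the patent names, the master key, the batch-counter rotation and the key check value are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TerminalInfo:
    """Basic information a terminal presents in its key acquisition request."""
    device_type: str     # e.g. "ATM", "POS", "VTM", "PINPAD"
    serial: str
    merchant_id: str = ""


@dataclass(frozen=True)
class KeyProtocol:
    """How a working key is generated for one class of terminal (assumed fields)."""
    name: str
    key_len: int            # working key length in bytes
    rotate_per_batch: bool  # True: the key changes with the terminal's batch counter


# Preset mapping from terminal basic information to key generation protocol.
# The table contents are an assumption for the example.
PROTOCOL_MAP = {
    "ATM": KeyProtocol("atm-pek", 16, True),
    "POS": KeyProtocol("pos-tmk", 16, False),
    "VTM": KeyProtocol("vtm-pek", 32, True),
    "PINPAD": KeyProtocol("counter-pek", 16, False),
}


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) over HMAC-SHA256, standing in for an SM3-based
    derivation. Different `info` labels give independent keys."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class KeyGenerationService:
    """The key generation module: one working key per terminal device."""

    def __init__(self, master_key: bytes):
        # HKDF-Extract; the master key stands in for one held inside an HSM.
        self._prk = hmac.new(b"kms-example-salt", master_key, hashlib.sha256).digest()

    def lookup_protocol(self, info: TerminalInfo) -> KeyProtocol:
        try:
            return PROTOCOL_MAP[info.device_type]
        except KeyError:
            raise ValueError(f"no key generation protocol for device type {info.device_type!r}") from None

    def working_key(self, info: TerminalInfo, batch: int = 0) -> tuple:
        """Return (protocol name, working key, key check value)."""
        proto = self.lookup_protocol(info)
        # Bind the key to everything that identifies this one device.
        label = b"|".join([proto.name.encode(), info.device_type.encode(),
                           info.serial.encode(), info.merchant_id.encode()])
        if proto.rotate_per_batch:
            label += b"|batch=%d" % batch
        key = hkdf_expand(self._prk, label, proto.key_len)
        # Check value: lets the terminal confirm it holds the same key without
        # sending the key back (a truncated hash here; an assumption).
        kcv = hashlib.sha256(key).hexdigest()[:6]
        return proto.name, key, kcv
```

Because every identifying field of the terminal goes into the derivation label, two devices of the same type never share a working key, which is the "one machine, one key" property; a request from a device type with no entry in the mapping is refused rather than given a default protocol. In a real deployment the derivation and the master key would live in the encryption machine, and the working key would be returned to the terminal wrapped under a key the terminal already holds rather than in the clear.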
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A key management platform, wherein the key management platform is deployed in a dual-active mode, the platform comprising:
the data receiving module is used for receiving the key data to be verified sent by the external service system through the key verification interface;
the data distribution module is used for distributing the key data to a target key management server of a target data center by using load balancing equipment so that the target key management server sends the key data to an encryption unit;
and the data verification module is used for verifying the key data by using a randomly selected encryption machine in the encryption unit and returning a verification result to the external service system.
2. The key management platform of claim 1, wherein the data distribution module comprises:
the data center selection unit is used for selecting a target data center according to the running state of each data center and the distance between the external service system and all the data centers by using the load balancing equipment;
a server selection unit, configured to select a target key management server from all key management servers in the target data center in combination with current computing performance of each key management server in the target data center and a domain name or an IP address of the external service system;
and the key data distribution unit is used for distributing the key data to the target key management server of the target data center through load balancing equipment.
3. The key management platform of claim 1, wherein the data verification module comprises:
the key verification unit is used for verifying the key data based on a national cryptographic (SM-series) algorithm by using a randomly selected encryption machine in the encryption unit, to obtain an initial result indicating whether the key data passes verification;
and the result returning unit is used for sending the initial result to the target key management server so that the target key management server assembles the initial result based on a preset communication protocol to obtain a verification result and returns the verification result to the external service system.
4. The key management platform of claim 1, wherein the data distribution module comprises:
the first sending unit is used for distributing the key data to a target key management server of a target data center through load balancing equipment;
and the second sending unit is used for packaging the key data by using the target key management server and sending the packaged key data to the encryption unit.
5. The key management platform of any of claims 1 to 4, further comprising:
the request receiving module is used for receiving a key acquisition request initiated by the terminal equipment through the key acquisition interface;
the mapping acquisition module is used for acquiring a preset mapping relation between the basic information of the terminal equipment and a key generation protocol;
and the key generation module is used for generating a corresponding working key based on a key generation protocol corresponding to the current terminal equipment and returning the working key to the terminal equipment.
6. A key management method, applied to a key management platform deployed in a dual-active mode, the method comprising the following steps:
receiving key data to be verified sent by an external service system through a key verification interface;
distributing the key data to a target key management server of a target data center by using load balancing equipment so that the target key management server sends the key data to an encryption unit;
and verifying the key data by using a randomly selected encryption machine in the encryption unit, and returning a verification result to the external service system.
7. The key management method of claim 6, wherein the distributing the key data to the target key management server of the target data center by using the load balancing device comprises:
selecting a target data center according to the running state of each data center and the distance between the external service system and all the data centers by using load balancing equipment;
selecting a target key management server from all key management servers according to the current computing performance of each key management server in the target data center and the domain name or IP address of the external service system;
distributing the key data to the target key management server of the target data center through a load balancing device.
8. The key management method according to claim 6, wherein verifying the key data by using a randomly selected encryption machine in the encryption unit and returning a verification result to the external service system comprises:
verifying the key data based on a national cryptographic (SM-series) algorithm by using a randomly selected encryption machine in the encryption unit, to obtain an initial result indicating whether the key data passes verification;
and sending the initial result to the target key management server so that the target key management server assembles the initial result based on a preset communication protocol to obtain a verification result and returns the verification result to the external service system.
9. The key management method according to claim 6, wherein the distributing the key data to a target key management server of a target data center by using a load balancing device so that the target key management server sends the key data to an encryption unit comprises:
distributing the key data to a target key management server of a target data center through load balancing equipment;
and packaging the key data by using the target key management server, and sending the packaged key data to an encryption unit.
10. The key management method according to any one of claims 6 to 9, further comprising:
receiving a key acquisition request initiated by terminal equipment through a key acquisition interface;
acquiring a preset mapping relation between basic information of the terminal equipment and a key generation protocol;
and generating a corresponding working key based on a key generation protocol corresponding to the current terminal equipment and returning the working key to the terminal equipment.
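The verification path of claims 1 to 4 and 6 to 9, as an added example that is not the patent's own code: the load balancer selects the nearest healthy data center (claim 2), picks a key management server from the caller's domain or IP and the servers' current capacity (claim 2, done here with weighted rendezvous hashing, which is one possible realisation, not the one the patent specifies), the server packages the key data (claim 4) and hands it to a randomly chosen encryption machine, and the initial result is assembled into the reply (claim 3). The topology, the key data format, the reply fields and the test key are constructed; HMAC-SHA256 stands in for the national (SM-series) algorithms, and an unknown key id fails closed.

```python
"""Dual-active verification path: load balancer -> key management server ->
random encryption machine -> assembled result.  Example code, not the
patent's implementation."""
import hashlib
import hmac
import math
import random
from dataclasses import dataclass


@dataclass
class Hsm:
    """One encryption machine in the encryption unit, holding MAC keys by key id."""
    name: str
    keys: dict

    def verify(self, packet: dict) -> bool:
        # HMAC-SHA256 stands in for the national (SM-series) algorithms of claim 3.
        key = self.keys.get(packet["key_id"])
        if key is None:
            return False                        # unknown key id: fail closed
        expected = hmac.new(key, packet["data"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, packet["mac"])


@dataclass
class KeyServer:
    """Key management server inside a data center."""
    name: str
    capacity: float      # current computing performance; drives the load share
    hsms: list

    def package(self, key_data: dict) -> dict:
        # claim 4: wrap the key data in the envelope the encryption unit accepts
        return {"server": self.name, **key_data}

    def handle(self, key_data: dict) -> dict:
        hsm = random.choice(self.hsms)          # claim 1: a random encryption machine
        ok = hsm.verify(self.package(key_data))
        # claim 3: assemble the initial result into the reply format (fields assumed)
        return {"code": 0 if ok else 1, "result": "PASS" if ok else "FAIL",
                "server": self.name, "hsm": hsm.name}


@dataclass
class DataCenter:
    name: str
    running: bool
    distance: dict       # caller domain/IP -> distance metric (e.g. RTT in ms)
    servers: list


def select_data_center(client: str, centers: list) -> DataCenter:
    """Claim 2: nearest data center among those whose running state is healthy."""
    live = [dc for dc in centers if dc.running]
    if not live:
        raise RuntimeError("no data center available")
    return min(live, key=lambda dc: dc.distance.get(client, math.inf))


def select_server(client: str, servers: list) -> KeyServer:
    """Claim 2: choose a server from the caller's domain/IP and server capacity.
    Weighted rendezvous hashing: a caller sticks to one server, and traffic splits
    in proportion to capacity without any shared session table."""
    def score(s: KeyServer) -> float:
        h = int.from_bytes(hashlib.sha256(f"{client}|{s.name}".encode()).digest()[:8], "big")
        u = (h + 0.5) / 2.0 ** 64             # uniform in (0, 1), never exactly 0 or 1
        return -s.capacity / math.log(u)
    return max(servers, key=score)


def verify_key_data(client: str, key_data: dict, centers: list) -> dict:
    """Full path behind the key verification interface."""
    dc = select_data_center(client, centers)
    server = select_server(client, dc.servers)
    return {"data_center": dc.name, **server.handle(key_data)}


# ---- constructed sample topology and key data ----
MAC_KEYS = {"K001": bytes(range(16))}           # constructed test key, not a real one
HSMS = [Hsm("hsm-1", MAC_KEYS), Hsm("hsm-2", MAC_KEYS)]


def build_centers(a_running: bool = True) -> list:
    return [
        DataCenter("dc-a", a_running, {"pay.example.com": 5, "card.example.com": 30},
                   [KeyServer("kms-a1", 1.0, HSMS), KeyServer("kms-a2", 2.0, HSMS)]),
        DataCenter("dc-b", True, {"pay.example.com": 25, "card.example.com": 8},
                   [KeyServer("kms-b1", 1.0, HSMS), KeyServer("kms-b2", 1.0, HSMS)]),
    ]


def make_key_data(key_id: str, data: bytes, key: bytes = None) -> dict:
    """What an external service system sends: the data plus the MAC to be checked."""
    key = MAC_KEYS[key_id] if key is None else key
    return {"key_id": key_id, "data": data, "mac": hmac.new(key, data, hashlib.sha256).digest()}


if __name__ == "__main__":
    good = make_key_data("K001", b"txn:0001")
    print(verify_key_data("pay.example.com", good, build_centers()))
    print(verify_key_data("pay.example.com", good, build_centers(a_running=False)))
```

Two points the claims leave implicit and a deployment must settle: every encryption machine in the unit has to hold the same key set, or the random choice of machine turns into an intermittent verification failure, and the distance metric the load balancer uses must be refreshed from live measurements, otherwise a degraded but "running" site keeps receiving traffic.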
CN202010377103.5A 2020-05-07 2020-05-07 Key management platform and key management method Pending CN111585758A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010377103.5A CN111585758A (en) 2020-05-07 2020-05-07 Key management platform and key management method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010377103.5A CN111585758A (en) 2020-05-07 2020-05-07 Key management platform and key management method

Publications (1)

Publication Number Publication Date
CN111585758A true CN111585758A (en) 2020-08-25

Family

ID=72115162

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010377103.5A Pending CN111585758A (en) 2020-05-07 2020-05-07 Key management platform and key management method

Country Status (1)

Country Link
CN (1) CN111585758A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101877157A (en) * 2010-02-09 2010-11-03 北京江南博仁科技有限公司 Key management system and method for bank terminal security equipment
CN103051459A (en) * 2013-01-17 2013-04-17 北京印天网真科技有限公司 Management method and device of traction secrete key of safety card
CN103825698A (en) * 2014-01-20 2014-05-28 中国建设银行股份有限公司 Password security management system and method
US20150089231A1 (en) * 2013-09-26 2015-03-26 Krimmeni Technologies, Inc. Systems and methods for establishing and using distributed key servers
CN105634730A (en) * 2015-12-29 2016-06-01 中国建设银行股份有限公司 Secret key management system of financial IC card
WO2017114103A1 (en) * 2015-12-28 2017-07-06 中国银联股份有限公司 Method and apparatus for processing cloud encryptor
US20180295109A1 (en) * 2017-04-11 2018-10-11 Servicenow, Inc. System and method for securing sensitive information
CN110166234A (en) * 2019-05-21 2019-08-23 阿里巴巴集团控股有限公司 A kind of creation of business cipher key and business datum encryption method, apparatus and system
CN110460436A (en) * 2019-07-12 2019-11-15 山东三未信安信息科技有限公司 Hardware device key management method, system, storage medium and computer equipment


Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
何锡点 et al., "基于云平台的数据中心改造架构设计及关键技术" (Architecture design and key technologies for cloud-platform-based data center transformation), 网络安全技术与应用 (Network Security Technology & Application) *
刘磊, "基于可信计算技术的密码服务平台" (A cryptographic service platform based on trusted computing technology), 信息安全研究 (Journal of Information Security Research) *
樊昊, "“双活”数据中心的设计实现" (Design and implementation of a "dual-active" data center), 电信科学 (Telecommunications Science) *

Similar Documents

Publication Publication Date Title
US11895242B2 (en) Data processing method and apparatus in blockchain network, storage medium, and computer device
CN112016105B (en) Chain uplink and downlink data sharing method based on distributed prediction machine and homomorphic encryption
CN111681003B (en) Resource cross-chain transfer method and device, computer equipment and storage medium
US20210194847A1 (en) Method for Processing Cloud Service in Cloud System, Apparatus, and Device
CN102647461B (en) Communication means based on HTTP, server, terminal
JP7118281B2 (en) Integrated payment backend construction method, system, computer equipment and storage medium
US8209412B2 (en) Methods for managing a plurality of devices using protectable communication protocol, including determination of marketing feedback to assess a response to an advertisement
CN102111378A (en) Signature verification system
CN111865609A (en) Private cloud platform data encryption and decryption system based on state cryptographic algorithm
CN113225394B (en) API gateway management system based on container cluster
CN116389105B (en) Remote access management platform and management method
CN101136747B (en) Information checking system and method
KR102442169B1 (en) A method and apparatus for log verification between heterogeneous operators in edge cloud system
CN107645474A (en) Log in the method for open platform and log in the device of open platform
CN114902264A (en) Monitoring in a distributed computing system
CN111585758A (en) Key management platform and key management method
WO2022237600A1 (en) Information proxy method and apparatus
AU2021102086A4 (en) Secure Long range device to communication method for IOT devices using low power Wide Area Network (LPWAN)
CN110046893A (en) A kind of internet trading system and its network trading method based on block chain
CN117061538A (en) Consensus processing method and related device based on block chain network
CN107547563A (en) A kind of authentication method and device
CN110505205B (en) Cloud platform encryption and decryption service access method and access system
CN109587241B (en) Data sharing method and equipment
Hwang et al. Blockchain-based automatic indemnification mechanism based on proof of violation for cloud storage services
KR20210069865A (en) REST API Based Cryptocurrency Trading System

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200825