CN112632589A - Key escrow method, device, equipment and computer readable storage medium - Google Patents

Info

Publication number: CN112632589A
Application number: CN202011635724.5A
Authority: CN (China)
Prior art keywords: key, center, escrow, identity authentication, application system
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 魏帅超
Current Assignee: WeBank Co Ltd
Original Assignee: WeBank Co Ltd
Application filed by WeBank Co Ltd
Priority to CN202011635724.5A
Publication of CN112632589A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention discloses a method, a device, equipment and a computer readable storage medium for key escrow. The method comprises the following steps: a business application system obtains a key credential applied for at a key escrow center and initiates identity authentication to an identity authentication center based on the key credential; after the identity authentication is passed, a key corresponding to the key credential is obtained from the key escrow center; and a data encryption task is processed using the key. The business application system does not hold the key itself; the key is held by an independent key escrow center and can be obtained only after authentication at the identity authentication center passes. This avoids key leakage caused by code leakage and raises the security level of the business application system.

Description

Key escrow method, device, equipment and computer readable storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for key escrow.
Background
In the current internet architecture, the core services of a business application system are generally encrypted in order to raise its security level; for example, the connection information of a database, or the sensitive information stored in the database, is encrypted. In the conventional method, a developer writes the key used for encryption into a configuration file or into the program itself during development, so that the key is read for encryption and decryption when the system starts. This solves, to a certain extent, the problem of storing customers' original information in plaintext. However, because the key is written into a file, a leak of the code is very likely to leak the key as well, and with it the sensitive information, so the security is low.
Disclosure of Invention
The invention mainly aims to provide a key escrow method, a key escrow device, key escrow equipment and a computer readable storage medium, and aims to solve the technical problem that a key used for encrypting sensitive information in a business application system is written in a file and the security is low.
In order to achieve the above object, the present invention provides a key escrow method, which is applied to a business application system, and the method includes:
acquiring a key certificate applied to a key escrow center, and initiating identity authentication to an identity authentication center based on the key certificate;
after the identity authentication is passed, a key corresponding to the key certificate is obtained from the key escrow center;
and processing a data encryption task by adopting the key.
Optionally, the step of initiating identity authentication to an identity authentication center based on the key credential includes:
acquiring configuration information of the service application system;
and sending the configuration information and the key certificate to the identity authentication center so that the identity authentication center returns a result of passing authentication when finding that the configuration information and the key certificate are stored, wherein the key escrow center synchronizes the issued key certificate and the corresponding service application system configuration information to the identity authentication center when issuing the key certificate.
Optionally, after the identity authentication is passed, the step of obtaining a key corresponding to the key credential from the key escrow center includes:
receiving a key acquisition code sent by the identity authentication center, wherein the identity authentication center generates the key acquisition code after passing the identity authentication of the service application system;
sending the key acquisition code to the key escrow center for the key escrow center to verify the key acquisition code, and returning a key corresponding to the key certificate after the verification is successful;
and receiving the key sent by the key escrow center.
Optionally, the step of processing the data encryption task by using the key includes:
encrypting plaintext business data with the key and storing the encrypted ciphertext business data in a database of the business application system; or, alternatively,
and decrypting the ciphertext business data acquired from the database by using the key to obtain plaintext business data so as to perform business processing on the plaintext business data.
Optionally, the step of processing the data encryption task by using the key includes:
encrypting a plaintext message with the key to obtain a ciphertext message, and sending the ciphertext message to a target receiver; or, alternatively,
and when a ciphertext message is received, decrypting the ciphertext message by using the key to obtain a plaintext message so as to perform service processing on the plaintext message.
Optionally, the step of processing the data encryption task by using the key includes:
acquiring the plaintext database connection information generated when a database is established, encrypting the plaintext database connection information with the key, and storing the encrypted ciphertext database connection information; or, alternatively,
and when an access request to a database in the service application system is detected, acquiring ciphertext database connection information of the database, decrypting the ciphertext database connection information by adopting the key, and accessing the database based on plaintext database connection information obtained by decryption.
Optionally, before the step of obtaining the key credential applied to the key escrow center, the method further includes:
sending a key application to the key escrow center, so that the key escrow center generates a key and a key certificate according to the key application, and issues the key certificate to the business application system;
storing the key credential in a key toolkit in the business application system;
the step of obtaining the key credential applied to the key escrow center includes:
obtaining the key credential from the key toolkit.
In order to achieve the above object, the present invention further provides a key escrow device, where the key escrow device is deployed in a business application system, and the key escrow device includes:
the authentication module is used for acquiring a key certificate applied to a key escrow center and initiating identity authentication to an identity authentication center based on the key certificate;
the obtaining module is used for obtaining a key corresponding to the key certificate from the key escrow center after the identity authentication is passed;
and the processing module is used for processing the data encryption task by adopting the key.
To achieve the above object, the present invention further provides a key escrow device, including: a memory, a processor, and a key escrow program stored on the memory and executable on the processor, the key escrow program when executed by the processor implementing the steps of the key escrow method as described above.
Furthermore, to achieve the above object, the present invention also provides a computer readable storage medium, on which a key escrow program is stored, which when executed by a processor implements the steps of the key escrow method as described above.
Furthermore, to achieve the above object, the present invention also proposes a computer program product comprising a computer program which, when being executed by a processor, realizes the steps of the key escrow method as described above.
In the invention, a key is managed by a key escrow center independent of the business application system, and only the key credential corresponding to the key is stored in the business application system. After identity authentication initiated to an identity authentication center based on the key credential passes, the key corresponding to the key credential can be obtained from the key escrow center, and a data encryption task is then processed with that key. Compared with writing the key into the configuration file of the business application system, the business application system does not own the key; the key is managed in an independent key escrow center and can be acquired only by passing authentication at the identity authentication center, so key leakage caused by code leakage is avoided. An attacker who wants the sensitive information in the business application system would have to intrude into the process memory to intercept the key, or break the authentication logic of the identity authentication center; the attack difficulty is high, and the security level of the business application system is therefore improved. In addition, no developer comes into contact with or knows the key during the development and operation of the business application system, which raises the security level of the system further.
Drawings
FIG. 1 is a schematic diagram of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a first embodiment of a key escrow method according to the present invention;
FIG. 3 is a diagram of a key escrow hardware architecture according to an embodiment of the present invention;
FIG. 4 is a flowchart of a key escrow according to an embodiment of the present invention;
FIG. 5 is a block diagram of a key escrow device according to a preferred embodiment of the invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
FIG. 1 is a schematic device structure diagram of a hardware operating environment according to an embodiment of the present invention.
It should be noted that, the key escrow device in the embodiment of the present invention may be a smart phone, a personal computer, a server, and the like, and is not limited herein.
As shown in fig. 1, the key escrow device may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, and a communication bus 1002. The communication bus 1002 is used to connect these components and carry communication between them. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the device architecture shown in fig. 1 does not constitute a limitation of the key escrow device, and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a type of computer storage medium, may include an operating system, a network communication module, a user interface module, and a key escrow program therein. An operating system is a program that manages and controls the hardware and software resources of a device, supporting the operation of key escrow programs, as well as other software or programs. In the device shown in fig. 1, the user interface 1003 is mainly used for data communication with a client; the network interface 1004 is mainly used for establishing communication connection with a server; and processor 1001 may be configured to invoke a key escrow program stored in memory 1005 and perform the following operations:
acquiring a key certificate applied to a key escrow center, and initiating identity authentication to an identity authentication center based on the key certificate;
after the identity authentication is passed, a key corresponding to the key certificate is obtained from the key escrow center;
and processing a data encryption task by adopting the key.
Further, the step of initiating identity authentication to an identity authentication center based on the key credential comprises:
acquiring configuration information of the service application system;
and sending the configuration information and the key certificate to the identity authentication center so that the identity authentication center returns a result of passing authentication when finding that the configuration information and the key certificate are stored, wherein the key escrow center synchronizes the issued key certificate and the corresponding service application system configuration information to the identity authentication center when issuing the key certificate.
Further, after the identity authentication is passed, the step of obtaining a key corresponding to the key certificate from the key escrow center includes:
receiving a key acquisition code sent by the identity authentication center, wherein the identity authentication center generates the key acquisition code after passing the identity authentication of the service application system;
sending the key acquisition code to the key escrow center for the key escrow center to verify the key acquisition code, and returning a key corresponding to the key certificate after the verification is successful;
and receiving the key sent by the key escrow center.
Further, the step of processing the data encryption task by using the key comprises:
encrypting plaintext business data with the key and storing the encrypted ciphertext business data in a database of the business application system; or, alternatively,
and decrypting the ciphertext business data acquired from the database by using the key to obtain plaintext business data so as to perform business processing on the plaintext business data.
Further, the step of processing the data encryption task by using the key comprises:
encrypting a plaintext message with the key to obtain a ciphertext message, and sending the ciphertext message to a target receiver; or, alternatively,
and when a ciphertext message is received, decrypting the ciphertext message by using the key to obtain a plaintext message so as to perform service processing on the plaintext message.
Further, the step of processing the data encryption task by using the key comprises:
acquiring the plaintext database connection information generated when a database is established, encrypting the plaintext database connection information with the key, and storing the encrypted ciphertext database connection information; or, alternatively,
and when an access request to a database in the service application system is detected, acquiring ciphertext database connection information of the database, decrypting the ciphertext database connection information by adopting the key, and accessing the database based on plaintext database connection information obtained by decryption.
Further, before the step of obtaining the key credential applied to the key escrow center, the processor 1001 may be further configured to call the key escrow program stored in the memory 1005, and perform the following operations:
sending a key application to the key escrow center, so that the key escrow center generates a key and a key certificate according to the key application, and issues the key certificate to the business application system;
storing the key credential in a key toolkit in the business application system;
the step of obtaining the key credential applied to the key escrow center includes:
obtaining the key credential from the key toolkit.
Based on the above structure, various embodiments of a key escrow method are proposed.
Referring to fig. 2, fig. 2 is a flowchart illustrating a key escrow method according to a first embodiment of the present invention.
Embodiments of the present invention provide embodiments of a key escrow method, and it should be noted that although a logical order is shown in the flowcharts, in some cases, the steps shown or described may be performed in an order different from that here. The key escrow method is applied to a business application system, and the business application system can be deployed in equipment such as a smart phone, a personal computer and a server. In this embodiment, the key escrow method includes:
step S10, obtaining a key certificate applied to a key escrow center, and initiating identity authentication to an identity authentication center based on the key certificate;
In this embodiment, the business application system is a software system that processes business data and provides services, and it may be deployed on a server device. Different business application systems may also be deployed on the same device; this is not limited here. The key escrow center and the identity authentication center are service software or components independent of the business application system, and may be deployed on devices other than those hosting the business application system. In one embodiment, as shown in fig. 3, the business application system, the key escrow center and the identity authentication center are each deployed on a different hardware device.
During the development of the business application system, a developer applies for a key from the key escrow center. The key escrow center generates a key and a key credential and stores them in association with each other. The key may be generated with a common key generation algorithm and is used to encrypt and decrypt data. The key credential is the identifier corresponding to the key; it may be generated with a random number generation algorithm, and the credentials of different keys are different. The key escrow center issues the key credential to the developer. The developer configures the key credential into the business application system, either by writing it into a configuration file of the business application system or by introducing a key toolkit and configuring the credential into that toolkit; the key toolkit may bundle a mainstream encryption and decryption component for encrypting and decrypting data.
When the business application system is started or detects a data encryption task, a pre-written key certificate can be obtained, and identity authentication is initiated to an identity authentication center based on the key certificate. Specifically, the service application system may initiate an identity authentication request carrying identity information to the identity authentication center, and the identity authentication center verifies the identity information after receiving the request. The identity authentication center can preset a verification rule, when the identity information is detected to accord with the verification rule, the verification is determined to pass, otherwise, the verification is determined not to pass. The identity authentication center returns the verification result to the service application system, or the verification result can be synchronized to the key escrow center.
The identity information may be the key credential, configuration information of the business application system, and/or another preset authentication password. The configuration information may include an application ID, a name and/or a port number of the business application system, etc. When the identity information is the key credential, the identity authentication center verifies the key credential and confirms whether it is valid. In one embodiment, the key escrow center also synchronizes the key credential to the identity authentication center when issuing it; after receiving the identity authentication request, the identity authentication center searches whether the key credential carried in the request is stored. If the key credential is found, it is valid and the identity authentication passes; otherwise, the identity authentication fails. In another embodiment, the key escrow center encrypts a random number with a public key to obtain the key credential, and the identity authentication center holds the private key corresponding to that public key; after receiving the identity authentication request, the identity authentication center decrypts the key credential with the private key. If the decryption succeeds, the key credential is valid and the identity authentication passes; otherwise, the identity authentication fails.
When the identity information is the configuration information of the service application system, a developer can fill the configuration information of the service application system when applying for the key from the key escrow center; after issuing the key certificate, the key escrow center can synchronize configuration information of the service application system to the identity authentication center; after receiving the identity authentication request, the identity authentication center extracts the configuration information from the identity authentication request, and searches whether the configuration information is stored, if so, the service application system has the authority, the identity authentication is passed, otherwise, the identity authentication is not passed.
Step S20, after the identity authentication is passed, obtaining a key corresponding to the key certificate from the key escrow center;
After the identity authentication is confirmed, the business application system can acquire the key corresponding to the key credential from the key escrow center. Specifically, the business application system sends the key credential to the key escrow center. When the key escrow center has received from the identity authentication center the result that the identity authentication of the business application system passed, it looks up the key corresponding to the key credential and returns it to the business application system; when it has not received a passing result, or has received a failing result, it refuses to return the key.
The business application system receives the key returned by the key escrow center. It should be noted that the business application system only caches or temporarily holds the obtained key while it is running; the key is never written to disk, and nothing of it remains when the business application system stops, so the key cannot be leaked through a compromise of the disk.
And step S30, processing the data encryption task by using the key.
When the business application system detects a data encryption task, it processes the task with the key. Specifically, a data encryption task may be a task of encrypting data or a task of decrypting data, for example encrypting or decrypting database connection information, encrypting or decrypting data in a database, encrypting a message to be transmitted, or decrypting a received ciphertext message. It should be noted that different data encryption tasks may use different keys: the different keys are applied for separately, and each is exchanged from the key escrow center against its own key credential.
Further, if the service application system obtains the key after being started, the key can be temporarily stored in the key toolkit after being started. And when the data encryption task is detected, calling a key toolkit to process the data encryption task by adopting the key.
In this embodiment, a key is escrowed by a key escrow center independent of the business application system, and only the key credential corresponding to the key is stored in the business application system. After identity authentication initiated to an identity authentication center based on the key credential passes, the key corresponding to the key credential can be obtained from the key escrow center and used to process a data encryption task. Compared with writing the key into the configuration file of the business application system, the business application system in this embodiment does not own the key; the key is escrowed in an independent key escrow center and can be acquired only by authenticating at the identity authentication center, so key leakage caused by code leakage is avoided. In addition, no developer comes into contact with or knows the key during the development and operation of the business application system, which raises the security level of the system further.
Further, based on the first embodiment described above, a second embodiment of the key escrow method of the present invention is provided, in this embodiment, the step of initiating identity authentication to an identity authentication center based on the key credential in step S10 includes:
step S101, obtaining configuration information of the service application system;
in this embodiment, the identity information may include a key credential and configuration information of the business application system.
Specifically, the service application system first obtains its own configuration information. The configuration information may be obtained from a configuration file of the service application system.
Step S102, sending the configuration information and the key certificate to the identity authentication center, so that the identity authentication center returns a result of passing authentication when finding that the configuration information and the key certificate are stored, wherein the key escrow center synchronizes the issued key certificate and the corresponding service application system configuration information to the identity authentication center when issuing the key certificate.
The service application system sends the configuration information and the key certificate to the identity authentication center, namely, sends an identity authentication request carrying the configuration information and the key certificate. After receiving the authentication request, or after receiving the configuration information and the key certificate, the identity authentication center searches whether the configuration information and the key certificate are stored. Specifically, when the key escrow center issues the key certificate, the issued key certificate and the configuration information of the business application system corresponding to the key certificate can be synchronized to the identity authentication center, and the identity authentication center stores the configuration information and the key certificate in an associated manner. When the identity authentication center finds that the identity authentication center stores the configuration information and the key certificate sent by the service application system, the identity authentication center indicates that the identity information sent by the service application system is valid, and at the moment, the identity authentication center returns the result of passing authentication to the service application system. If the identity information is not found, the identity information sent by the service application system is invalid, and at the moment, the result of authentication failure is returned to the service application system, or no response is made.
In this embodiment, the service application system needs to send the correct key certificate and the configuration information to the identity authentication center to acquire the key, and an attacker needs to intercept the correct key certificate and the configuration information to be authenticated in the identity authentication center, so that the attack difficulty is increased, and the security level of the service application system is further increased.
Further, the step S20 includes:
step S201, receiving a key acquisition code sent by the identity authentication center, wherein the identity authentication center generates the key acquisition code after passing the identity authentication of the service application system;
in one embodiment, after the identity authentication center passes the identity authentication of the service application system, a key acquisition code may be generated and sent to the service application system. The identity authentication center may generate the key acquisition code by using a preset algorithm, for example, a random number generation algorithm, a verification code generation algorithm, and the like, which is not limited herein.
Step S202, sending the key acquisition code to the key escrow center for the key escrow center to verify the key acquisition code, and returning a key corresponding to the key certificate after the verification is successful;
The business application system sends the key acquisition code to the key escrow center, which verifies it and, only if verification succeeds, returns the key corresponding to the key certificate. Specifically, the identity authentication center may store the key acquisition code together with the key certificate in a preset database that is shared with the key escrow center. When the key escrow center receives a key acquisition code from the service application system, it looks the code up in that database: if the code is found, verification succeeds, the key certificate associated with the code is read from the database, and the key corresponding to that certificate is returned to the service application system; if the code is not found, verification fails and no key is returned. Further, when the code is found, the key escrow center may also read the timestamp at which the identity authentication center stored the code in the database and treat verification as failed if the time elapsed from that timestamp to the current time exceeds a preset maximum duration, succeeding otherwise. This additional time check further raises the attacker's cost, since an intercepted code is usable only inside that window.
Alternatively, the identity authentication center generates the key acquisition code with an algorithm and the key escrow center is configured with the matching verification algorithm, which it applies to every key acquisition code it receives from the service application system. For example, the identity authentication center may generate a random number, concatenate the key certificate with the random number, encrypt the result with a pre-configured public key, and use the ciphertext as the key acquisition code; the key escrow center holds the private key corresponding to that public key and decrypts each received key acquisition code with it. If decryption succeeds, verification succeeds, the key certificate is extracted from the decrypted result, and the key corresponding to that certificate is returned to the business application system; if decryption fails, verification fails and no key is returned. Two conditions make this variant sound in practice: decryption must be a test that can actually fail, which requires a padding scheme with an integrity check (textbook RSA "decrypts" any input to some value), and the pre-configured public key must be held only by the identity authentication center, because anyone holding it could produce a well-formed key acquisition code for any key certificate.
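The public-key variant of the key acquisition code, written out as an added example in Go; this is not code from the patent or from WeBank, and the function names, the 16-byte random number, the OAEP label and the in-memory escrow record are all assumptions made here. RSA-OAEP is chosen precisely because its padding check makes "decryption failed" a reliable verdict on a tampered or foreign code:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// OAEP label (assumption): a ciphertext made under the same key pair for any other purpose
// fails to decrypt with this label.
var codeLabel = []byte("key-acquisition-code")

const nonceLen = 16 // fixed length so the key certificate can be split off the decrypted result

// IssueCode is the identity authentication center's side: generate a random number,
// concatenate it with the key certificate, encrypt under the escrow center's pre-configured public key.
func IssueCode(pub *rsa.PublicKey, credential string) ([]byte, error) {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := append([]byte(credential), nonce...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, codeLabel)
}

// VerifyCode is the escrow center's side: decrypt with the private key and recover the certificate.
// OAEP's padding check is what turns "decryption succeeded" into a real test.
func VerifyCode(priv *rsa.PrivateKey, code []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, code, codeLabel)
	if err != nil {
		return "", errors.New("key acquisition code verification failed")
	}
	if len(plain) <= nonceLen {
		return "", errors.New("malformed key acquisition code")
	}
	return string(plain[:len(plain)-nonceLen]), nil
}

// RedeemKey verifies the code, then looks the embedded certificate up in the escrow records;
// a well-formed code naming an unknown certificate is still refused.
func RedeemKey(priv *rsa.PrivateKey, code []byte, records map[string][]byte) ([]byte, error) {
	cred, err := VerifyCode(priv, code)
	if err != nil {
		return nil, err
	}
	key, ok := records[cred]
	if !ok {
		return nil, errors.New("no key for certificate " + cred)
	}
	return key, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	records := map[string][]byte{"cred-7f3a": make([]byte, 32)} // constructed escrow record
	code, _ := IssueCode(&priv.PublicKey, "cred-7f3a")
	key, err := RedeemKey(priv, code, records)
	fmt.Printf("valid code: %d-byte key, err=%v\n", len(key), err)
	code[len(code)-1] ^= 0x01 // one flipped bit in the code
	_, err = RedeemKey(priv, code, records)
	fmt.Println("tampered code:", err)
}
```

The random number is what makes two codes for the same certificate differ, but it is not checked for freshness here; if codes must also be single-use, the escrow center has to remember redeemed codes, as the shared-database variant above does with its timestamp.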
Step S203, receiving the key sent by the key escrow center.
The business application system receives the key sent from the key escrow center, and can process a data encryption task in the business application system based on the key.
In this embodiment, after identity authentication passes, the service application system must first exchange its key certificate for a temporary key acquisition code at the identity authentication center, and only a correct key acquisition code lets it obtain the key from the key escrow center. Because the identity authentication center delivers the key acquisition code only to the service application system that passed identity authentication, an attacker who initiates identity authentication from an attack program does not receive the code and therefore cannot obtain the key from the key escrow center. This further raises the attack difficulty and the security level of the system.
In one embodiment, as shown in fig. 4, a product person applies for a key through a key service provided by a key escrow center, the key escrow center generates a key and a key certificate, and issues the key certificate to the product person. And synchronizing the key certificate to a developer of the service application system by the product personnel, configuring the key certificate into the service application system by the developer, and deploying the service application system. After the service application system is started, identity authentication is automatically initiated to an identity authentication center, and after the authentication is passed, a secret key is obtained from a secret key escrow center. When a client service request sent by an external application is received, a key is adopted to encrypt or decrypt information related in the service processing logic, and after the service processing logic is completed, a service processing result is returned to the client, namely the external application.
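The end-to-end flow of fig. 4, from the key application of step S40 (described further below) through identity authentication with certificate plus configuration and the shared-database key acquisition code with its timestamp check, as an added example in Go. It is not code from the patent or from WeBank: the three in-process structs stand in for the three systems, the shared Go map stands in for the preset database shared by both centers, and the "used" flag (a code can be redeemed once) is an assumption added here that the text does not state.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Record kept by the key escrow center for each issued key certificate.
type escrowRecord struct {
	key    []byte // the data key; it leaves the escrow center only through FetchKey
	config string // configuration information of the business application system that applied
}

// One row of the preset database shared by both centers (key acquisition code -> entry).
type codeEntry struct {
	credential string    // key certificate the code was issued for
	issuedAt   time.Time // timestamp used for the maximum-duration check
	used       bool      // assumption added here: a code can be redeemed only once
}

type KeyEscrowCenter struct {
	records map[string]escrowRecord
	codes   map[string]codeEntry // the shared database
	maxAge  time.Duration        // preset maximum duration of a key acquisition code
}

type IdentityAuthCenter struct {
	registered map[string]string    // key certificate -> configuration synchronized at issuance
	codes      map[string]codeEntry // the same shared database
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// NewSystem wires both centers to one shared code database.
func NewSystem(maxAge time.Duration) (*KeyEscrowCenter, *IdentityAuthCenter) {
	shared := map[string]codeEntry{}
	kec := &KeyEscrowCenter{records: map[string]escrowRecord{}, codes: shared, maxAge: maxAge}
	iac := &IdentityAuthCenter{registered: map[string]string{}, codes: shared}
	return kec, iac
}

// ApplyKey is step S40: generate key and certificate, store them associated, and
// synchronize certificate plus configuration to the identity authentication center.
func (k *KeyEscrowCenter) ApplyKey(config string, iac *IdentityAuthCenter) string {
	cred := "cred-" + randomHex(16)
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	k.records[cred] = escrowRecord{key: key, config: config}
	iac.registered[cred] = config
	return cred
}

// Authenticate is steps S101/S102 plus S201: certificate and configuration must both match
// what was synchronized; only then is a fresh key acquisition code issued and stored.
func (a *IdentityAuthCenter) Authenticate(config, credential string, now time.Time) (string, error) {
	want, ok := a.registered[credential]
	if !ok || want != config {
		return "", errors.New("identity authentication failed")
	}
	code := randomHex(32)
	a.codes[code] = codeEntry{credential: credential, issuedAt: now}
	return code, nil
}

// FetchKey is step S202 on the escrow side: look the code up, enforce the maximum duration
// from the stored timestamp, mark it used, and return the key for the associated certificate.
func (k *KeyEscrowCenter) FetchKey(code string, now time.Time) ([]byte, error) {
	e, ok := k.codes[code]
	if !ok || e.used {
		return nil, errors.New("unknown or already redeemed key acquisition code")
	}
	if now.Sub(e.issuedAt) > k.maxAge {
		return nil, errors.New("key acquisition code expired")
	}
	e.used = true
	k.codes[code] = e
	return k.records[e.credential].key, nil
}

func main() {
	kec, iac := NewSystem(30 * time.Second)
	config := "app=ledger-service;host=10.0.0.5" // constructed configuration information
	cred := kec.ApplyKey(config, iac)             // the certificate the developer configures into the toolkit
	code, err := iac.Authenticate(config, cred, time.Now())
	if err != nil {
		panic(err)
	}
	key, err := kec.FetchKey(code, time.Now())
	fmt.Printf("key obtained: %d bytes, err=%v\n", len(key), err)
	_, err = iac.Authenticate("app=attacker;host=203.0.113.7", cred, time.Now())
	fmt.Println("intercepted certificate with attacker's configuration:", err)
	_, err = kec.FetchKey(code, time.Now())
	fmt.Println("replayed code:", err)
}
```

In a deployment the two centers would not share process memory; the shared map is the point where a real database sits, and the timestamp comparison then has to use the database's clock rather than each center's own.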
Further, based on the first and/or second embodiments, a third embodiment of the key escrow method according to the present invention is provided, in this embodiment, the step S30 includes:
step S301, encrypting plaintext service data by using the secret key, and storing the encrypted ciphertext service data into a database of the service application system;
in this embodiment, when the business application system executes the business logic, the business application system needs to store the business data in the database of the business application system, or needs to acquire the business data from the database for processing. For example, a new user applies for a new account in a business application system through a client, the business application system needs to store information of the new account in a database, and for example, when the user queries own account information from the business application system through the client, the business application system needs to obtain the account information from the database and return the account information to the client for the user to view. Therefore, the service data may be sensitive data related to user privacy or enterprise privacy, and needs to be encrypted when being stored in the database, so as to prevent the sensitive information from being directly exposed when the database is stolen.
When the business application system detects plaintext business data needing to be encrypted, the obtained secret key is adopted to encrypt the plaintext business data to obtain ciphertext business data, and the ciphertext business data is stored in a database of the business application system to ensure that sensitive data in the database is in a ciphertext state.
Step S302, decrypting the ciphertext business data obtained from the database with the key to obtain plaintext business data, so as to perform business processing on the plaintext business data.
When the service application system obtains the service data from the database and the service data is the ciphertext, the service application system can decrypt the ciphertext service data by using the obtained key to obtain plaintext service data, and then perform subsequent service processing operation on the plaintext service data.
Further, the step S30 includes:
step S303, encrypting a plaintext message by using the key to obtain a ciphertext message, and sending the ciphertext message to a target receiver;
When the service application system executes its service logic it needs to exchange service data with other systems, and some of that data is sensitive, so it must be encrypted to avoid being stolen in transit.
The service data is transmitted in a message form, when a service application system detects a plaintext message to be encrypted, the plaintext message is encrypted by using an obtained key to obtain a ciphertext message, and the ciphertext message is transmitted to a target receiver, so that the information is in a ciphertext state in the information transmission process. After receiving the ciphertext message, the target receiver can decrypt and process the ciphertext message.
Step S304, when receiving the ciphertext message, decrypting the ciphertext message by using the key to obtain a plaintext message, so as to perform service processing on the plaintext message.
When the business application system receives a ciphertext message, it decrypts the message with the obtained key to recover the plaintext message and then carries out the subsequent business processing on that plaintext message.
Further, the step S30 includes:
step S305, obtaining plaintext database connection information generated when a database is established, encrypting the plaintext database connection information by adopting the secret key, and storing encrypted ciphertext database connection information;
When the service application system creates a database whose data needs privacy protection or access control, database connection information is generated; it may be a password set by a user or a generated random number. The service application system obtains this plaintext connection information and encrypts it with the obtained key to produce ciphertext database connection information, which it can either store itself or return to the client that applied for the database.
Step S306, when detecting the access request to the database in the service application system, acquiring the ciphertext database connection information of the database, decrypting the ciphertext database connection information by adopting the key, and accessing the database based on the plaintext database connection information obtained by decryption.
When an access request to a database in a business application system is detected, ciphertext database connection information of the database can be obtained from the access request or the business application system, and the obtained secret key is used for decrypting the ciphertext database connection information to obtain plaintext database connection information. The business application system accesses the database based on the plaintext database connection information.
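Steps S301 to S306 all apply the fetched key to three kinds of data: records at rest, messages in transit, and database connection information decrypted only at connect time. The added Go example below is not code from the patent or from WeBank; it assumes a 32-byte key (AES-256-GCM, an authenticated mode, so any tampering with a stored row or a message is detected) and binds a purpose string into each ciphertext as associated data, which is an addition beyond the text: it stops a blob sealed as one kind of thing from being accepted as another. The function names and the sample record and connection string are constructed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Purpose strings (assumption) are bound into the ciphertext as associated data.
const (
	PurposeRecord  = "db-record"     // S301/S302: business data stored in the database
	PurposeMessage = "message"       // S303/S304: messages exchanged with other systems
	PurposeDBConn  = "db-connection" // S305/S306: database connection information
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM; the result is nonce || ciphertext || tag.
func Seal(key, plaintext []byte, purpose string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(purpose)), nil
}

// Open reverses Seal and fails on any change to the blob, the key, or the purpose.
func Open(key, blob []byte, purpose string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(purpose))
}

// SealConnectionInfo is step S305: the plaintext connection string is encrypted once and
// only the ciphertext is kept by the business application system.
func SealConnectionInfo(key []byte, plainConn string) ([]byte, error) {
	return Seal(key, []byte(plainConn), PurposeDBConn)
}

// Connect is step S306: decrypt the connection information at the moment of access and hand
// it to dial, which stands in for the real database driver.
func Connect(key, encConn []byte, dial func(conn string) error) error {
	conn, err := Open(key, encConn, PurposeDBConn)
	if err != nil {
		return err
	}
	return dial(string(conn))
}

func main() {
	key := make([]byte, 32) // in the patent's flow this is the key fetched from the escrow center
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	row, _ := Seal(key, []byte(`{"account":"acct-1","phone":"13800000000"}`), PurposeRecord) // constructed record
	back, err := Open(key, row, PurposeRecord)
	fmt.Printf("stored %d ciphertext bytes, read back %s (err=%v)\n", len(row), back, err)
	_, err = Open(key, row, PurposeMessage)
	fmt.Println("record presented as a message:", err)
	enc, _ := SealConnectionInfo(key, "postgres://svc:s3cret@db.internal:5432/ledger") // constructed
	err = Connect(key, enc, func(conn string) error { fmt.Println("dialing", conn); return nil })
	fmt.Println("connect err:", err)
}
```

Note that AES-GCM with random 96-bit nonces should not be used for more than about 2^32 encryptions under one key; a service that encrypts every row and every message under the single escrowed key needs key rotation or a derived per-purpose key well before that.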
Further, based on the first, second and/or third embodiments, a fourth embodiment of the key escrow method according to the present invention is proposed, in this embodiment, before step S10, the method further includes:
step S40, sending a key application to the key escrow center, so that the key escrow center generates a key and a key certificate according to the key application, and issues the key certificate to the business application system;
in this embodiment, the service application system may automatically send a key application to the key escrow center after being started, where the key application may carry description information such as a type of a key to be applied, and may also carry configuration information of the service application system. After receiving the key application, the key escrow center generates a key and a key certificate; if the key application carries description information about the key type and the like, a key meeting the description information requirement can be generated. And the key escrow center stores the key certificate and the key association and issues the key certificate to the business application system. The key escrow center can also synchronize the key certificate and the configuration information to the identity authentication center so that the identity authentication center can authenticate the identity authentication request initiated by the service application system.
Step S50, storing the key certificate in the key tool kit in the service application system;
after receiving the key certificate issued by the key escrow center, the business application system stores the key certificate in a key tool kit in the business application system.
The step of acquiring the key credential applied to the key escrow center in step S10 includes:
step S103, obtaining the key credential from the key toolkit.
When the business application system detects the data encryption task, the key certificate can be obtained from the key toolkit, identity authentication is initiated to the identity authentication center based on the key certificate, after the authentication is passed, the key escrow center obtains the key corresponding to the key certificate, and then the data encryption task is processed by adopting the key.
It should be noted that the service application system holds the key only in the running key toolkit; when the service application system stops running, the memory of the key toolkit is released and the data in it, including the key, is cleared, so that an attacker cannot recover the key from the program, which improves the security of the service application system. In practice the key buffer should be explicitly overwritten before release rather than relying on the runtime to clear freed memory.
In addition, an embodiment of the present invention further provides a key escrow device, where the device is deployed in a business application system, and with reference to fig. 5, the device includes:
the authentication module 10 is configured to obtain a key credential applied to a key escrow center, and initiate identity authentication to an identity authentication center based on the key credential;
an obtaining module 20, configured to obtain, from the key escrow center, a key corresponding to the key credential after the identity authentication is passed;
and the processing module 30 is configured to process the data encryption task by using the key.
Further, the authentication module 10 includes:
a first obtaining unit, configured to obtain configuration information of the service application system;
the first sending unit is configured to send the configuration information and the key credential to the identity authentication center, so that the identity authentication center returns a result of passing authentication when finding that the configuration information and the key credential are stored, where the key escrow center synchronizes the issued key credential and the corresponding service application system configuration information to the identity authentication center when issuing the key credential.
Further, the obtaining module 20 includes:
the first receiving unit is used for receiving a key acquisition code sent by the identity authentication center, wherein the identity authentication center generates the key acquisition code after passing the identity authentication of the service application system;
the second sending unit is used for sending the key acquisition code to the key escrow center so that the key escrow center can verify the key acquisition code, and returning a key corresponding to the key certificate after the key acquisition code is successfully verified;
and the second receiving unit is used for receiving the key sent by the key escrow center.
Further, the processing module 30 includes:
the first encryption unit is used for encrypting the plaintext business data by adopting the secret key and storing the encrypted ciphertext business data into a database of the business application system; or
and the first decryption unit is used for decrypting the ciphertext business data acquired from the database by adopting the key to obtain plaintext business data so as to perform business processing on the plaintext business data.
Further, the processing module 30 includes:
the second encryption unit is used for encrypting a plaintext message by adopting the key to obtain a ciphertext message and sending the ciphertext message to a target receiver; or
and the second decryption unit is used for decrypting the ciphertext message by adopting the key to obtain a plaintext message when the ciphertext message is received so as to perform service processing on the plaintext message.
Further, the processing module 30 includes:
a third encryption unit, used for acquiring plaintext database connection information generated when a database is established, encrypting the plaintext database connection information by adopting the secret key, and storing encrypted ciphertext database connection information; or
and a third decryption unit, used for, when an access request to a database in the service application system is detected, acquiring ciphertext database connection information of the database, decrypting the ciphertext database connection information by adopting the key, and accessing the database based on plaintext database connection information obtained by decryption.
Further, the device further includes:
a second obtaining unit, configured to send a key application to the key escrow center, so that the key escrow center generates a key and a key credential according to the key application, and issues the key credential to the service application system;
the storage unit is used for storing the key certificate in a key tool kit in the service application system;
the authentication module 10 includes:
a third obtaining unit, configured to obtain the key credential from the key toolkit.
The specific embodiments of the key escrow device of the present invention are essentially the same as the embodiments of the key escrow method and are not described here again.
Furthermore, an embodiment of the present invention provides a computer-readable storage medium on which a key escrow program is stored; when executed by a processor, the key escrow program implements the steps of the key escrow method described above. The invention also proposes a computer program product comprising a computer program which, when executed by a processor, implements the steps of the key escrow method described above.
The embodiments of the key escrow device, the computer readable storage medium, and the computer program product of the present invention may refer to the embodiments of the key escrow method of the present invention, and are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (11)

1. A method for key escrow, the method being applied to a business application system, the method comprising:
acquiring a key certificate applied to a key escrow center, and initiating identity authentication to an identity authentication center based on the key certificate;
after the identity authentication is passed, a key corresponding to the key certificate is obtained from the key escrow center;
and processing a data encryption task by adopting the key.
2. The key escrow method of claim 1, wherein the step of initiating authentication to an authentication center based on the key credential comprises:
acquiring configuration information of the service application system;
and sending the configuration information and the key certificate to the identity authentication center so that the identity authentication center returns a result of passing authentication when finding that the configuration information and the key certificate are stored, wherein the key escrow center synchronizes the issued key certificate and the corresponding service application system configuration information to the identity authentication center when issuing the key certificate.
3. The key escrow method of claim 1, wherein obtaining the key corresponding to the key credential from the key escrow center after the identity authentication is passed comprises:
receiving a key acquisition code sent by the identity authentication center, wherein the identity authentication center generates the key acquisition code after passing the identity authentication of the service application system;
sending the key acquisition code to the key escrow center for the key escrow center to verify the key acquisition code, and returning a key corresponding to the key certificate after the verification is successful;
and receiving the key sent by the key escrow center.
4. The key escrow method of claim 1, wherein the step of processing a data encryption task with the key comprises:
encrypting the plaintext service data by adopting the key, and storing the encrypted ciphertext service data into a database of the service application system; or
and decrypting the ciphertext business data acquired from the database by using the key to obtain plaintext business data so as to perform business processing on the plaintext business data.
5. The key escrow method of claim 1, wherein the step of processing a data encryption task with the key comprises:
encrypting a plaintext message by using the key to obtain a ciphertext message, and sending the ciphertext message to a target receiver; or
and when a ciphertext message is received, decrypting the ciphertext message by using the key to obtain a plaintext message so as to perform service processing on the plaintext message.
6. The key escrow method of claim 1, wherein the step of processing a data encryption task with the key comprises:
acquiring plaintext database connection information generated when a database is established, encrypting the plaintext database connection information by adopting the secret key, and storing encrypted ciphertext database connection information; or
and when an access request to a database in the service application system is detected, acquiring ciphertext database connection information of the database, decrypting the ciphertext database connection information by adopting the key, and accessing the database based on plaintext database connection information obtained by decryption.
7. The key escrow method of any one of claims 1 to 6, wherein the step of obtaining the key credential applied for by the key escrow center is preceded by:
sending a key application to the key escrow center, so that the key escrow center generates a key and a key certificate according to the key application, and issues the key certificate to the business application system;
storing the key certificate in a key tool kit in the service application system;
the step of obtaining the key credential applied to the key escrow center includes:
obtaining the key credential from the key toolkit.
8. A key escrow apparatus, the apparatus being deployed in a business application system, the apparatus comprising:
the authentication module is used for acquiring a key certificate applied to a key escrow center and initiating identity authentication to an identity authentication center based on the key certificate;
the obtaining module is used for obtaining a key corresponding to the key certificate from the key escrow center after the identity authentication is passed;
and the processing module is used for processing the data encryption task by adopting the key.
9. A key escrow device, the key escrow device comprising: memory, a processor and a key escrow program stored on the memory and executable on the processor, the key escrow program when executed by the processor implementing the steps of the key escrow method of any of claims 1 to 7.
10. A computer-readable storage medium, having stored thereon a key escrow program that, when executed by a processor, implements the steps of the key escrow method of any one of claims 1 to 7.
11. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, realizes the steps of the key escrow method according to any one of claims 1 to 7.
CN202011635724.5A 2020-12-31 2020-12-31 Key escrow method, device, equipment and computer readable storage medium Pending CN112632589A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011635724.5A CN112632589A (en) 2020-12-31 2020-12-31 Key escrow method, device, equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011635724.5A CN112632589A (en) 2020-12-31 2020-12-31 Key escrow method, device, equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN112632589A true CN112632589A (en) 2021-04-09

Family

ID=75289949

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011635724.5A Pending CN112632589A (en) 2020-12-31 2020-12-31 Key escrow method, device, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN112632589A (en)

Similar Documents

Publication Publication Date Title
US11799656B2 (en) Security authentication method and device
US11968206B2 (en) Non-custodial tool for building decentralized computer applications
US20140270179A1 (en) Method and system for key generation, backup, and migration based on trusted computing
CN106452764B (en) Method for automatically updating identification private key and password system
CN111708991A (en) Service authorization method, service authorization device, computer equipment and storage medium
WO2022142629A1 (en) User data processing method and apparatus, computer device, and storage medium
JP2004288169A (en) Network connection system
WO2009110457A1 (en) Authentication information generation system, authentication information generation method, and authentication information generation program utilizing a client device and said method
KR20170019308A (en) Method for providing trusted right information, method for issuing user credential including trusted right information, and method for obtaining user credential
CN112765637A (en) Data processing method, password service device and electronic equipment
US20110154436A1 (en) Provider Management Methods and Systems for a Portable Device Running Android Platform
CN106992978B (en) Network security management method and server
CN111786996A (en) Cross-domain synchronous login state method and device and cross-domain synchronous login system
CN108667800B (en) Access authority authentication method and device
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN104901967A (en) Registration method for trusted device
CN112261103A (en) Node access method and related equipment
WO2019234801A1 (en) Service provision system and service provision method
CN110287725B (en) Equipment, authority control method thereof and computer readable storage medium
CN112632589A (en) Key escrow method, device, equipment and computer readable storage medium
CN111586011A (en) Information sharing method and device
CN111246480A (en) Application communication method, system, equipment and storage medium based on SIM card
CN114021094B (en) Remote server login method, electronic device and storage medium
CN112769560B (en) Key management method and related device
CN113727057B (en) Network access authentication method, device and equipment for multimedia conference terminal and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination