CN112713994A - Distributed key hierarchical management system under complex network - Google Patents


Info

Publication number: CN112713994A
Authority: CN (China)
Prior art keywords: key, management system, key management, module, encryption
Legal status: Pending
Application number: CN202011599383.0A
Other languages: Chinese (zh)
Inventors: 朱云, 李元骅, 乐宏彦
Current assignee: Beijing Shudun Information Technology Co ltd
Original assignee: Beijing Shudun Information Technology Co ltd
Priority date: 2020-12-30
Filing date: 2020-12-30
Publication date: 2021-04-27

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key or password length, or different strong and weak cryptographic algorithms
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party

Abstract

The invention provides a distributed key hierarchical management system under a complex network. It relates to the technical field of key management and comprises a primary key management system, a secondary key management system and a database, wherein: the primary key management system is used for encrypting the service key and obtaining the encrypted service key again; the secondary key management system is used for registering with the primary key management system and exchanging the public key certificates of both parties; and the database is used for storing the service key. The invention enables hierarchical, domain-divided deployment of the key management system. This mode copes well with the deployment problem of a large-scale complex network: keys in different areas are isolated, so that when a key in one area is leaked the other areas are not affected; applications access the nearest key management system, which improves the quality of service of the key management system and benefits the client.

Description

Distributed key hierarchical management system under complex network
Technical Field
The invention relates to the technical field of key management, in particular to a distributed key hierarchical management system in a complex network.
Background
In the prior art, the need for keys in different areas is generally met by centralized key management together with key issuance. Although this is simple to implement, it has a number of disadvantages:
(1) Centralized key management is a security risk: if the key management system is compromised, all keys can be leaked.
(2) If the key management center goes down or its service becomes abnormal, the service of the whole system is interrupted.
(3) A single key management center is a performance bottleneck, both in processing capacity and in network communication.
(4) Under complex network conditions, remote calls to a single key management center are inefficient and unreliable.
Disclosure of Invention
The invention aims to provide a distributed key hierarchical management system under a complex network, which enables hierarchical, domain-divided deployment of the key management system, copes well with the deployment problem of a large-scale complex network, isolates the keys of different areas so that leakage of a key in one area does not affect the other areas, lets applications access the nearest key management system, improves the quality of service of the key management system, and benefits the customer.
To achieve this purpose, the invention is realized by the following technical scheme: the distributed key hierarchical management system under a complex network comprises a primary key management system, a secondary key management system and a database, wherein:
the primary key management system is used for encrypting the service key and obtaining the encrypted service key again;
the secondary key management system is used for registering with the primary key management system and exchanging the public key certificates of both parties;
the database is used for storing service keys;
the primary key management system is bidirectionally connected with the secondary key management system, and the secondary key management system is bidirectionally connected with the database.
Preferably, the secondary key management system is further configured to read the service key from the database.
Preferably, the primary key management system and the secondary key management system each include a system key unit, a service key unit and a key-management encryption key (KM-KEK) module, wherein:
the system key unit is used for encrypting various cryptographic resources and computing their check values;
the service key unit is used for encryption and cryptographic operations;
the key-management encryption key module is used for encryption protection of keys and sensitive information while they are in transit.
Preferably, the primary key management system and the secondary key management system each further include a device key pair module:
the device key pair module is used for authentication between different devices and for negotiating the keys of the encrypted channel between them.
Preferably, the device key pair module performs authentication and encrypted-channel negotiation between different devices using a device public/private key pair, and the device public and private keys are stored statically, as ciphertext, in a secure storage area of the device.
Preferably, the system key unit includes a system master key module and a system authentication key module:
the system master key module is used for encrypting the various cryptographic resources in the system and in the database;
the system authentication key module is used for computing the check value over the user's key binding information.
Preferably, the system authentication key module is further configured to store the computed check value in the database as ciphertext.
Preferably, the service key unit includes an encryption symmetric key module and a message authentication key module, wherein:
the encryption symmetric key module is used for encryption and authentication operations on the services of a user or application;
the message authentication key module is used for authentication operations with the service key of a user or application.
Preferably, the various cryptographic resources include the symmetric keys of the user or application and the private keys of their asymmetric key pairs.
Preferably, the results of the encryption and authentication operations of the encryption symmetric key module are encrypted by the system master key module before being stored in the database.
The invention provides a distributed key hierarchical management system under a complex network. The system has the following beneficial effects:
it enables hierarchical, domain-divided deployment of the key management system; this mode copes well with the deployment problem of a large-scale complex network; keys in different areas are isolated, so that when a key in one area is leaked the other areas are not affected; applications access the nearest key management system, which improves the quality of service of the key management system and benefits the client.
Drawings
FIG. 1 is a schematic diagram of a distributed key hierarchical management system under a complex network according to the present invention;
FIG. 2 is a diagram of a single system of a distributed key hierarchy management system in a complex network according to the present invention;
FIG. 3 is a diagram of the key interaction between the distributed key hierarchical management system under a complex network according to the present invention and the cryptographic server system;
fig. 4 is a flow chart of the operation of the service key of the distributed key hierarchical management system in the complex network according to the present invention.
In the figure: 1. a primary key management system; 2. a secondary key management system; 3. a database.
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention; it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments, and all other embodiments obtained by those skilled in the art without any inventive work are within the scope of the present invention.
In the description of the present invention, it should be noted that the terms "upper", "lower", "inner", "outer", "top/bottom", and the like indicate orientations or positional relationships based on those shown in the drawings, and are only for convenience of description and simplification of description, but do not indicate or imply that the referred device or element must have a specific orientation, be constructed in a specific orientation, and be operated, and thus should not be construed as limiting the present invention. Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "disposed," "sleeved/connected," "connected," and the like are to be construed broadly, e.g., "connected," which may be fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; the two components can be directly connected or indirectly connected through an intermediate medium, and the two components can be communicated with each other; the specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Example 1:
referring to fig. 1-2, a distributed key hierarchical management system under a complex network includes a primary key management system 1, a secondary key management system 2 and a database 3, where:
the primary key management system 1 is configured to transcrypt (re-encrypt) the service key and to retrieve the transcrypted service key;
the secondary key management system 2 is used for registering with the primary key management system 1 and exchanging the public key certificates of both parties;
the database 3 is used to store the service key;
the primary key management system 1 is bidirectionally connected with the secondary key management system 2, and the secondary key management system 2 is bidirectionally connected with the database 3.
Specifically, the secondary key management system 2 is also configured to read the service key from the database 3.
Specifically, the primary key management system 1 and the secondary key management system 2 both include a system key unit, a service key unit and a key-management encryption key (KM-KEK) module, wherein:
the system key unit is used for encrypting various cryptographic resources and computing their check values;
the service key unit is used for encryption and cryptographic operations;
the key-management encryption key module is used for encryption protection of keys and sensitive information while they are in transit.
Specifically, the primary key management system 1 and the secondary key management system 2 each further include a device key pair module:
the device key pair module is used for authentication between different devices and for negotiating the keys of the encrypted channel between them.
Specifically, the device key pair module performs authentication and encrypted-channel negotiation between different devices using a device public/private key pair, and the device public and private keys are stored statically, as ciphertext, in a secure storage area of the device.
Specifically, the system key unit includes a system master key module and a system authentication key module:
the system master key module is used for encrypting the various cryptographic resources in the system and in the database 3, where the various cryptographic resources include the symmetric keys of a user or application and the private keys of their asymmetric key pairs;
the system authentication key module is used for computing the check value over the user's key binding information.
Specifically, the system authentication key module is further configured to store the computed check value in the database 3 as ciphertext.
Specifically, the service key unit includes an encryption symmetric key module and a message authentication key module, where:
the encryption symmetric key module is used for encryption and authentication operations on the services of a user or application;
the message authentication key module is used for authentication operations with the service key of a user or application.
Specifically, the results of the encryption and authentication operations of the encryption symmetric key module are encrypted by the system master key module before being stored in the database 3.
In the invention, the key management system consists of two levels. The primary key management system 1 does not interact directly with other business systems; it mainly handles offline or online registration and access management for the secondary key management systems 2, and the exchange of key data between different secondary subsystems. The secondary key management system 2 provides key life-cycle management services directly to the business systems. With this hierarchical, distributed key management solution under a complex network, the key management system can be deployed hierarchically and by domain, which copes well with deployment in a large-scale complex network: keys in different areas are isolated, so that when a key in one area is disclosed the other areas are not affected; applications access the nearest key management system, which improves the quality of service of the key management system and benefits the customer.
Example 2:
based on embodiment 1 and referring to fig. 3: the key management system reads the service key record [ , E(SMKi, SK)] from its database 3 using the key identifier ID, then uses its own cryptographic operation resource to transcrypt the user service key [ , E(SMKi, SK)] into [ , E(KM-KEKm, SK)], which cryptographic server resource m can use directly.
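The key hierarchy of Examples 1 and 2 (system master key SMKi protecting keys at rest, system authentication key over the key binding information, key-management encryption key KM-KEKm protecting keys in transit, and the transcryption of a service key from the first to the last) carried through end to end, as an added Python example that is not part of the patent or the applicant's code. The wrapping primitive, the domain and resource names and the `sk-0001` identifier are constructed stand-ins; a real deployment would use an AEAD or a key-wrap algorithm in place of the HMAC-based construction here.

```python
import hashlib
import hmac
import secrets
# Constructed stand-in for an AEAD / key-wrap primitive (use AES-GCM or AES key wrap in a real KMS).
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap(kek, plaintext, aad=b""):
    """E(kek, plaintext) bound to aad; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(kek, nonce, len(plaintext))))
    tag = hmac.new(kek, b"mac" + nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek, blob, aad=b""):
    """Inverse of wrap(); raises ValueError under the wrong KEK, wrong aad or after tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"mac" + nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key blob failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(kek, nonce, len(ct))))

class KeyManagementDomain:
    """One secondary key management system, i.e. one isolated key domain i."""
    def __init__(self, domain_id):
        self.domain_id = domain_id
        self.smk = secrets.token_bytes(32)  # SMK_i: protects keys at rest, never exported
        self.sak = secrets.token_bytes(32)  # SAK_i: check value over key binding information
        self.db = {}                        # key_id -> (owner, E(SMK_i, SK), check value)
        self.km_keks = {}                   # resource m -> KM-KEK_m (set up at registration)
    def _binding(self, key_id, owner):
        return f"{self.domain_id}|{key_id}|{owner}".encode()
    def store_service_key(self, key_id, owner, sk):
        """Persist [ID, E(SMK_i, SK)] together with the SAK check value over the binding info."""
        binding = self._binding(key_id, owner)
        check = hmac.new(self.sak, binding, hashlib.sha256).digest()
        self.db[key_id] = (owner, wrap(self.smk, sk, aad=binding), check)
    def register_resource(self, resource_id):
        """Stands in for the device-key-pair channel negotiation; yields KM-KEK_m."""
        self.km_keks[resource_id] = secrets.token_bytes(32)
        return self.km_keks[resource_id]
    def transcrypt_for_resource(self, key_id, resource_id):
        """[ID, E(SMK_i, SK)] -> E(KM-KEK_m, SK); SK exists in the clear only inside the KMS."""
        owner, wrapped, check = self.db[key_id]
        binding = self._binding(key_id, owner)
        if not hmac.compare_digest(check, hmac.new(self.sak, binding, hashlib.sha256).digest()):
            raise ValueError(f"binding check failed for {key_id}")
        sk = unwrap(self.smk, wrapped, aad=binding)
        return wrap(self.km_keks[resource_id], sk, aad=key_id.encode())

def load_at_resource(km_kek, key_id, blob):
    """Cryptographic server resource m recovers SK from E(KM-KEK_m, SK) directly."""
    return unwrap(km_kek, blob, aad=key_id.encode())

def demo():
    """Constructed walk-through; returns which of the patent's security properties held."""
    east, west = KeyManagementDomain("east"), KeyManagementDomain("west")
    sk = secrets.token_bytes(16)                        # constructed service key SK
    east.store_service_key("sk-0001", "app-pay", sk)
    kek_m = east.register_resource("crypto-server-m")
    blob = east.transcrypt_for_resource("sk-0001", "crypto-server-m")
    results = {"roundtrip": load_at_resource(kek_m, "sk-0001", blob) == sk}
    owner, wrapped, check = east.db["sk-0001"]
    try:                                                # domain isolation: west's SMK cannot open it
        unwrap(west.smk, wrapped, aad=east._binding("sk-0001", owner))
        results["isolated"] = False
    except ValueError:
        results["isolated"] = True
    east.db["sk-0001"] = ("app-other", wrapped, check)  # re-point the record to another owner
    try:
        east.transcrypt_for_resource("sk-0001", "crypto-server-m")
        results["binding_checked"] = False
    except ValueError:
        results["binding_checked"] = True
    return results
```

The `isolated` result is the property the patent claims for domain division: a record wrapped under one domain's SMK is useless to another domain, and the `binding_checked` result shows why the check value is stored alongside the wrapped key.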
Example 3:
based on embodiment 2 and referring to fig. 4: the cryptographic service system is deployed nearby, that is, at the location closest to the application; the cryptographic service registers with the nearest key management system, and the escrowed keys that the cryptographic service system uses for its operations are supplied by the key management system with which it registered.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various changes and modifications can be made without departing from the inventive concept of the present invention, and these changes and modifications are all within the scope of the present invention.

Claims (10)

1. A distributed key hierarchical management system under a complex network, characterized in that it comprises a primary key management system (1), a secondary key management system (2) and a database (3), wherein:
the primary key management system (1) is used for encrypting the service key and obtaining the encrypted service key again;
the secondary key management system (2) is used for registering with the primary key management system (1) and exchanging the public key certificates of both parties;
the database (3) is used for storing service keys;
the primary key management system (1) is bidirectionally connected with the secondary key management system (2), and the secondary key management system (2) is bidirectionally connected with the database (3).
2. The distributed hierarchical key management system under complex network according to claim 1, wherein the secondary key management system (2) is further configured to read the service key from the database (3).
3. The distributed hierarchical key management system under a complex network according to claim 1, wherein the primary key management system (1) and the secondary key management system (2) each include a system key unit, a service key unit and a key-management encryption key (KM-KEK) module, and wherein:
the system key unit is used for encrypting various cryptographic resources and computing their check values;
the service key unit is used for encryption and cryptographic operations;
the key-management encryption key module is used for encryption protection of keys and sensitive information while they are in transit.
4. The distributed hierarchical key management system under a complex network according to claim 3, wherein the primary key management system (1) and the secondary key management system (2) each further include a device key pair module:
the device key pair module is used for authentication between different devices and for negotiating the keys of the encrypted channel between them.
5. The distributed hierarchical key management system according to claim 3, wherein the device key pair module performs authentication and encrypted-channel negotiation between different devices using a device public/private key pair, and the device public and private keys are stored statically, as ciphertext, in a secure storage area of the device.
6. The distributed hierarchical key management system according to claim 4, wherein the system key unit includes a system master key module and a system authentication key module:
the system master key module is used for encrypting the various cryptographic resources in the system and in the database (3);
the system authentication key module is used for computing the check value over the user's key binding information.
7. The distributed hierarchical key management system under a complex network according to claim 6, wherein the system authentication key module is further configured to store the computed check value in the database (3) as ciphertext.
8. The distributed hierarchical key management system according to claim 6, wherein the service key unit includes an encryption symmetric key module and a message authentication key module, and wherein:
the encryption symmetric key module is used for encryption and authentication operations on the services of a user or application;
the message authentication key module is used for authentication operations with the service key of a user or application.
9. The distributed hierarchical key management system according to claim 6, wherein the various cryptographic resources include the symmetric keys of a user or application and the private keys of their asymmetric key pairs.
10. The distributed hierarchical key management system under a complex network according to claim 8, wherein the results of the encryption and authentication operations of the encryption symmetric key module are encrypted by the system master key module before being stored in the database (3).

Priority Applications (1)

Application Number Priority Date Filing Date Title Status Publication
CN202011599383.0A 2020-12-30 2020-12-30 Distributed key hierarchical management system under complex network Pending CN112713994A (en)

Publications (1)

Publication Number Publication Date
CN112713994A 2021-04-27

Family

ID=75546647

Country Status (1)

Country Link
CN (1) CN112713994A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050138374A1 (en) * 2003-12-23 2005-06-23 Wachovia Corporation Cryptographic key backup and escrow system
CN109687956A (en) * 2018-12-11 2019-04-26 北京数盾信息科技有限公司 (Beijing Shudun Information Technology Co ltd) A system that uniformly provides key management and key computation services to clients
CN112054901A (en) * 2020-09-01 2020-12-08 郑州信大捷安信息技术股份有限公司 Key management method and system supporting multiple key systems

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Dai Qianyi et al.: "A blockchain-based key management scheme for distributed network environments", 《网络与信息安全学报》 (Chinese Journal of Network and Information Security) *
Chen Jing et al.: "Design of a key management module for distributed databases", 《商场现代化》 (Market Modernization) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20210427)