CN114124373A - Video key management method and system for automatic backup and recovery - Google Patents

Publication number: CN114124373A
Authority: CN (China)
Application number: CN202111290691.XA
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 林宁, 陈木来, 彭涛, 陈国钦, 邱炳发
Assignees: GUANGDONG ELECTRONIC CERTIFICATION AUTHORITY; Guangdong Communications Services Co Ltd
Prior art keywords: key, backup, party, video, key backup

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key

Abstract

The invention discloses a video key management method and system for automatic backup and recovery. The method comprises the following steps: the key generation party deploys a key backup service module and a key backup library on each key backup party; the key generation party authorizes each key backup party to receive the key backup package, and each key backup party in turn authorizes the key generation party to distribute and obtain the key backup package; the key generation party assembles a key backup package, encrypts it, and sends it to each authorized key backup party, which stores it in its key backup library as the key backup; during video on demand, the key user obtains the historical backup key from the key backup library on the current-level platform, decrypts the video and plays it; and when the key generation party requests recovery, key recovery is carried out through the key backup party. Through multi-node, multi-mode key backup, the method effectively prevents historical keys from being lost, solves the availability problem of encrypted videos, and offers protection against single points of failure, confidentiality and integrity protection of keys, and fast key retrieval.

Description

Video key management method and system for automatic backup and recovery
Technical Field
The invention belongs to the technical field of video key management, and particularly relates to a video key management method and system for automatic backup and recovery.
Background
In November 2018, the national standardization administration committee of China issued "GB 35114-2017 public safety video monitoring networking information safety technical requirement", which is a mandatory national standard for video monitoring networking information safety. The standard grades the front-end monitoring equipment and requires that C-level equipment support bidirectional identity authentication with the management platform based on digital certificates, video data signing, and video data encryption, so that identities are genuine, video can be shown to come from genuine equipment, tampering with video content can be detected, and video content is protected by encryption. For the keys used in video data encryption, the standard requires that the update period of the video key encryption key VKEK be no more than 1 day and that the update period of the video encryption key VEK be no more than 1 hour. The VEK encrypts the video stream and the VKEK encrypts the VEK; the VEK is randomly generated by the front-end monitoring equipment, while the VKEK is generated by the key management system at the platform end, encrypted with the public key of the front-end monitoring equipment, and distributed to that equipment. Since the platform end interfaces with many front-end monitoring devices, and each device needs at least one VKEK per day, a large number of VKEKs are generated.
These security requirements bring a new problem: once a VKEK is lost, the recorded video cannot be decrypted and played. Although the key management systems (KMS) commonly available on the market can generate, store, distribute, back up and recover symmetric keys, their key backup and recovery depend on manual operation and cannot meet the fast-recovery requirement needed to support real-time video playback. In addition, a KMS identifies keys in a flat manner, so when a massive number of keys must be searched the user waits a long time and video on demand stutters noticeably.
When a video-on-demand user on an upper-level platform requests a historical encrypted video from a lower-level platform, the products of most current manufacturers generate a new VKEK on the lower-level platform and use it to re-encrypt the video encryption keys VEK in the encrypted video, assembling a new video file. The new VKEK is then encrypted with the public key of the upper-level platform and distributed to it. Because video data is very large, this processing puts heavy pressure on server performance, so video on demand stutters severely and the user experience suffers.
Disclosure of Invention
The invention mainly aims to overcome the defects and shortcomings of the prior art and provide a video key management method and system for automatic backup and recovery.
In order to achieve the purpose, the invention adopts the following technical scheme:
the invention provides a video key management method for automatic backup and recovery, which comprises the following steps:
the key generation party deploys a key backup service module and a key backup library on each key backup party;
the key generation party authorizes each key backup party to receive the key backup package, and meanwhile, each key backup party authorizes the key generation party to distribute and obtain the key backup package;
the key generation party assembles a key backup package according to the data format of the key backup library, encrypts the key backup package, distributes the encrypted key backup package to the key backup service modules of the authorized key backup parties through the key backup service modules, stores the encrypted key backup package into the key backup library of the key backup party and backs up the key;
when video on demand needs to use a backup key, the key user obtains the historical backup key from the key backup library on the current-level platform, decrypts the video and then plays it;
when the key generation party requests recovery, key recovery is carried out through the key backup party: after receiving the request, the key backup party decrypts its key backup library and re-encrypts it into a new key backup library, which is sent to the key generation party through the key backup service module of the key backup party; the key generation party decrypts the new key backup library and merges it into the local key backup library.
Preferably, the key generation party refers to a video key management system that generates the video key encryption key VKEK, and the key backup party refers to equipment or personnel that perform key backup in cooperation with the key generation party, including a signaling server and gateway, a key administrator terminal, and an upper-level video key management system.
Preferably, the key generation party authorizes each key backup party to receive the key backup package, and the specific authorization configuration parameters include: the name of the key backup party, the access mode of the key backup party, the access address of the key backup party, the key encryption public key or certificate of the key backup party, the signature public key or certificate, and the selection threshold identification;
the key backup party authorizes the key generation party to distribute and obtain the key backup package, and the specific authorization configuration parameters include: the name of the key generation party, the IP of the key generation party, the signature public key or certificate of the key generation party, and the encryption public key or certificate.
Preferably, the data format of the key backup library adopts a directory hierarchy structure, and includes four levels of directories, wherein the first level directory is the ID of the current level platform, the second level directory is the IDs of all front-end monitoring devices connected to the current level platform, the third level directory is all key version numbers of a certain front-end device, the fourth level is each key backup file, and the public key ID of each key backup party is used as a file name;
the information in the key backup file includes: platform number PlatformID, front-end device number DevID, key version number KeyVersion, key generation time KeyCreateTime, key algorithm identification KeyAlgID, key backup party public key identification BackupKeyID, encrypted key EncryptedKey, threshold identification ThresholdID, the threshold parameters m and t, key generation party public key identification CreatorKeyID, and key generation party signature Signature.
Preferably, storing the package in the key backup library of the key backup party to perform key backup specifically includes:
at a set time, the key generation party assembles a key backup package for all video key encryption keys VKEK of the previous day according to the data format of the key backup library, encrypts each VKEK with the public key of the key backup party, and puts the result in the encrypted key EncryptedKey field of the data format; if threshold division is involved, the VKEK is divided into m fragments according to the threshold parameters, each fragment is encrypted with the public key of a key administrator and put in the EncryptedKey field, and finally the package is signed with the private key of the key generation party;
the key generation party, through its key backup service module, distributes the assembled key backup package to the key backup service module of each authorized key backup party by HTTP POST or Email;
after receiving the key backup packet sent by the key generator, the key backup party authenticates the IP of the key generator and then verifies the signature by using the certificate of the key generator;
the key backup party performs incremental combination on the received key backup package and the previous key backup package to form a full-amount key backup library of the node, and then performs safe backup;
and the key backup party informs the key generation party that the key backup of the node is successful.
Preferably, when the video-on-demand needs to use the backup key, the key user obtains the historical backup key in the key backup library on the current-level platform, decrypts the video, and plays the video, specifically:
when the video playing terminal plays the history encrypted video file, acquiring the ID and the VKEK version number of the front-end monitoring equipment through the SVAC video file;
the video playing terminal transmits a public key of the video playing terminal, a front-end monitoring device ID and a VKEK version number through a signaling server of the current-stage platform to obtain the VKEK;
the signaling server of the current-level platform authenticates the video playing terminal;
after the authority is determined, the signaling server of the platform transmits a public key of a video playing terminal, a front-end monitoring device ID and a VKEK version number to a video key management system of the platform to obtain the VKEK;
the video key management system of the platform acquires the designated VKEK from the key backup library according to the ID of the front-end monitoring equipment and the key version number, decrypts by adopting the private key of the platform, and encrypts the VKEK by using the public key of the video playing terminal;
the video key management system of the platform returns the encrypted VKEK through the key backup service module of the platform;
the video playing terminal decrypts VKEK by using a private key of the video playing terminal, decrypts a video encryption key VEK by using the VKEK, and then plays the video after decrypting the encrypted video by using the VEK.
Preferably, the key recovery by the key backup party specifically includes:
the key generation side sends a recovery request to the key backup side;
after receiving the request, the key backup party authenticates the IP and the certificate of the key generation party, searches a key backup library of the key backup party after the request is passed, decrypts the key by using a private key of the key backup party, encrypts the key by using a public key of the key generation party, and generates a new key backup packet;
the key backup party returns a new key backup package to the key generation party;
the key generation party parses the new key backup package and decrypts the encrypted key EncryptedKey field in it with its own private key; if a threshold parameter is involved, the result is combined with the key fragments decrypted by the other key administrators;
and the key generation party merges the decrypted key backup information and the local key backup library, and the key backup library is successfully recovered.
Preferably, when the key recovery is performed, the manual recovery by a key administrator is supported, specifically:
using Shamir threshold cryptography, the VKEK generated by the key generation party is divided into m fragments stored by m key administrators, and at key recovery the VKEK can be recovered only when t key administrators (0 < t ≤ m) provide their VKEK fragments.
The invention also provides a video key management system for automatic backup and recovery, which is applied to the video key management method for automatic backup and recovery and comprises a deployment module, an authorization module, a backup module, a use module and a recovery module;
the deployment module is used for the key generation party to deploy the key backup service module and the key backup library on each key backup party;
the authorization module is used for authorizing each key backup party to receive the key backup package by the key generation party, and simultaneously authorizing the key generation party to distribute and obtain the key backup package by each key backup party;
the backup module is used for the key generation party to distribute the key backup information to each key backup party for key backup;
the using module is used for acquiring a video key and decrypting and playing a video when the video is requested;
and the recovery module is used for acquiring the key backup packages of the key backup parties and combining the key backup packages into a local key backup library when the key generation party requests recovery.
Still another aspect of the present invention provides a computer-readable storage medium storing a program which, when executed by a processor, implements an automatic backup and restore video key management method.
Compared with the prior art, the invention has the following advantages and beneficial effects:
1. according to the invention, through multi-node and multi-mode key backup of a current-level platform, a superior-level platform, a manual mode and the like, historical keys are effectively prevented from being lost, and the problem of availability of encrypted videos is solved;
2. the key backup library format of the directory structure in the invention is more in line with the management logic of the video key, and is more beneficial to quickly retrieving the historical key to decrypt and play the encrypted video;
3. the invention supports the key backup and recovery in an automatic mode, accelerates the key backup and recovery speed, reduces the labor cost and meets the requirement of video on demand real-time performance;
4. authorized platforms can share keys through key backup, so that the platforms can decrypt each other's encrypted videos; encrypted video does not have to be decrypted and then re-encrypted in transit, which effectively reduces the burden on equipment and the network.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a flowchart of a video key management method for automatic backup and recovery according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a key backup service module according to an embodiment of the present invention;
FIG. 3 is a data format diagram of a key backup repository according to an embodiment of the present invention;
FIG. 4 is a flowchart of key backup distribution according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating the use of the key backup according to an embodiment of the present invention;
FIG. 6 is a flowchart of key recovery according to an embodiment of the present invention;
FIG. 7 is a block diagram of a video key management system with automatic backup and recovery according to an embodiment of the present invention;
FIG. 8 is a structural diagram of a computer-readable storage medium according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
As shown in fig. 1, in an embodiment of the present application, there is provided an automatic backup and restore video key management method, including the following steps:
S1, the key generation party deploys a key backup service module and a key backup library on each key backup party;
more specifically, the key generation party is a video key management system that generates the video key encryption key VKEK; the key backup party refers to equipment or personnel that perform key backup in cooperation with the key generation party, such as a signaling server and gateway, a key administrator terminal, an upper-level video key management system, and the like.
More specifically, as shown in fig. 2, the key backup parties include a video key management system, a signaling server and gateway, and a key administrator terminal, and a key backup service module is deployed on each of them for distributing and receiving key backup packages (a key backup package is a subset of a key backup library). The video key management system generates the video key encryption key VKEK of the platform and distributes it to the front-end monitoring equipment for use; it also packages key backup packages through its key backup service module and distributes them to the key backup service modules of other network nodes for key backup. When the video key management system is restored after a fault, its key backup service module obtains the key backup packages from the key backup service modules of the other network nodes to recover the keys.
S2, the key generator authorizes each key backup party to receive the key backup package, and meanwhile, each key backup party authorizes the key generator to distribute and obtain the key backup package;
more specifically, the configuration parameters with which the key generation party authorizes each key backup party include: the name of the key backup party (such as "current-level signaling server", "upper-level key management system", "key administrator Zhang San" and the like), the access mode of the key backup party (such as "HTTP POST" or "Email"), the access address of the key backup party (such as a URL or Email address), the key encryption public key or certificate of the key backup party (required), the signature public key or certificate (may be empty), and the selection threshold identification (may be empty);
the configuration parameters with which each key backup party authorizes the key generation party include: the name of the key generation party (e.g., "current-level key management system", "lower-level key management system", etc.), the IP of the key generation party, the signature public key or certificate of the key generation party, and the encryption public key or certificate.
S3, the key generation party assembles a key backup package according to the data format of the key backup library, encrypts it, and distributes it through its key backup service module to the key backup service module of each authorized key backup party, where it is stored in the key backup library of the key backup party to perform key backup;
more specifically, as shown in fig. 3, the data format of the key backup library adopts a directory hierarchy, so that the historical key of a designated front-end monitoring terminal can be found conveniently and quickly; compared with a flat database table format, it has a clear logical hierarchy and high key retrieval speed. The first-level directory of the key backup library is the ID of the platform, the second-level directory is the IDs of all front-end monitoring devices connected to the platform, the third-level directory is all key version numbers of a given front-end device, and the fourth level is the individual key backup files, each named with the public key ID of the key backup party. Each key backup file contains the following information: platform number PlatformID, front-end device number DevID, key version number KeyVersion, key generation time KeyCreateTime, key algorithm identification KeyAlgID, key backup party public key identification BackupKeyID, encrypted key EncryptedKey, threshold identification ThresholdID (may be empty), the threshold parameters m and t (may be empty), key generation party public key identification CreatorKeyID, and key generation party signature Signature (a signature over the data). The key backup package is a subset of the key backup library.
More specifically, as shown in fig. 4, the key backup specifically includes the following steps:
S31, at a set time (such as 0:00 in the morning), the key generation party assembles a key backup package for all video key encryption keys VKEK of the previous day according to the data format of the key backup library, encrypts each VKEK with the public key of the key backup party, and puts the result in the encrypted key EncryptedKey field of the data format; if threshold division is involved, the VKEK is divided into m fragments according to the threshold parameters, each fragment is encrypted with the public key of a key administrator and put in the EncryptedKey field, and the package is signed with the private key of the key generation party;
S32, the key generation party, through its key backup service module, distributes the assembled key backup package to the key backup service module of each authorized key backup party by HTTP POST or Email;
S33, after receiving the key backup package sent by the key generation party, the key backup party first authenticates the IP of the key generation party and then verifies the signature with the certificate of the key generation party to ensure the integrity of the data;
S34, the key backup party incrementally merges the received key backup package with the previous key backup packages to form the full key backup library of the node, and then backs it up securely;
S35, the key backup party notifies the key generation party that the key backup on this node succeeded.
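The four-level key backup library layout and the incremental merge of step S34 can be sketched as follows. This is an added example, not code from the patent: the on-disk JSON encoding, the allowed ID character set, the never-overwrite policy and the `verify` hook (a stand-in for the S33 signature check against the key generation party's certificate) are assumptions, and the sample records are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Field names are the ones the description lists for a key backup file.
REQUIRED = ("PlatformID", "DevID", "KeyVersion", "KeyCreateTime", "KeyAlgID",
            "BackupKeyID", "EncryptedKey", "CreatorKeyID", "Signature")

# IDs arrive in a package from another node and become directory names, so
# they are restricted to a conservative character set (assumed policy).
_SAFE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def _component(value):
    text = str(value)
    if not _SAFE.fullmatch(text):
        raise ValueError(f"unsafe path component: {text!r}")
    return text


def record_path(root, rec):
    """PlatformID / DevID / KeyVersion / <BackupKeyID> under root."""
    return (Path(root) / _component(rec["PlatformID"]) / _component(rec["DevID"])
            / _component(rec["KeyVersion"]) / _component(rec["BackupKeyID"]))


def merge_package(root, package, verify):
    """Incrementally merge a key backup package (list of records) into root.

    verify(rec) -> bool is a hypothetical hook standing in for checking the
    key generation party's Signature with its certificate (step S33).
    Returns counts of added, unchanged and rejected records.
    """
    result = {"added": 0, "unchanged": 0, "rejected": 0}
    for rec in package:
        try:
            if any(k not in rec for k in REQUIRED) or not verify(rec):
                raise ValueError("missing field or bad signature")
            path = record_path(root, rec)
        except ValueError:
            result["rejected"] += 1
            continue
        body = json.dumps(rec, sort_keys=True)
        if path.exists():
            # Assumed policy: a stored historical key is never overwritten.
            outcome = "unchanged" if path.read_text() == body else "rejected"
            result[outcome] += 1
            continue
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        result["added"] += 1
    return result


def lookup(root, platform_id, dev_id, key_version, backup_key_id):
    """Fetch one record by direct path; no scan over other devices or versions."""
    try:
        path = record_path(root, {"PlatformID": platform_id, "DevID": dev_id,
                                  "KeyVersion": key_version,
                                  "BackupKeyID": backup_key_id})
    except ValueError:
        return None
    return json.loads(path.read_text()) if path.is_file() else None


def _sample(dev, version, enc="ciphertext-placeholder"):
    # Constructed sample record; EncryptedKey is an opaque placeholder.
    return {"PlatformID": "P001", "DevID": dev, "KeyVersion": version,
            "KeyCreateTime": "2021-11-01T00:00:00", "KeyAlgID": "alg-placeholder",
            "BackupKeyID": "BK01", "EncryptedKey": enc,
            "CreatorKeyID": "CK01", "Signature": "constructed"}


def demo():
    verify = lambda rec: rec["Signature"] == "constructed"  # placeholder check
    with tempfile.TemporaryDirectory() as root:
        day1 = [_sample("cam-01", "v1"), _sample("cam-02", "v1")]
        day2 = [
            _sample("cam-01", "v1"),                              # already stored
            _sample("cam-01", "v2"),                              # new version
            _sample("../../etc", "v1"),                           # unsafe DevID
            dict(_sample("cam-02", "v2"), Signature="tampered"),  # fails verify
            _sample("cam-02", "v1", enc="other"),                 # would overwrite
        ]
        r1 = merge_package(root, day1, verify)
        r2 = merge_package(root, day2, verify)
        hit = lookup(root, "P001", "cam-01", "v2", "BK01")
        miss = lookup(root, "P001", "cam-03", "v1", "BK01")
        return r1, r2, hit, miss


if __name__ == "__main__":
    print(demo())
```

Because the device ID and key version map directly to a path, the lookup used in video on demand touches one file regardless of how many VKEKs the node holds.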
S4, when the video on demand needs to use the backup key, the key user obtains the historical backup key in the key backup library on the platform, and plays the video after decrypting the video;
more specifically, because the lower platform regularly backs up the video key to the upper platform, and the upper platform can acquire the historical backup key of the lower platform from the video key management system of the current stage to perform decryption and playing, the performance pressure of the method on the server is very small, video on demand blocking cannot be caused, and the user experience is obviously superior to that of products of most manufacturers.
As shown in fig. 5, the using steps of the backup key are:
S41, when the video playing terminal plays a historical encrypted video file, it obtains the front-end monitoring device ID and the VKEK version number from the SVAC video file;
S42, the video playing terminal sends its public key, the front-end monitoring device ID and the VKEK version number through the signaling server of the current-level platform to request the VKEK;
S43, the signaling server of the current-level platform checks the permissions of the video playing terminal;
S44, after the permission check passes, the signaling server of the platform forwards the public key of the video playing terminal, the front-end monitoring device ID and the VKEK version number to the video key management system of the platform to request the VKEK;
S45, the video key management system of the platform retrieves the designated VKEK from the key backup library according to the front-end monitoring device ID and the key version number, decrypts it with the private key of the platform, and encrypts the VKEK with the public key of the video playing terminal;
S46, the video key management system of the platform returns the encrypted VKEK through the key backup service module of the platform;
S47, the video playing terminal decrypts the VKEK with its own private key, decrypts the video encryption key VEK with the VKEK, then decrypts the encrypted video with the VEK and plays it.
S5, when the key generation party requests recovery, key recovery is carried out through the key backup party: after receiving the request, the key backup party decrypts its key backup library and re-encrypts it into a new key backup library, which is sent to the key generation party through the key backup service module of the key backup party; the key generation party decrypts the new key backup library and merges it into the local key backup library.
More specifically, as shown in fig. 6, the backup key recovery steps are:
S51, the key generation party sends a recovery request to the key backup party;
S52, after receiving the request, the key backup party authenticates the IP and certificate of the key generation party; once authentication passes, it searches its key backup library, decrypts it with its own private key, and re-encrypts it with the public key of the key generation party to generate a new key backup library;
S53, the key backup party returns the new key backup library through its key backup service module;
S54, the key generation party parses the new key backup library and decrypts the encrypted key EncryptedKey field in it with its own private key; if a threshold parameter is involved, the result is combined with the key fragments decrypted by the other key administrators;
S55, the key generation party merges the decrypted key backup information into the local key backup library, and the key backup library is successfully recovered.
More specifically, the backup key recovery of this embodiment also supports manual recovery by a key administrator, which specifically includes:
using Shamir threshold cryptography, the VKEK generated by the key generation party is divided into m fragments stored by m key administrators, and at key recovery the VKEK can be recovered only when t key administrators (0 < t ≤ m) provide their VKEK fragments.
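The (t, m) threshold split described above, as an added example that is not part of the patent text. It covers only the Shamir split and recovery; encrypting each fragment with a key administrator's public key, as the description requires, is left out. The field prime, the 16-byte sample VKEK and the function names are assumptions.

```python
import secrets

# Mersenne prime 2**521 - 1; the field must be larger than any key value.
PRIME = 2**521 - 1


def split_secret(secret, m, t):
    """Split `secret` (bytes) into m shares; any t recover it, 0 < t <= m."""
    if not 0 < t <= m:
        raise ValueError("threshold must satisfy 0 < t <= m")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret does not fit in the field")
    # Random polynomial of degree t-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    shares = []
    for x in range(1, m + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares, length):
    """Lagrange-interpolate f(0) from (x, y) shares; return `length` bytes."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        s = (s + yi * num * pow(den, -1, PRIME)) % PRIME
    if s >= 1 << (8 * length):
        # Too few or corrupted shares usually yield a value outside key range.
        raise ValueError("shares do not reconstruct a key of this length")
    return s.to_bytes(length, "big")


def try_recover(shares, length):
    """Return the recovered key, or None when reconstruction fails."""
    try:
        return recover_secret(shares, length)
    except ValueError:
        return None


def demo():
    # Constructed 16-byte VKEK with a leading zero byte, to show that the
    # explicit length preserves it through the integer round trip.
    vkek = bytes.fromhex("00112233445566778899aabbccddeeff")
    shares = split_secret(vkek, m=5, t=3)
    any_three = try_recover([shares[4], shares[1], shares[2]], len(vkek))
    only_two = try_recover(shares[:2], len(vkek))
    return vkek, any_three, only_two


if __name__ == "__main__":
    vkek, any_three, only_two = demo()
    print(any_three == vkek, only_two == vkek)
```

With fewer than t fragments the interpolation yields an unrelated field element, which is why m and t are recorded in the key backup file alongside the fragment.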
It should be noted that, for the sake of simplicity, the foregoing method embodiments are described as a series of acts or combinations, but those skilled in the art should understand that the present invention is not limited by the described order of acts, as some steps may be performed in other orders or simultaneously according to the present invention.
Based on the same idea as the video key management method for automatic backup and recovery in the above embodiment, the present invention further provides a video key management system for automatic backup and recovery, which can be used to execute the above method. For convenience of illustration, the structural diagram of an embodiment of the video key management system for automatic backup and recovery shows only the parts related to the embodiment of the present invention; those skilled in the art will understand that the illustrated structure does not constitute a limitation on the apparatus, which may include more or fewer components than illustrated, combine some components, or arrange the components differently.
In another embodiment of the present application, as shown in fig. 7, there is provided an automatic backup and restore video key management system 100, which comprises at least the following modules:
a deployment module 101, configured to deploy, by a key generator, a key backup service module and a key backup library on each key backup party;
the authorization module 102 is used for the key generation party to authorize each key backup party to receive the key backup package, and meanwhile, each key backup party authorizes the key generation party to distribute and obtain the key backup package;
the backup module 103 is used for the key generation party to distribute the key backup information to each key backup party for key backup;
the using module 104 is used for acquiring a video key and decrypting a video for playing when the video is requested;
and the recovery module 105 is configured to, when the key generator requests recovery, obtain the key backup libraries of the key backup parties and merge the key backup libraries into the local key backup library.
It should be noted that the video key management system for automatic backup and recovery of the present invention corresponds one-to-one to the video key management method for automatic backup and recovery of the present invention. The technical features and beneficial effects described in the embodiments of the method all apply to the embodiments of the system; for specific contents, refer to the description in the method embodiments, which is not repeated here.
In addition, in the implementation of the video key management system for automatic backup and recovery in the above embodiment, the logical division of each program module is only an example, and in practical applications, the above function distribution may be performed by different program modules according to needs, for example, due to the configuration requirement of corresponding hardware or the convenience of implementation of software, that is, the internal structure of the video key management system for automatic backup and recovery is divided into different program modules to perform all or part of the above described functions.
As shown in fig. 8, in an embodiment, a computer-readable storage medium 200 is further provided, which stores a program in a memory 201, and when the program is executed by a processor, the processor 202 implements the method for managing video keys for automatic backup and recovery, specifically:
the key generation party deploys a key backup service module and a key backup library on each key backup party;
the key generation party authorizes each key backup party to receive the key backup package, and meanwhile, each key backup party authorizes the key generation party to distribute and obtain the key backup package;
the key generation party assembles a key backup package according to the data format of the key backup library, encrypts the key backup package, distributes the encrypted key backup package to the key backup service modules of the authorized key backup parties through the key backup service modules, stores the encrypted key backup package into the key backup library of the key backup party and backs up the key;
when video on demand needs to use a backup key, the key user obtains the historical backup key from the key backup library on the current-level platform, decrypts the video, and plays it;
when the key generation party requests recovery, the key is recovered through the key backup party: after receiving the request, the key backup party decrypts its key backup library and re-encrypts it into a new key backup library, which is sent to the key generation party through the key backup service module of the key backup party; the key generation party decrypts the new key backup library sent by the key backup party and merges it into the local key backup library.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a non-volatile computer-readable storage medium, and can include the processes of the embodiments of the methods described above when the program is executed. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above embodiments are preferred embodiments of the present invention, but the present invention is not limited to the above embodiments, and any other changes, modifications, substitutions, combinations, and simplifications which do not depart from the spirit and principle of the present invention should be construed as equivalents thereof, and all such changes, modifications, substitutions, combinations, and simplifications are intended to be included in the scope of the present invention.

Claims (10)

1. A video key management method for automatic backup and recovery is characterized by comprising the following steps:
the key generation party deploys a key backup service module and a key backup library on each key backup party;
the key generation party authorizes each key backup party to receive the key backup package, and meanwhile, each key backup party authorizes the key generation party to distribute and obtain the key backup package;
the key generation party assembles a key backup package according to the data format of the key backup library, encrypts the key backup package, distributes the encrypted key backup package to the key backup service modules of the authorized key backup parties through the key backup service modules, stores the encrypted key backup package into the key backup library of the key backup party and backs up the key;
when video on demand needs to use a backup key, the key user obtains the historical backup key from the key backup library on the current-level platform, decrypts the video, and plays it;
when the key generation party requests recovery, the key is recovered through the key backup party: after receiving the request, the key backup party decrypts its key backup library and re-encrypts it into a new key backup library, which is sent to the key generation party through the key backup service module of the key backup party; the key generation party decrypts the new key backup library sent by the key backup party and merges it into the local key backup library.
2. The method for managing video keys for automatic backup and recovery according to claim 1, wherein the key generator is a video key management system that generates a video key encryption key VKEK, and the key backup party is a device or a person that performs key backup in cooperation with the key generator, and includes a signaling server and a gateway, a key manager terminal, and an upper layer video key management system.
3. The method for managing video keys for automatic backup and recovery according to claim 1, wherein the key generator authorizes each key backup party to receive a key backup package, and the specific authorization configuration parameters include: a key backup party name, an access mode of the key backup party, an access address of the key backup party, a key encryption public key or certificate of the key backup party, a signature public key or certificate, and a selection threshold identification;
the key backup party authorizes the key generator to distribute and obtain the key backup package, and the specific authorization configuration parameters comprise: a name of the key generator, an IP of the key generator, a signature public key or certificate of the key generator, an encryption public key or certificate.
4. The video key management method for automatic backup and recovery according to claim 1, wherein the data format of the key backup library adopts a directory hierarchy with four levels, wherein the first-level directory is the ID of the current-level platform, the second-level directory is the ID of each front-end monitoring device connected to the current-level platform, the third-level directory is each key version number of a given front-end device, and the fourth level holds the key backup files, each named with the public key ID of the corresponding key backup party;
the information in the key backup file includes: platform number platformID, front-end device number DevID, key version number KeyVersion, key generation time KeyCreateTime, key algorithm identification KeyAlgID, key backup party public key identification BackupKeyID, encrypted key EncryptedKey, threshold identification ThresholdID, m and t of the threshold, key generation party public key identification CreatorKeyID, and key generation party Signature Signature.
5. The method for managing video keys for automatic backup and recovery according to claim 4, wherein the key backup is stored in a key backup library of a key backup party, specifically:
at a set time, the key generation party assembles a key backup package for all video key encryption keys VKEK of the previous day according to the data format of the key backup library, encrypts each VKEK with the public key of the key backup party and puts the result in the encrypted key EncryptedKey field of the data format; if threshold division is involved, the VKEK is divided into m fragments according to the threshold parameters, the fragments are encrypted with the public keys of the key administrators and put into the encrypted key EncryptedKey field of the data format; finally the package is signed with the private key of the key generator;
the key generation party distributes the assembled key backup package to the key backup service module of each authorized key backup party by HTTP POST or Email through the key backup service module;
after receiving the key backup package sent by the key generator, the key backup party authenticates the IP of the key generator and then verifies the signature by using the certificate of the key generator;
the key backup party incrementally merges the received key backup package with the previous key backup packages to form the full key backup library of the node, and then performs a secure backup;
and the key backup party informs the key generation party that the key backup of the node is successful.
6. The video key management method for automatic backup and recovery according to claim 1, wherein when the backup key is needed for video on demand, the key user obtains the historical backup key in the key backup library on the current-level platform, decrypts the video, and plays the video, specifically:
when the video playing terminal plays the history encrypted video file, acquiring the ID and the VKEK version number of the front-end monitoring equipment through the SVAC video file;
the video playing terminal transmits the public key of the video playing terminal, the front-end monitoring device ID and the VKEK version number through the signaling server of the current-level platform to obtain the VKEK;
the signaling server of the current-level platform authenticates the video playing terminal;
after the authority is determined, the signaling server of the platform transmits a public key of a video playing terminal, a front-end monitoring device ID and a VKEK version number to a video key management system of the platform to obtain the VKEK;
the video key management system of the platform acquires the designated VKEK from the key backup library according to the ID of the front-end monitoring equipment and the key version number, decrypts by adopting the private key of the platform, and encrypts the VKEK by using the public key of the video playing terminal;
the video key management system of the platform returns the encrypted VKEK through the key backup service module of the platform;
the video playing terminal decrypts VKEK by using a private key of the video playing terminal, decrypts a video encryption key VEK by using the VKEK, and then plays the video after decrypting the encrypted video by using the VEK.
7. The method for managing video keys for automatic backup and recovery according to claim 1, wherein the key recovery is performed by a key backup party, specifically:
the key generation side sends a recovery request to the key backup side;
after receiving the request, the key backup party authenticates the IP and the certificate of the key generation party, searches a key backup library of the key backup party after the request is passed, decrypts the key by using a private key of the key backup party, encrypts the key by using a public key of the key generation party, and generates a new key backup packet;
the key backup party returns a new key backup package to the key generation party;
the key generation party parses the new key backup package and decrypts the encrypted key EncryptedKey field in the new key backup package by using the private key of the key generation party; if the key involves a threshold parameter, it is combined with the key factors decrypted by the other key administrators;
and the key generation party merges the decrypted key backup information and the local key backup library, and the key backup library is successfully recovered.
8. The video key management method for automatic backup and recovery according to claim 1, wherein the method supports manual recovery by a key administrator during key recovery, and specifically comprises:
through the Shamir threshold cryptography technique, the VKEK generated by the key generator is divided into m fragments stored by m key managers, and the VKEK can be recovered only when t (0 < t ≤ m) key managers provide their VKEK fragments during key recovery.
9. An automatic backup and recovery video key management system, which is applied to the automatic backup and recovery video key management method of any one of claims 1 to 8, and comprises a deployment module, an authorization module, a backup module, a use module and a recovery module;
the deployment module is used for the key generation party to deploy the key backup service module and the key backup library on each key backup party;
the authorization module is used for authorizing each key backup party to receive the key backup package by the key generation party, and simultaneously authorizing the key generation party to distribute and obtain the key backup package by each key backup party;
the backup module is used for the key generation party to distribute the key backup information to each key backup party for key backup;
the using module is used for acquiring a video key and decrypting and playing a video when the video is requested;
and the recovery module is used for acquiring the key backup packages of the key backup parties and combining the key backup packages into a local key backup library when the key generation party requests recovery.
10. A computer-readable storage medium storing a program, wherein the program, when executed by a processor, implements an automatic backup and restore video key management method according to any one of claims 1 to 8.
CN202111290691.XA 2021-11-02 2021-11-02 Video key management method and system for automatic backup and recovery Pending CN114124373A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111290691.XA CN114124373A (en) 2021-11-02 2021-11-02 Video key management method and system for automatic backup and recovery

Publications (1)

Publication Number Publication Date
CN114124373A true CN114124373A (en) 2022-03-01

Family

ID=80380340

Country Status (1)

Country Link
CN (1) CN114124373A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination