CN114598453A - Key updating method and device, electronic equipment and storage medium - Google Patents

Info

Publication number
CN114598453A
Authority
CN
China
Prior art keywords
state machine
operation mode
machine operation
mode
key
Prior art date
Legal status
Pending
Application number
CN202011307313.3A
Other languages
Chinese (zh)
Inventor
王月明
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Priority application
CN202011307313.3A
Related PCT application
PCT/CN2021/131294 (WO2022105809A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the application provide a key updating method, a key updating device, an electronic device and a storage medium. The method comprises the following steps: selecting a state machine operation mode according to a preset rule; notifying the slave node of the state machine operation mode so that the slave node configures its state machine according to that mode; and updating the key according to the state machine operation mode. By notifying the slave node of the state machine operation mode, the method and device prevent interworking failures between devices, improve the stability of key updating, and improve the security of communication between devices.

Description

Key updating method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of data communications, and in particular, to a method and an apparatus for updating a secret key, an electronic device, and a storage medium.
Background
Media Access Control security (MACsec) is a security standard defined in IEEE 802.1AE. It defines a security infrastructure that provides confidentiality and integrity of data, and applying the MACsec protocol standard satisfies the security requirements of Layer 2 communication data. Since the MACsec protocol only provides a framework for encapsulating and encrypting data, the key (SAK) required by the standard is negotiated and generated by the MACsec Key Agreement protocol (MKA) of the IEEE 802.1X-2010 standard. A Connectivity Association (CA) is composed of a plurality of MAC Security entities (SecY) that implement MACsec functions. MKA is responsible for the discovery, authentication and authorization of SecYs; the CA members that possess the CA key select one of themselves as the key server according to a rule, the key server generates a key and distributes it to all members of the CA, and every CA member can then use the same key to complete secure communication with the others.
In the MKA protocol, the CP state machine plays a crucial role. It defines the different states the MKA protocol passes through while the system runs, and the processing corresponding to each state: the INIT, CHANGE, ALLOWED, AUTHENTICATED and SECURED states before communication protection is entered, and the RECEIVE, READY, TRANSMIT, ABANDON and RETIRE states after it. According to the MKA protocol, when the key server is ready to negotiate a new key it enters the RECEIVE state, generates a new key identified by a Latest Key Identifier (LKI), and distributes the new key to the other members of the CA. When all members of the CA have installed the new key, all members including the key server enter the RETIRE state; the new key identified by the LKI is reassigned to the Old Key Identifier (OKI), the LKI is cleared at the same time, and the key identified by the OKI is used throughout the CA to encrypt and decrypt communication data, thereby protecting it.
In existing implementations of the MKA CP state machine, the state machine is understood differently, so the operations performed when processing the RETIRE state are not completely consistent: some implementations process the key to be used by retaining the LKI and clearing the OKI. Because parameter set 3 of the MKA protocol message used to distribute the key carries and processes both state machine parameters, LKI and OKI, this affects interworking between different devices, or between a terminal and a device, and may cause interworking failure.
Disclosure of Invention
The embodiments of the application mainly aim to provide a key updating method, a key updating device, an electronic device and a storage medium, in order to synchronize the state machine operation mode between a master node and a slave node, prevent interworking failure between devices during key updating, and improve the security of communication between the master node and the slave node.
In order to achieve the above object, an embodiment of the present application provides a key updating method, which is applied to a master node, and the method includes:
selecting a state machine operation mode according to a preset rule; informing the state machine operation mode to a slave node so that the slave node configures a state machine according to the state machine operation mode; and updating the key according to the running mode of the state machine.
In order to achieve the above object, an embodiment of the present application further provides a key updating method applied to a slave node, where the method includes:
acquiring a state machine operation mode notified by a master node; configuring a state machine according to the state machine operation mode, and feeding back configuration completion information to the master node; and updating the key according to the state machine operation mode.
In order to achieve the above object, an embodiment of the present application further provides a key updating apparatus, which is applied to a master node, and includes:
the mode determining module is used for selecting the running mode of the state machine according to a preset rule;
the mode synchronization module is used for informing the slave node of the state machine operation mode so as to enable the slave node to configure the state machine according to the state machine operation mode;
and the key updating module is used for updating a key according to the running mode of the state machine.
In order to achieve the above object, an embodiment of the present application further provides a key updating apparatus, which is applied to a slave node, and includes:
the mode acquisition module is used for acquiring the state machine operation mode notified by the master node;
the information feedback module is used for configuring the state machine according to the state machine operation mode and feeding back configuration completion information to the master node;
and the key updating module is used for updating a key according to the running mode of the state machine.
In order to achieve the above object, an embodiment of the present application further provides an electronic device, where the electronic device includes:
one or more processors;
a memory for storing one or more programs,
when executed by the one or more processors, cause the one or more processors to implement a rekeying method as described in any of the embodiments of the present application.
In order to achieve the above object, the present application further provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the key updating method as described in any of the embodiments of the present application.
According to the method and the device, the state machine operation mode is selected and sent to the slave node, the slave node is configured according to that mode, encrypted communication between the master node and the slave node is achieved by updating the key according to the selected mode, the state machine operation modes of different nodes are unified, interworking failure between devices is prevented, and the stability of communication between the master node and the slave node is improved.
Drawings
Fig. 1 is a flowchart of a key updating method provided in an embodiment of the present application;
fig. 2 is a flowchart of another key updating method provided in an embodiment of the present application;
fig. 3 is a schematic structural diagram of a communication packet according to an embodiment of the present application;
fig. 4 is a flowchart of a key updating method provided in an embodiment of the present application;
fig. 5 is an exemplary diagram of a key update method provided in an embodiment of the present application;
fig. 6 is a schematic structural diagram of a key update apparatus according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a key update apparatus according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In the following description, suffixes such as "module", "part", or "unit" used to indicate elements are used only for facilitating the explanation of the present invention, and have no peculiar meaning by themselves. Thus, "module", "component" or "unit" may be used mixedly.
Fig. 1 is a flowchart of a key update method provided in an embodiment of the present application. The embodiment is applicable to key updating between a master node and a slave node, for example between a key server and a MAC security entity in a connectivity association. The method may be performed by a key update apparatus, which may be implemented in software and/or hardware and is generally integrated in the master node, for example the key server of a connectivity association. Referring to fig. 1, the method provided in the embodiment of the present application specifically includes the following steps:
and step 110, selecting a state machine operation mode according to a preset rule.
The preset rule is the way the master node selects the state machine operation mode; it may be determined according to the device capabilities of the master node and the slave node, according to a pre-stored configuration parameter, and so on. The state machine operation mode is the flow by which the master node and/or the slave node process a key update, for example keeping the OKI in the RETIRE state and clearing the LKI; alternatively, keeping the LKI in the RETIRE state and clearing the OKI, and so on.
Specifically, the master node may select the state machine operation mode to be used according to a preset rule, for example, the state machine operation mode may be set in a manner configured in advance.
And step 120, notifying the slave node of the state machine operation mode so that the slave node configures the state machine according to the state machine operation mode.
In this embodiment of the present application, after determining the state machine operation mode used in the key updating process, the master node may send the state machine operation mode to the slave node, and the slave node may perform configuration according to the received state machine operation mode, so that the state machine of the slave node operates according to the state machine operation mode selected by the master node.
And step 130, updating the key according to the running mode of the state machine.
Specifically, after the slave node is configured according to the state machine operation mode selected by the master node, the key may be updated according to the processing rule corresponding to that state machine operation mode. For example, when the state machine operation mode is state 1, the OKI is retained in the RETIRE state and the LKI is cleared; when the state machine operation mode is state 2, the LKI is retained in the RETIRE state and the OKI is cleared.
According to the method and the device, the state machine operation mode is selected and sent to the slave node so that the slave node is configured according to that mode, encrypted communication between the master node and the slave node is achieved by updating the key according to the selected mode, the state machine operation modes of different nodes are unified, interworking failure between devices is prevented, and the stability of communication between the master node and the slave node is improved.
Fig. 2 is a flowchart of another key updating method provided in an embodiment of the present application, which is embodied on the basis of the foregoing embodiment, and referring to fig. 2, the method provided in the embodiment of the present application specifically includes the following steps:
and step 210, acquiring the locally pre-stored state machine configuration parameters as the state machine operation mode parameters.
The state machine configuration parameter may be configuration information locally stored in the master node, and the state machine configuration parameter may indicate a state machine operation mode used by the master node and the slave node when performing key update.
In this embodiment of the present application, when the master node performs key update, the state configuration parameter that is locally pre-stored may be obtained, the state configuration parameter may be used as a state machine operation mode parameter, and after the master node selects the state machine operation mode parameter, the local state machine may be configured according to the parameter, so that the master node may process key update in a corresponding manner.
And step 220, packaging the state machine operation mode into a communication message according to a preset format, wherein the communication message at least comprises a current state machine operation mode field and a state machine operation mode field.
The communication message can be used for data interaction between a master node and a slave node, the communication message can be packaged according to a preset format, and the communication message can be composed of a current state machine operation mode field and a state machine operation mode parameter field, wherein the current state machine operation mode field can store the state machine operation mode of the current node, different identifiers can be used in the current state machine operation mode field to represent different state machine operation modes, and the state machine operation mode parameter field can store the state machine operation mode to be configured.
Specifically, when the master node selects the state machine operation mode it may package the mode into a communication message, representing different state machine operation modes by different numerical values in fixed fields of the message. The communication message includes at least a current state machine operation mode field and a state machine operation mode field, which the master node fills with its current state machine operation mode and with the selected state machine operation mode respectively. For example, fig. 3 is a schematic structural diagram of a communication packet provided in an embodiment of the present application. Referring to fig. 3, a packet carrying the state machine operation mode may include a parameter set type field, a state field, a parameter set length field and a state machine operation mode field. The parameter set type field occupies 8 bits; the value 12 shown in the figure indicates the corresponding parameter set type, for example a CP run mode type. The state field indicates the currently used state machine operation mode and occupies 1 bit: a value of 0 indicates that the state machine mode is not in use, and a value of 1 indicates that it is in use. The parameter set length field, which occupies 12 bits, indicates the length of the parameter set in the communication message, and may exclude the length of the parameter header.
The state machine operation mode field indicates the operation mode of the state machine and occupies 8 bits; different values correspond to different state machine operation modes. For example, a value of 1 indicates the mode in which the RETIRE state keeps the OKI and clears the LKI, and a value of 0 indicates the mode in which the RETIRE state keeps the LKI and clears the OKI.
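The following encoder and parser for the parameter set of fig. 3 is an added example and not code from the patent. The field widths and the values 12 (parameter set type), 0 and 1 (state machine operation modes) come from the description above; the exact bit positions are assumptions, chosen to follow the usual MKA parameter set header layout: the 1-bit state flag is taken as the most significant bit of the second header octet, the remaining header bits are reserved (zero), the 12-bit length is the low 12 bits of the second header half-word, and the 8-bit mode is the first body octet, with the body padded to a multiple of 4 octets. The parser rejects truncated input and flags mode values the node does not know, which is the situation the later section on extending the mode field anticipates.

```python
"""Encode and parse the 'CP state machine operation mode' parameter set of fig. 3.

Added example, not code from the patent. Bit positions are an assumption: the
1-bit state flag is the most significant bit of the second header octet, the
remaining header bits are reserved (zero), the 12-bit parameter set length is
the low 12 bits of the second header half-word, and the 8-bit mode field is
the first body octet, with the body padded to a multiple of 4 octets."""
import struct

CP_RUN_MODE_TYPE = 12           # parameter set type value shown in fig. 3
MODE_RETIRE_KEEP_LKI = 0        # RETIRE keeps the LKI and clears the OKI
MODE_RETIRE_KEEP_OKI = 1        # RETIRE keeps the OKI and clears the LKI
KNOWN_MODES = {MODE_RETIRE_KEEP_LKI, MODE_RETIRE_KEEP_OKI}

STATE_FLAG = 0x80               # assumed position of the 1-bit state field
LENGTH_MASK = 0x0FFF            # 12-bit parameter set length


def encode_cp_mode_set(mode: int, in_use: bool) -> bytes:
    """Build the parameter set: 4-octet header followed by the padded body."""
    if not 0 <= mode <= 0xFF:
        raise ValueError("state machine operation mode must fit in 8 bits")
    body = bytes([mode])
    length = len(body)                  # body length only; the header is not counted
    header = struct.pack("!BBH", CP_RUN_MODE_TYPE,
                         STATE_FLAG if in_use else 0x00,
                         length & LENGTH_MASK)
    padding = b"\x00" * (-length % 4)   # pad the body to a 4-octet boundary
    return header + body + padding


def parse_cp_mode_set(data: bytes) -> dict:
    """Validate and decode a parameter set; raise ValueError on anything malformed."""
    if len(data) < 4:
        raise ValueError("truncated parameter set header")
    ptype, flags, len_word = struct.unpack("!BBH", data[:4])
    if ptype != CP_RUN_MODE_TYPE:
        raise ValueError(f"unexpected parameter set type {ptype}")
    length = len_word & LENGTH_MASK
    if length < 1:
        raise ValueError("parameter set body too short to carry a mode")
    if len(data) < 4 + length:
        raise ValueError("parameter set body truncated")
    mode = data[4]
    return {
        "in_use": bool(flags & STATE_FLAG),   # 1 = mode configured and in use
        "mode": mode,
        "known": mode in KNOWN_MODES,         # other values are reserved for future modes
    }


if __name__ == "__main__":
    # Constructed exchange: master announces mode 1, slave confirms it with the state bit set.
    announce = encode_cp_mode_set(MODE_RETIRE_KEEP_OKI, in_use=False)
    confirm = encode_cp_mode_set(parse_cp_mode_set(announce)["mode"], in_use=True)
    print(announce.hex(), parse_cp_mode_set(confirm))
```

A receiver that treats an unknown mode value as an error rather than silently falling back to its default is what keeps the two sides from believing they agreed when they did not.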
Step 230, sending the communication packet to the slave node to enable the slave node to configure the state machine according to the state machine operation mode in the communication packet.
Specifically, the master node may send the communication packet to the slave node, and the slave node may extract the state machine operation mode from the packet and configure itself according to that mode, so that it processes the key update according to the state machine operation mode.
Step 240, extracting the current state machine operation mode from the communication message fed back by the slave node.
In the embodiment of the application, the slave node can feed back information to the master node through the communication message to inform the slave node of completing the configuration of the running mode of the state machine. The current state machine operation mode can be extracted from the communication message, the message format of the communication message can be the same as the message format sent by the master node to the slave node, the current state machine operation mode can be located in the current state machine operation mode field, and different state machine operation modes are represented by using different identification information.
And step 250, determining that the current state machine operation mode is the same as the state machine operation mode, and updating the key according to the state machine operation mode.
Specifically, the master node may compare the selected state machine operation mode with the current state machine operation mode, and determine whether the selected state machine operation mode is consistent with the current state machine operation mode, if so, it is determined that the state machine operation mode configuration of the slave node is completed, the master node and the slave node may perform key update according to the same state machine operation mode, thereby preventing the device from being failed in docking, and if not, it is determined that the state machine operation mode of the slave node is not configured, and the key update is not performed on the slave node.
And step 260, not updating the key of the slave node which does not feed back the configuration completion information within the preset time.
The preset time may be the longest waiting time for the master node to control the slave node to configure the state machine operation mode, and when it is not determined that the slave node completes configuration of the state machine operation mode within the preset time, it may be considered that the slave node fails, and no key update is performed on the slave node.
In this embodiment of the present application, when the master node notifies the state machine operation mode of the slave node, a timer may be set, a timing length of the timer may be a preset time, if information fed back by the slave node is not received within a time range of the timer, it may be determined that the slave node does not complete configuration of the state machine operation mode, and when performing key update, a new key may not be sent to the slave node to complete key update.
In the embodiment of the application, the state machine operation mode parameters are selected from the locally pre-stored state machine configuration parameters and packaged into a communication message, the message is sent to the slave node to complete the corresponding state machine configuration, the master node determines that the state machine operation mode in the current state machine operation mode field of the communication message fed back by the slave node is the same as the parameter in the state machine operation mode field, and then key updating is carried out according to the state machine operation mode; key updating is not carried out on a slave node that does not feed back configuration completion information within the preset time. The state machine operation modes of the master node and the slave node are thereby unified, encrypted communication between them is realized, interworking failure between devices is prevented, and the stability of communication between the master node and the slave node is improved.
Further, on the basis of the above application embodiment, the parameter field of the operating mode of the state machine expands the value according to the operating mode of the newly added state machine.
In the embodiment of the application, when the state operation modes of the state machines of the master node and the slave node are updated, a new identifier can be determined in a negotiation mode to be marked, and correspondingly, a new identifier can be added in the parameter field of the state machine operation mode to expand the value range.
For example, to solve problems that arise in the protocol application when interworking with other CP state machine implementations in states other than RETIRE, a new value may be defined in the state machine operation mode parameter field of the communication packet to indicate a new negotiation manner for that problem, thereby making the communication packet extensible.
Fig. 4 is a flowchart of a key update method provided in an embodiment of the present application. The embodiment is applicable to key updating between a master node and a slave node, for example between a key server and a MAC security entity in a connectivity association. The method may be performed by a key update apparatus, which may be implemented in software and/or hardware and is generally integrated in the slave node, for example a MAC security entity of a connectivity association. Referring to fig. 4, the method provided in the embodiment of the present application specifically includes the following steps:
Step 310, acquiring the state machine operation mode notified by the master node.
In this embodiment of the present application, the slave node may receive the state machine operation mode notified by the master node, and the state machine operation mode may be transmitted in a message manner.
Step 320, configuring the state machine according to the state machine operation mode, and feeding back configuration completion information to the master node.
Specifically, after receiving the state machine operation mode, the slave node may configure a local state machine to the state machine operation mode notified by the master node, so that the processing flow of the slave node when processing the key update is consistent with that of the master node, thereby reducing the failure probability of device docking. After the configuration is completed, the slave node may feed back configuration completion information to the master node, where the configuration completion information may include a current state machine operation mode of the slave node, and is used to notify the master node of completing the configuration of the state machine operation mode.
And step 330, updating the key according to the running mode of the state machine.
In this embodiment of the present application, the slave node performs key update according to a current state machine operation mode, different state machine operation modes may correspond to different key update flows, for example, when the state machine operation mode is state 1, the slave node retains an OKI in a RETIRE state and clears an LKI, and if the state machine operation mode is state 2, the slave node retains an LKI in the RETIRE state and clears the OKI.
According to the method and the device, the state machine operation mode notified by the master node is acquired, the configuration is carried out according to that mode, configuration completion information is fed back to the master node once the configuration is complete, and key updating is performed according to the flow corresponding to the state machine operation mode, so that key updating between the master node and the slave node is realized; by unifying the state machine operation modes of the master node and the slave node, interworking failure between devices is prevented, and the security and stability of information exchange between devices are improved.
Further, on the basis of the above application embodiment, configuring a state machine according to the state machine operation mode includes:
and judging whether the configured running mode of the state machine is the same as the running mode of the state machine or not, if not, changing the running mode of the state machine, and if so, not changing the running mode of the state machine.
In the embodiment of the application, the configured operation mode of the slave node may be compared with the state machine operation mode notified by the master node, if the configured operation mode of the slave node is the same as the state machine operation mode notified by the master node, it is determined that the state machine operation mode of the slave node does not need to be changed, and if the configured operation mode of the slave node is different from the state machine operation mode notified by the master node, the state machine operation mode of the slave node is changed into the state machine operation mode notified by the master node.
Further, on the basis of the embodiment of the above application, the feeding back configuration completion information to the master node includes:
feeding back the configuration completion information to the master node through a communication message; the communication message at least comprises a current state machine operation mode field and a state machine operation mode parameter field.
Specifically, the slave node may feed back configuration completion information to the master node through the communication packet, where the communication packet may at least include a current state machine operation mode field and a state machine operation mode parameter field, and may use a mode of identifying the current state machine operation mode field as the configuration completion information, for example, setting the current state machine operation mode field so that the identification value represents the state machine operation mode notified by the master node, and may use the set communication packet as the configuration completion information.
Further, on the basis of the embodiment of the above application, the updating a key according to the state machine operation mode includes: and receiving a new key of the main node, and processing a local old key according to the running mode of the state machine.
In this embodiment of the present application, the slave node processes the key update differently in different state machine operation modes, and may process the new key sent by the master node and the local old key according to the state machine operation mode it currently uses. For example, if the state machine operation mode of the slave node is state 1, the old key is deleted and the new key is retained in the RETIRE state; if the state machine operation mode of the slave node is state 2, the new key is deleted and the old key is retained in the RETIRE state.
Fig. 5 is an exemplary diagram of a key updating method provided in an embodiment of the present application. Referring to Fig. 5, after all CA members complete the key server election they all enter the secure state, at which point the key server starts the CP state machine operation mode negotiation, which includes the following steps:
Step 410: the key server selects the CP state machine operation mode to be used according to a certain rule, for example a pre-configured or default mode. Once the CP state machine operation mode is determined, the key server sends a protocol message to the other members of the CA to notify them of it. At the same time, the key server starts a CP state machine operation mode timeout timer, which is used to judge whether the other members of the CA have all completed setting the CP state machine operation mode within the specified time.
Step 420: the other members of the CA receive the message carrying the "CP state machine operation mode" parameter sent by the key server, parse the parameter and compare it with the local CP state machine operation mode to determine whether the two are consistent; if not, the local CP state machine operation mode is modified to match the mode used by the key server. After the setting is finished, each member sends a message carrying the CP state machine operation mode parameter to the key server, with the configuration state bit set to 1 to indicate that the CP state machine operation mode setting is complete.
Step 430: the key server receives the messages carrying the "CP state machine operation mode" parameter sent by the other members of the CA, and judges whether the CP state machine operation modes of all members of the CA are consistent.
Step 440: if the CP state machine operation modes of all members of the CA are set consistently, the subsequent CP state machine processing flow continues according to the key agreement processing described in the MKA protocol.
Step 450: if some member has still not fed back its CP state machine operation mode after the "CP state machine operation mode" timer in the CA has expired, the key server considers all members to have finished setting the CP state machine operation mode and continues with the subsequent CP state machine processing flow according to the key agreement processing of the MKA protocol.
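The negotiation of steps 410 to 450, together with the per-mode old/new key handling described for the slave node above, as an added Python simulation that is not part of the patent; the mode numbers 1 and 2, member names, keys and the timer length in ticks are assumptions chosen for illustration.

```python
# Added example, not the patent's code: simulation of the CP state machine
# operation mode negotiation of Fig. 5 (steps 410-450) plus the per-mode
# old/new key handling of the slave node. Mode numbers, member names, keys
# and the timer length in ticks are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

MODE_1 = 1  # "state 1": old key deleted, new key retained in retry state
MODE_2 = 2  # "state 2": new key deleted, old key retained in retry state


@dataclass
class ModeMessage:
    current_mode: int          # current state machine operation mode field
    mode_param: int            # state machine operation mode parameter field
    config_done: bool = False  # configuration completion bit (1 = done)


@dataclass
class Member:
    """CA member acting as slave node (MAC entity)."""
    name: str
    local_mode: int
    reply_delay: int = 0       # ticks until its feedback arrives (assumed)
    old_key: Optional[bytes] = None
    new_key: Optional[bytes] = None

    def on_mode_notification(self, msg: ModeMessage) -> ModeMessage:
        """Step 420: adopt the key server's mode if it differs, then feed
        back with the configuration completion bit set."""
        if self.local_mode != msg.mode_param:
            self.local_mode = msg.mode_param
        return ModeMessage(self.local_mode, self.local_mode, config_done=True)

    def on_new_key(self, new_key: bytes) -> Optional[bytes]:
        """Per-mode processing of the new key; returns the key retained."""
        if self.local_mode == MODE_1:
            self.old_key, self.new_key = None, new_key
            return new_key
        self.new_key = None  # MODE_2: discard the new key, keep the old one
        return self.old_key


class KeyServer:
    """Master node: runs the mode negotiation, then the key update."""

    def __init__(self, configured_mode: int, timeout_ticks: int):
        self.mode = configured_mode  # step 410: pre-configured mode
        self.timeout_ticks = timeout_ticks

    def negotiate(self, members: List[Member]) -> Dict[str, object]:
        notice = ModeMessage(self.mode, self.mode)
        feedback = {m.name: m.on_mode_notification(notice) for m in members}
        delay = {m.name: m.reply_delay for m in members}
        arrived: Dict[str, ModeMessage] = {}
        # Step 430: collect feedback until the mode timeout timer expires
        for tick in range(self.timeout_ticks):
            for name, msg in feedback.items():
                if name not in arrived and delay[name] <= tick:
                    arrived[name] = msg
        consistent = all(r.config_done and r.current_mode == self.mode
                         for r in arrived.values())
        # Steps 440/450: proceed when all received feedback matches; members
        # silent past the timer are treated as set but get no key update
        silent = sorted(n for n in feedback if n not in arrived)
        return {"proceed": consistent, "rekey": sorted(arrived), "skipped": silent}

    def rekey(self, members: List[Member], new_key: bytes) -> Dict[str, Optional[bytes]]:
        """Key update for members that fed back in time; returns retained keys."""
        outcome = self.negotiate(members)
        if not outcome["proceed"]:
            return {}
        return {m.name: m.on_new_key(new_key)
                for m in members if m.name in outcome["rekey"]}


def demo() -> Dict[str, Optional[bytes]]:
    """Constructed scenario: B switches from mode 2 to the server's mode 1;
    C replies only after the 3-tick timer has expired and is skipped."""
    members = [Member("A", MODE_1, old_key=b"old"),
               Member("B", MODE_2, reply_delay=1, old_key=b"old"),
               Member("C", MODE_2, reply_delay=5, old_key=b"old")]
    return KeyServer(MODE_1, timeout_ticks=3).rekey(members, b"new")
```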
Fig. 6 is a schematic structural diagram of a key update apparatus provided in an embodiment of the present application. The apparatus is capable of executing the key update method provided in any embodiment of the present application and has the functional modules and beneficial effects corresponding to that method. It may be implemented in software and/or hardware and is generally integrated in the master node, for example the key server in a connectivity association (CA), and specifically includes a mode determination module 501, a mode synchronization module 502 and a key update module 503.
The mode determination module 501 is configured to select a state machine operation mode according to a preset rule.
The mode synchronization module 502 is configured to notify the slave node of the state machine operation mode, so that the slave node configures its state machine according to the state machine operation mode.
The key update module 503 is configured to update a key according to the state machine operation mode.
In this embodiment, the mode determination module selects the state machine operation mode and it is sent to the slave node; the mode synchronization module has the slave node configure itself according to that mode; and the key update module updates the key according to the selected state machine operation mode. Encrypted communication between the master node and the slave node is thereby achieved, the state machine operation modes of different nodes are unified, interworking failures between devices are prevented, and the stability of communication between the master node and the slave node is improved.
Further, on the basis of the above embodiment, the mode determination module 501 is specifically configured to: acquire locally pre-stored state machine configuration parameters as the state machine operation mode parameters.
Further, on the basis of the above embodiment, the mode synchronization module 502 includes:
a communication message unit, configured to package the state machine operation mode into a communication message according to a preset format, wherein the communication message includes at least a current state machine operation mode field and a state machine operation mode field; and
a message sending unit, configured to send the communication message to the slave node, so that the slave node configures its state machine according to the state machine operation mode in the communication message.
Further, on the basis of the above embodiment, the state machine operation mode parameter field used by the mode synchronization module 502 is extended with a new value for each newly added state machine operation mode.
Further, on the basis of the above embodiment, the apparatus also includes an exception handling module, configured not to update the key of any slave node that does not feed back configuration completion information within the preset time.
Further, on the basis of the above embodiment, the key update module 503 includes:
an information extraction unit, configured to extract the current state machine operation mode from the communication message fed back by the slave node; and
an update execution unit, configured to update the key according to the state machine operation mode if the current state machine operation mode is the same as the state machine operation mode.
Fig. 7 is a schematic structural diagram of a key update apparatus according to an embodiment of the present application. The apparatus is capable of executing the key update method according to any embodiment of the present application and has the functional modules and beneficial effects corresponding to that method. It may be implemented in software and/or hardware and is generally integrated in the slave node, for example a MAC entity in a connectivity association (CA), and specifically includes a mode acquisition module 601, an information feedback module 602 and a key update module 603.
The mode acquisition module 601 is configured to acquire the state machine operation mode notified by the master node.
The information feedback module 602 is configured to configure the state machine according to the state machine operation mode and to feed back configuration completion information to the master node.
The key update module 603 is configured to update a key according to the state machine operation mode.
In this embodiment, the mode acquisition module acquires the state machine operation mode notified by the master node; the information feedback module configures according to that mode and, once configuration is complete, feeds back configuration completion information to the master node; and the key update module performs the key update using the flow corresponding to the state machine operation mode. Key updating between the master node and the slave node is thus achieved, interworking failures between devices are prevented by unifying the state machine operation modes of the master node and the slave node, and the security and stability of information exchange between devices are improved.
Further, on the basis of the above embodiment, the mode acquisition module 601 is specifically configured to: judge whether the configured state machine operation mode is the same as the notified state machine operation mode; if not, change the state machine operation mode, and if so, leave the state machine operation mode unchanged.
Further, on the basis of the above embodiment, the information feedback module 602 includes:
a feedback unit, configured to feed back the configuration completion information to the master node through a communication message, wherein the communication message includes at least a current state machine operation mode field and a state machine operation mode parameter field.
Further, on the basis of the above embodiment, the key update module 603 is specifically configured to: receive the new key from the master node, and process the local old key according to the state machine operation mode.
Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application, where as shown in fig. 8, the electronic device includes a processor 70, a memory 71, an input device 72, and an output device 73; the number of processors 70 in the device may be one or more, and one processor 70 is taken as an example in fig. 8; the device processor 70, memory 71, input device 72, and output device 73 may be connected by a bus or other means, as exemplified by the bus connection in fig. 8.
The memory 71 is a computer-readable storage medium, and can be used for storing software programs, computer-executable programs, and modules, such as modules (the mode determining module 501, the mode synchronizing module 502, and the key updating module 503, or the mode acquiring module 601, the information feedback module 602, and the key updating module 603) corresponding to the key updating apparatus in the embodiment of the present application. The processor 70 executes various functional applications of the device and data processing by executing software programs, instructions, and modules stored in the memory 71, that is, implements the above-described key update method.
The memory 71 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 71 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory 71 may further include memory located remotely from the processor 70, which may be connected to the device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 72 may be used to receive entered numeric or character information and to generate key signal inputs relating to user settings and function controls of the apparatus. The output device 73 may include a display device such as a display screen.
Embodiments of the present application further provide a computer-readable storage medium on which a computer program is stored. When executed by a processor, the computer program implements a key updating method as provided in any embodiment of the present application, the method including:
selecting a state machine operation mode according to a preset rule; notifying the state machine operation mode to a slave node, so that the slave node configures a state machine according to the state machine operation mode; and updating the key according to the state machine operation mode.
Alternatively, the method includes:
acquiring a state machine operation mode notified by a master node; configuring a state machine according to the state machine operation mode, and feeding back configuration completion information to the master node; and updating the key according to the state machine operation mode.
Of course, the computer-executable instructions contained in the storage medium provided in the embodiments of the present application are not limited to the method operations described above, and may also perform related operations in the key update method provided in any embodiment of the present application.
From the above description of the embodiments, it is obvious for those skilled in the art that the present application can be implemented by software and necessary general hardware, and certainly can be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the key updating apparatus, the included units and modules are merely divided according to functional logic, but are not limited to the above division, as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
One of ordinary skill in the art will appreciate that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.
In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
The preferred embodiments of the present invention have been described above with reference to the accompanying drawings, and are not to be construed as limiting the scope of the invention. Any modifications, equivalents and improvements which may occur to those skilled in the art without departing from the scope and spirit of the present invention are intended to be within the scope of the claims.

Claims (14)

1. A key updating method, applied to a master node, comprising:
selecting a state machine operation mode according to a preset rule;
notifying the state machine operation mode to a slave node, so that the slave node configures a state machine according to the state machine operation mode; and
updating a key according to the state machine operation mode.
2. The method of claim 1, wherein selecting the state machine operation mode according to the preset rule comprises:
acquiring locally pre-stored state machine configuration parameters as the state machine operation mode parameters.
3. The method of claim 1, wherein notifying the slave node of the state machine operation mode comprises:
packaging the state machine operation mode into a communication message according to a preset format, wherein the communication message comprises at least a current state machine operation mode field and a state machine operation mode field; and
sending the communication message to the slave node, so that the slave node configures the state machine according to the state machine operation mode in the communication message.
4. The method of claim 3, wherein the state machine operation mode parameter field is extended with a value according to a newly added state machine operation mode.
5. The method of claim 1, further comprising:
not updating the key of a slave node which does not feed back configuration completion information within a preset time.
6. The method of claim 1, wherein updating the key according to the state machine operation mode comprises:
extracting a current state machine operation mode from the communication message fed back by the slave node; and
if the current state machine operation mode is determined to be the same as the state machine operation mode, updating the key according to the state machine operation mode.
7. A key updating method, applied to a slave node, comprising:
acquiring a state machine operation mode notified by a master node;
configuring a state machine according to the state machine operation mode, and feeding back configuration completion information to the master node; and
updating a key according to the state machine operation mode.
8. The method of claim 7, wherein configuring the state machine according to the state machine operation mode comprises:
judging whether the configured state machine operation mode is the same as the notified state machine operation mode; if not, changing the state machine operation mode, and if so, leaving the state machine operation mode unchanged.
9. The method of claim 7, wherein feeding back the configuration completion information to the master node comprises:
feeding back the configuration completion information to the master node through a communication message,
wherein the communication message comprises at least a current state machine operation mode field and a state machine operation mode parameter field.
10. The method of claim 7, wherein updating the key according to the state machine operation mode comprises:
receiving a new key from the master node, and processing a local old key according to the state machine operation mode.
11. A key updating apparatus, applied to a master node, comprising:
a mode determination module, configured to select a state machine operation mode according to a preset rule;
a mode synchronization module, configured to notify the state machine operation mode to a slave node, so that the slave node configures a state machine according to the state machine operation mode; and
a key update module, configured to update a key according to the state machine operation mode.
12. A key updating apparatus, applied to a slave node, comprising:
a mode acquisition module, configured to acquire a state machine operation mode notified by a master node;
an information feedback module, configured to configure a state machine according to the state machine operation mode and to feed back configuration completion information to the master node; and
a key update module, configured to update a key according to the state machine operation mode.
13. An electronic device, comprising:
one or more processors; and
a memory for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the key updating method of any one of claims 1 to 6 or 7 to 10.
14. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, carrying out the key updating method of any one of claims 1 to 6 or 7 to 10.
CN202011307313.3A 2020-11-19 2020-11-19 Key updating method and device, electronic equipment and storage medium Pending CN114598453A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202011307313.3A CN114598453A (en) 2020-11-19 2020-11-19 Key updating method and device, electronic equipment and storage medium
PCT/CN2021/131294 WO2022105809A1 (en) 2020-11-19 2021-11-17 Key updating method and apparatus, electronic device and storage medium

Publications (1)

Publication Number Publication Date
CN114598453A true CN114598453A (en) 2022-06-07

Family

ID=81708375

Country Status (2)

Country Link
CN (1) CN114598453A (en)
WO (1) WO2022105809A1 (en)

Also Published As

Publication number Publication date
WO2022105809A1 (en) 2022-05-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination