CN115225269A - Key management method, device and system for distributed password card - Google Patents

Key management method, device and system for distributed password card

Info

Publication number
CN115225269A
Authority
CN
China
Prior art keywords
key
card
cryptographic
request
cryptographic operation
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN202210868461.5A
Other languages
Chinese (zh)
Inventor
王宗岳
樊俊锋
焦四辈
Current Assignee (as listed by Google Patents; may be inaccurate)
Open Security Research Inc
Original Assignee
Open Security Research Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A key management method, device and system for a distributed cryptographic card. A server is connected to multiple cryptographic cards, each installed in a terminal. First, a cryptographic card receives a key use request sent by a service process in its terminal; based on that request, the card checks whether it has cached the key corresponding to the service identifier of the process requesting the cryptographic operation. If the key is cached, the card obtains it directly and performs the cryptographic operation for the service process with it. If it is not cached, the card generates a key request and sends it to the server; the server receives the key request, obtains the key according to it and sends the key to the cryptographic card; finally, after receiving the key from the server, the card performs the cryptographic operation for the service process using that key. The invention thus gives the service process a high-speed, low-latency way to perform cryptographic operations and obtain keys, keeps the service process's plaintext data off the network, and improves security.

Description

Key management method, device and system for distributed password card
Technical Field
The invention relates to the technical field of information system security, and in particular to a key management method, device and system for a distributed cryptographic card.
Background
Cryptographic algorithms are the basis of information system service security: a service system uses them to authenticate accessing terminals and to encrypt data traffic to protect data security; for example, an HTTPS-based website service secures the data between the web server and the browser through the TLS protocol and its cipher suites. The security of a cryptographic algorithm depends on the environment in which it runs and on the key management mechanism. Generally, cryptographic operations and key management are implemented in an independent Hardware Security Module (HSM), which exposes an access interface to the outside and takes care of both invoking the cryptographic algorithm and protecting the key.
Common hardware cryptographic modules on the information-service side include the PCIe cryptographic card, the cryptographic machine, and the signature verification server. By form factor they divide into board-card products (cryptographic cards) and server products (cryptographic machines and the like).
A cryptographic card is inserted through a PCIe slot into the server on which the service runs, and its key management and cryptographic operation functions are called through standard interfaces such as the GM/T 0018 cryptographic device application interface specification and JCE. Because PCIe bus bandwidth is very high, this approach gives the service system high-speed, low-latency cryptographic operations. However, since the service key is stored inside the card, the card can only serve the services of the physical host it sits in; it suits small service systems and offers little flexibility in key management. In deployments such as load balancing across several physical hosts, the key must be manually and securely backed up from one card and restored into the cards of the other service hosts, and some card products provide no backup and restore function at all, so this cannot be done. In a distributed cloud environment a service application may be moved with its virtual machine onto a different physical machine, but the card in that machine does not necessarily hold that application's key, so cryptographic cards cannot be used in such a scenario.
Cryptographic machines, signature verification servers and other server-form cryptographic modules provide their service over the network. The cryptographic module server listens for network messages; the service system sends cryptographic operation requests to the server's IP address and port and receives the results. Keys are managed centrally by the cryptographic module server. This approach works in a distributed cloud environment: a service only needs the server's IP address and port configured to request cryptographic operations, and when the service is deployed on different physical machines its keys remain stable because they are held centrally in the server. However, with a server-form module the cryptographic operation request is forwarded through switches and other network devices, and although the key material is not exposed in the process, the plaintext of the service data is at risk of interception. When a cryptographic module server is deployed, the service and the cryptographic module server are usually placed together in a relatively safe domain; even so, this mode of invocation carries a higher risk than calling a local cryptographic card.
In addition, a cryptographic operation requested over the network must be forwarded through network cards, routers, switches and other network equipment, so the call latency is relatively high and the approach is unsuitable for low-latency scenarios. Moreover, for operations on large volumes of data, such as encryption and decryption, all of the plaintext and ciphertext has to travel over the network, so throughput is bounded by network bandwidth and cannot be increased further.
To integrate different cryptographic modules such as cryptographic machines, there are also cryptographic resource pool schemes. In such a scheme an intermediate layer is added between the services and devices such as cryptographic machines and signature verification servers, and it schedules the cryptographic devices and operation requests centrally. In use, a service sends its request to the resource pool's service interface, and the pool forwards it to the appropriate cryptographic module device. A network-based resource pool has the same drawbacks as a server-form cryptographic module: the plaintext is forwarded across network equipment, and the efficiency and latency of cryptographic operations are limited by the network.
In summary, there is a need for high-speed, low-latency cryptographic operations and key acquisition that keep the service process's plaintext data off the network.
Disclosure of Invention
The invention mainly solves the technical problem of how to perform high-speed, low-latency cryptographic operations and obtain keys securely while keeping the plaintext data of the service process from appearing on the network.
According to a first aspect, an embodiment provides a key management method for a distributed cryptographic card, applied to a server that is connected to a plurality of cryptographic cards, each cryptographic card being installed in a terminal;
the key management method comprises the following steps:
receiving one or more key requests, each key request comprising the service identifier of the process requesting a cryptographic operation and the identifier of the cryptographic card sending the key request;
obtaining, according to the one or more key requests, one or more keys corresponding to the service identifiers of the requested cryptographic operations, the keys corresponding one to one with the key requests;
sending the one or more keys to the corresponding cryptographic cards according to the cryptographic card identifiers, the keys being used to perform the cryptographic operations for the requesting service processes.
According to a second aspect, an embodiment provides a key management method for a distributed cryptographic card, applied to a cryptographic card that is connected to a server, the server being connected to multiple cryptographic cards, each installed in a terminal;
the key management method comprises the following steps:
receiving a key use request sent by a service process in the terminal that requests a cryptographic operation, the key use request comprising the service identifier of the requested cryptographic operation;
determining, based on the key use request, whether the cryptographic card has cached the key corresponding to that service identifier;
if the key is cached, directly obtaining it and performing the cryptographic operation for the requesting service process based on that key;
if the key is not cached, generating a key request and sending it to the server, the key request comprising the service identifier of the requested cryptographic operation and the identifier of this cryptographic card;
and receiving the key sent by the server and performing the cryptographic operation for the requesting service process based on that key.
According to a third aspect, an embodiment provides a key management device for a distributed cryptographic card, applied to a server that is connected to multiple cryptographic cards, each installed in a terminal;
the key management device includes:
a first receiving module, configured to receive one or more key requests, each comprising the service identifier of the process requesting a cryptographic operation and the identifier of the cryptographic card sending the key request;
a first key obtaining module, configured to obtain, according to the one or more key requests, one or more keys corresponding to the service identifiers of the requested cryptographic operations, the keys corresponding one to one with the key requests;
a key sending module, configured to send the one or more keys to the corresponding cryptographic cards according to the cryptographic card identifiers, the keys being used to perform the cryptographic operations for the requesting service processes.
According to a fourth aspect, an embodiment provides a key management device for a distributed cryptographic card, applied to a cryptographic card that is connected to a server, the server being connected to a plurality of cryptographic cards, each installed in a terminal;
the key management device includes:
a second receiving module, configured to receive a key use request sent by a service process in the terminal that requests a cryptographic operation, the key use request comprising the service identifier of the requested cryptographic operation;
a judgment module, configured to determine, based on the key use request, whether the cryptographic card has cached the key corresponding to that service identifier;
a second key obtaining module, configured, if the key is cached, to obtain it directly and perform the cryptographic operation for the requesting service process based on it;
a key request sending module, configured, if the key is not cached, to generate a key request and send it to the server, the key request comprising the service identifier of the requested cryptographic operation and the identifier of this cryptographic card;
and a third key obtaining module, configured to receive the key sent by the server and perform the cryptographic operation for the requesting service process based on it.
According to a fifth aspect, an embodiment provides a key management system for distributed cryptographic cards, comprising a plurality of cryptographic cards and a server connected to them, each cryptographic card being installed in a terminal;
the server is configured to:
receive one or more key requests, each comprising the service identifier of the process requesting a cryptographic operation and the identifier of the cryptographic card sending the key request;
obtain, according to the one or more key requests, one or more keys corresponding to the service identifiers of the requested cryptographic operations, the keys corresponding one to one with the key requests;
send the one or more keys to the corresponding cryptographic cards according to the cryptographic card identifiers, the keys being used to perform the cryptographic operations for the requesting service processes.
The cryptographic card is configured to:
receive a key use request sent by a service process in the terminal that requests a cryptographic operation, the key use request comprising the service identifier of the requested cryptographic operation;
determine, based on the key use request, whether the cryptographic card has cached the key corresponding to that service identifier;
if the key is cached, directly obtain it and perform the cryptographic operation for the requesting service process based on that key;
if the key is not cached, generate a key request and send it to the server, the key request comprising the service identifier of the requested cryptographic operation and the identifier of this cryptographic card;
and receive the key sent by the server and perform the cryptographic operation for the requesting service process based on that key.
According to the key management method, device and system for a distributed cryptographic card of these embodiments, the server is connected to a plurality of cryptographic cards, each installed in one terminal. First, a cryptographic card receives a key use request sent by a service process in its terminal that requests a cryptographic operation; based on that request, the card determines whether it has cached the key corresponding to the service identifier of the requested operation. If so, the card obtains the key directly and performs the cryptographic operation for the requesting service process with it; if not, it generates a key request and sends it to the server. The server then receives the key request, obtains the key according to it and sends the key to the card. Finally, after the card receives the key from the server, it uses the key to answer the service process's cryptographic operation request. The invention thus gives the service process high-speed, low-latency cryptographic operations and secure key acquisition, keeps the service process's plaintext data off the network, and improves security.
Drawings
FIG. 1 is a schematic structural diagram of a key management system of a distributed cryptographic card according to an embodiment;
FIG. 2 is a flowchart of a key management method for a distributed cryptographic card according to an embodiment;
FIG. 3 is a flowchart of a key management method for a distributed cryptographic card according to another embodiment;
FIG. 4 is a diagram illustrating an exemplary key management apparatus of a distributed cryptographic card;
FIG. 5 is a schematic structural diagram of a key management device of a distributed cryptographic card according to another embodiment.
Detailed Description
The present invention will be described in further detail with reference to the following detailed description and accompanying drawings. Wherein like elements in different embodiments have been given like element numbers associated therewith. In the following description, numerous specific details are set forth in order to provide a better understanding of the present application. However, one skilled in the art will readily recognize that some of the features may be omitted or replaced with other elements, materials, methods in different instances. In some instances, certain operations related to the present application have not been shown or described in this specification in order not to obscure the core of the present application with unnecessary detail, and it is not necessary for those skilled in the art to describe these operations in detail, so that they may be fully understood from the description in the specification and the general knowledge in the art.
Furthermore, the features, operations, or characteristics described in the specification may be combined in any suitable manner to form various embodiments. Also, the various steps or actions in the method descriptions may be transposed or reordered, as will be apparent to one of ordinary skill in the art. Thus, the various sequences in the specification and drawings are for the purpose of clearly describing certain embodiments only and are not intended to imply a required sequence unless otherwise indicated where a certain sequence must be followed.
The ordinal numbers used herein for the components, such as "first," "second," etc., are used merely to distinguish between the objects described, and do not have any sequential or technical meaning. The terms "connected" and "coupled" as used herein include both direct and indirect connections (couplings), unless otherwise specified.
In the embodiment of the invention, a plurality of password cards are respectively arranged in a plurality of terminals to form a distributed password card, the password card is provided with a network interface besides a PCIE interface, and the network interface is used for connecting each password card to a server for key management, so that when a certain business process in one terminal needs to carry out password operation, the business process sends a key using request to the password card arranged in the terminal, the password card sends the key request to the server based on the received key using request, the server searches and obtains a key from a memory based on the received key request, then sends the key to the password card, and after the password card receives the key, the terminal carries out the password operation on the business process by using the key. In addition, the cipher card can cache the historically received keys, and when the same service process acquires the keys again, the cipher card does not need to acquire the keys from the server, and can directly send the cached keys to the terminal so as to perform cryptographic operation on the same service process.
Referring to fig. 1, fig. 1 is a key management system of a distributed cryptographic card according to an embodiment, which is hereinafter referred to as a key management system for short, and the key management system includes: the terminal comprises a plurality of terminals 10, a plurality of password cards 20 and a server 30, wherein the terminals 10 correspond to the password cards 20 one by one, each password card 20 is arranged in the corresponding terminal 10, and the password cards 20 are connected with the server 30 through a network.
The cipher card 20 includes a PCIE interface and a network interface, and the cipher card 20 accesses the terminal 10 through the PCIE interface, where the service process runs in different terminals 10 in the form of a virtual machine or an independent process. Since the key and the service process are in one-to-one correspondence, that is, when the same service process runs in different terminals 10, the corresponding key is the same; when different service processes run in the same terminal 10, the corresponding keys are also different.
Referring to fig. 2, fig. 2 is a flowchart of a key management method applied to a distributed cryptographic card of the cryptographic card, which is hereinafter referred to as a key management method for short, according to an embodiment.
Step 101: the cryptographic card 20 receives a key use request sent by a service process requesting cryptographic operation in the terminal 10, where the key use request includes a service identifier requesting cryptographic operation, and the service identifier requesting cryptographic operation is used to identify the service process requesting cryptographic operation. It should be noted that, the terminal 10 in step 101 is a terminal device to which the cryptographic card 20 is accessed through a PCIE interface, and the service process requesting cryptographic operation refers to a virtual machine or an independent process running in the terminal 10.
Step 102: the cryptographic card 20 determines whether the cryptographic card 20 has a key corresponding to the service identifier for caching the cryptographic operation based on the key use request. The cryptographic card 20 has a certain buffer space inside, but the buffer space is small, and only a small number of keys can be buffered.
Step 103: if the cache exists, directly obtaining a key corresponding to the service identifier requesting the cryptographic operation, and encrypting the service process requesting the cryptographic operation based on the key corresponding to the service identifier requesting the cryptographic operation. After receiving the key use request, the cryptographic card 20 first determines whether the key has been cached before, and if so, the cryptographic card is directly sent to the service process for encryption without being acquired from the server 30 through the network, thereby improving the cryptographic operation efficiency of the service process to a certain extent.
Step 104: if no cache exists, the cryptographic card 20 generates and sends a key request to the server 30; the key request comprises a service identifier for requesting the cryptographic operation and a cryptographic card identifier corresponding to the cryptographic card. Since the cache space of the cryptographic card 20 is limited and cannot store too many keys, when the key corresponding to the service process requesting the cryptographic operation is not cached in the cryptographic card 20, the cryptographic card 20 needs to send a key request to the server 30 to obtain the key. Although the process of obtaining the key from the server 30 by the cryptographic card 20 is performed in the network environment, only the key is transmitted in the network environment, and the data of the business process is not transmitted in the network environment, so that the risk of plaintext forwarding in the existing cryptographic engine scheme does not exist. In addition, the key is encrypted when it is transmitted over the network between the server 30 and the cryptographic card 20.
Step 105: the cryptographic card 20 receives the key sent by the server 30, and performs an encryption operation on the business process requesting the cryptographic operation based on the key. The cryptographic card 20 according to the embodiment of the present invention is an existing cryptographic card, and a dedicated cryptographic algorithm chip is built in the cryptographic card, and is capable of performing cryptographic operation on data in a service process, where the cryptographic card 20 specifically responds to a cryptographic operation request of the service process by using a key, and the cryptographic operation request may adopt any existing cryptographic operation method, which is not described herein again.
Since the cryptographic card 20 has a certain cache space, after receiving the key sent by the server 30, the cryptographic card 20 encrypts the service process based on the key and caches the received key when the cache space allows. If the cache space in the cryptographic card 20 is insufficient, the received key is cached after deleting the previously cached key. Therefore, the cryptographic card 20 does not need to repeatedly acquire the key for the same service process, and the cryptographic operation efficiency is improved.
In an embodiment, in the key management system of the distributed cryptographic card, the cryptographic cards 20 may send the key requests to the server 30 synchronously, and the server 30 processes the received key requests synchronously and sends the keys to the cryptographic cards 20.
Referring to fig. 3, fig. 3 is a flowchart of a key management method of a distributed cryptographic card applied to a server according to an embodiment, which is hereinafter referred to as a key management method for short.
Step 201: the server 30 receives one or more key requests, where each key request includes the service identifier of the service process requesting a cryptographic operation and the identifier of the cryptographic card that sent the request. The server 30 may receive key requests sent by multiple cryptographic cards 20 at the same time, that is, multiple key requests, or a key request sent by a single cryptographic card 20, that is, one key request. Because the key request carries both the service identifier of the requesting service process and the identifier of the sending cryptographic card, the server 30 can look up the corresponding key and send it to the corresponding cryptographic card 20.
Step 202: the server 30 obtains, according to the one or more key requests, one or more keys corresponding to the service identifiers requesting the cryptographic operation; the keys correspond one to one to the key requests. In an embodiment, the keys are stored in the memory of the server 30: after receiving a key request, the server 30 parses it to obtain the service identifier requesting the cryptographic operation, and then looks up the corresponding key in memory by that service identifier. When multiple key requests are received, the server 30 may parse them one by one according to a preset rule and look up the corresponding keys, as when processing a single key request; or it may parse the multiple key requests concurrently and then look up the corresponding keys sequentially or concurrently.
Step 203: the server 30 sends the one or more keys to the corresponding cryptographic cards according to the cryptographic card identifiers; each key is used to perform the cryptographic operation for the service process that requested it. Because the server 30 obtains the cryptographic card identifier when it parses the key request in step 202, it can send the key to the corresponding cryptographic card 20 based on that identifier.
In this embodiment, the cryptographic operation and the caching performed by the cryptographic card 20 after it receives the key have been described in the above embodiments and are not repeated here.
The server 30 and each cryptographic card 20 provided by the embodiment of the present invention remain consistent: when the server 30 receives a key deletion request, it deletes the corresponding key and sends a deletion request to each cryptographic card 20, so that the cryptographic card 20 also deletes from its cache the key deleted by the server 30.
In one embodiment, the server 30 is further configured to: receive a key deletion request, where the key deletion request includes the identifier of the key to be deleted; based on the key deletion request, look up and delete the key corresponding to that identifier in memory, and obtain the sending information for that key within a preset time, where the sending information includes the identifiers of the cryptographic cards to which the key was sent within the preset time; and, based on that sending information, generate and send a deletion request to each such cryptographic card 20 so that it deletes the cached copy of the key. In this way, the consistency of the cryptographic card 20 and the server 30 is maintained.
In this embodiment, only the protected key is transmitted over the network connecting the cryptographic card 20 and the server 30; the data of the service process is not transmitted, so plaintext service data never appears in the network environment and overall security is improved. The key transmitted between the cryptographic card 20 and the server 30 is itself encrypted, as follows:
After the connection between the cryptographic card 20 and the server 30 is established, the whole system is initialised: the cryptographic card 20 and the server 30 generate and exchange authentication information, and the server 30 obtains the device identity information of the cryptographic card 20, which includes the cryptographic card identifier and the cryptographic card public key (each cryptographic card public key corresponds one to one to a cryptographic card 20). The server 30 stores the cryptographic card public keys obtained during initialisation in memory. During normal operation, the server 30 parses the cryptographic card identifier from a received key request, looks up the cryptographic card public key corresponding to that identifier in memory, encrypts the corresponding key under that public key, and sends the protected key to the corresponding cryptographic card 20; the cryptographic card 20 receives and decrypts it to obtain the complete key. In this way, no plaintext data of the service process requesting the cryptographic operation is transmitted over the network, and the security of the key is ensured.
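The request, wrapping and caching flow of steps 201 to 203, together with the deletion propagation described above, as a constructed Python simulation added here (not code from the patent). The service names, card identifiers, the 300-second window and the per-card secret keystream standing in for the patent's public-key encryption are all assumptions.

```python
import hashlib
from dataclasses import dataclass, field

WINDOW = 300.0  # the patent's "preset time" for deletion propagation; value assumed


def _keystream_xor(secret: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for the public-key protection of the key: SHA-256 counter
    # keystream XORed over the key bytes, keyed by the per-card secret from init.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(secret + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class KeyServer:
    """Server 30: keys in memory, card identity info from initialisation, send log."""
    keys: dict                                        # service_id -> key bytes
    card_secrets: dict = field(default_factory=dict)  # card_id -> per-card secret
    send_log: list = field(default_factory=list)      # (service_id, card_id, sent_at)

    def handle_key_requests(self, requests, now):
        """Steps 201-203: for each (service_id, card_id), look up and wrap the key."""
        replies = []
        for service_id, card_id in requests:
            key = self.keys.get(service_id)
            if key is None or card_id not in self.card_secrets:
                replies.append((card_id, None))       # unknown service or unregistered card
                continue
            nonce = hashlib.sha256(f"{service_id}|{card_id}|{now}".encode()).digest()[:8]
            wrapped = nonce + _keystream_xor(self.card_secrets[card_id], nonce, key)
            self.send_log.append((service_id, card_id, now))  # needed for deletion later
            replies.append((card_id, (service_id, wrapped)))
        return replies

    def delete_key(self, service_id: str, now):
        """Delete from memory; return the cards that received this key within WINDOW."""
        self.keys.pop(service_id, None)
        return sorted({c for s, c, t in self.send_log
                       if s == service_id and now - t <= WINDOW})


@dataclass
class CryptoCard:
    card_id: str
    secret: bytes
    cache: dict = field(default_factory=dict)         # service_id -> key bytes

    def use_key(self, service_id: str, server: KeyServer, now):
        if service_id in self.cache:                  # cache hit: no network round trip
            return self.cache[service_id], "cache"
        _, reply = server.handle_key_requests([(service_id, self.card_id)], now)[0]
        if reply is None:
            return None, "unavailable"
        nonce, body = reply[1][:8], reply[1][8:]
        key = _keystream_xor(self.secret, nonce, body)  # unwrap with the card's own secret
        self.cache[service_id] = key                  # cache for later requests
        return key, "server"

    def purge(self, service_id: str) -> None:
        self.cache.pop(service_id, None)


def demo(now: float = 1000.0) -> dict:
    """Two cards, one service key, then a deletion that must stay consistent."""
    server = KeyServer(keys={"svc-pay": b"\x11" * 16})  # constructed sample key
    card_a, card_b = CryptoCard("card-A", b"secret-A"), CryptoCard("card-B", b"secret-B")
    server.card_secrets = {c.card_id: c.secret for c in (card_a, card_b)}  # initialisation
    card_b.use_key("svc-pay", server, now - 2 * WINDOW)   # received long before the window
    key, src1 = card_a.use_key("svc-pay", server, now)    # miss -> key request to server
    _, src2 = card_a.use_key("svc-pay", server, now + 1)  # hit -> served from cache
    targets = server.delete_key("svc-pay", now + 2)       # only card-A is inside WINDOW
    for card in (card_a, card_b):
        if card.card_id in targets:
            card.purge("svc-pay")
    return {"key": key, "sources": (src1, src2), "targets": targets,
            "a_cached": "svc-pay" in card_a.cache, "b_cached": "svc-pay" in card_b.cache}
```

card-B keeps its cached copy because its send fell outside the preset time, so that window has to cover at least as long as a card may hold a cached key.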
Based on the key management method provided in the foregoing embodiment, please refer to fig. 4, this embodiment further provides a key management apparatus for a distributed cryptographic card applied to a server 30, and the key management apparatus provided in this embodiment includes: a first receiving module 301, a first key obtaining module 302 and a key sending module 303.
The first receiving module 301 is configured to receive one or more key requests, where a key request includes a service identifier requesting a cryptographic operation and a cryptographic card identifier sending the key request.
The first key obtaining module 302 is configured to obtain one or more keys corresponding to service identifiers requesting cryptographic operations according to one or more key requests, where the keys correspond to the key requests one to one.
The key sending module 303 is configured to send one or more keys to the corresponding cryptographic card according to the cryptographic card identifier; the key is used for carrying out cryptographic operation on the business process requesting the cryptographic operation.
Each module in the key management apparatus provided in this embodiment corresponds to a method step in the key management method shown in fig. 3 one to one, and a specific implementation thereof has been described in detail in the foregoing embodiments, and is not described again here.
Referring to fig. 5, the present embodiment further provides a key management apparatus for a distributed cryptographic card, applied to the cryptographic card 20; the key management apparatus provided in this embodiment includes: a second receiving module 401, a judging module 402, a second key obtaining module 403, a key request sending module 404 and a third key obtaining module 405.
The second receiving module 401 is configured to receive a key usage request sent by a service process requesting a cryptographic operation in the terminal 10, where the key usage request includes a service identifier requesting the cryptographic operation.
The judging module 402 is configured to judge, based on the key usage request, whether the cryptographic card has cached a key corresponding to the service identifier requesting the cryptographic operation.
The second key obtaining module 403 is configured to, if the key is cached, directly obtain the key corresponding to the service identifier requesting the cryptographic operation, and perform the cryptographic operation on the requesting service process based on that key.
The key request sending module 404 is configured to generate and send a key request to the server if the key is not cached; the key request includes the service identifier requesting the cryptographic operation and the identifier of the cryptographic card itself.
The third key obtaining module 405 is configured to receive a key sent by the server, and perform cryptographic operation on a service process requesting cryptographic operation based on the key.
Each module in the key management apparatus provided in this embodiment corresponds to a method step in the key management method shown in fig. 2 one to one, and a specific implementation thereof has been described in detail in the foregoing embodiments, and is not described again here.
It should be noted that the cryptographic operation according to the embodiment of the present invention includes: data encryption and decryption, signature verification, message authentication code generation and verification and the like.
Compared with the traditional cryptographic card scheme, the embodiment of the invention provides a uniform and flexible key management scheme that is applicable to cloud environments and distributed environments. Compared with the traditional cryptographic service module and cryptographic resource pool schemes, the invention provides high-speed, low-latency cryptographic computing capability for the service process, keeps plaintext service data out of the network environment, and improves overall security.
Those skilled in the art will appreciate that all or part of the functions of the various methods in the above embodiments may be implemented by hardware, or may be implemented by computer programs. When all or part of the functions of the above embodiments are implemented by a computer program, the program may be stored in a computer-readable storage medium, and the storage medium may include: a read only memory, a random access memory, a magnetic disk, an optical disk, a hard disk, etc., and the program is executed by a computer to realize the above functions. For example, the program may be stored in a memory of the device, and when the program in the memory is executed by the processor, all or part of the functions described above may be implemented. In addition, when all or part of the functions in the above embodiments are implemented by a computer program, the program may be stored in a storage medium such as a server, another computer, a magnetic disk, an optical disk, a flash disk, or a removable hard disk, and may be downloaded or copied to a memory of a local device, or may be version-updated in a system of the local device, and when the program in the memory is executed by a processor, all or part of the functions in the above embodiments may be implemented.
The present invention has been described in terms of specific examples, which are provided to aid understanding of the invention and are not intended to be limiting. For a person skilled in the art to which the invention pertains, several simple deductions, modifications or substitutions may be made according to the idea of the invention.

Claims (10)

1. A secret key management method of a distributed password card is characterized by being applied to a server, wherein the server is connected with a plurality of password cards; each password card is arranged in a terminal;
the key management method comprises the following steps:
receiving one or more key requests, wherein the key requests comprise service identifications requesting cryptographic operations and cryptographic card identifications sending the key requests;
acquiring one or more keys corresponding to the service identification of the request cryptographic operation according to one or more key requests, wherein the keys correspond to the key requests one by one;
sending one or more keys to the corresponding password card according to the password card identifier; the key is used for carrying out cryptographic operation on the business process requesting the cryptographic operation.
2. The key management method of claim 1, wherein obtaining one or more keys corresponding to the service identifier of the requested cryptographic operation based on one or more of the key requests comprises:
and searching and acquiring a key matched with the service identifier of the request cryptographic operation in the key request in a memory according to one or more key requests.
3. The key management method according to claim 1 or 2, further comprising:
receiving a key deleting request, wherein the key deleting request comprises a key identifier to be deleted;
based on the key deletion request, searching and deleting a key corresponding to the key identifier to be deleted in a memory, and acquiring sending information of the key corresponding to the key identifier to be deleted within preset time, wherein the sending information comprises a password card identifier corresponding to a password card to which the key corresponding to the key identifier to be deleted is sent within preset time;
and generating and sending a deletion request to the corresponding password card based on the sending information of the key corresponding to the key identification to be deleted within the preset time so as to delete the key corresponding to the key identification to be deleted cached in the password card.
4. The key management method of claim 1, wherein, before receiving the one or more key requests, the method further comprises:
and acquiring and storing the equipment identity information of the multiple password cards, wherein the equipment identity information comprises password card identifications and password card public keys, and the equipment identity information corresponds to the password cards one to one.
5. The key management method of claim 4, wherein sending one or more of the keys to the corresponding cryptographic card based on the cryptographic card identification comprises:
acquiring a public key of the password card corresponding to the password card identification according to the password card identification;
and carrying out encryption protection on the corresponding key by using the public key of the password card, and sending the encrypted key to the corresponding password card.
6. A secret key management method of a distributed password card is characterized in that the secret key management method is applied to the password card, the password card is connected with a server, and the server is connected with a plurality of password cards; each password card is arranged in a terminal;
the key management method comprises the following steps:
receiving a key using request sent by a business process requesting cryptographic operation in the terminal, wherein the key using request comprises a business identifier requesting cryptographic operation;
judging, based on the key use request, whether the password card has cached a key corresponding to the service identifier requesting the cryptographic operation;
if the cache exists, directly acquiring a key corresponding to the service identifier requesting the cryptographic operation, and carrying out the cryptographic operation on the service process requesting the cryptographic operation based on the key;
if no cache exists, generating and sending the key request to the server; the key request comprises a service identifier requesting cryptographic operation and a cryptographic card identifier corresponding to the cryptographic card;
and receiving a secret key sent by the server, and carrying out cryptographic operation on the business process requesting the cryptographic operation based on the secret key.
7. The key management method of claim 6, wherein after receiving the key sent by the server, further comprising:
and caching the received key sent by the server.
8. The key management device of the distributed password card is characterized by being applied to a server, wherein the server is connected with a plurality of password cards; each password card is arranged in a terminal;
the key management apparatus includes:
a first receiving module, configured to receive one or more key requests, wherein the key requests comprise service identifications requesting cryptographic operation and password card identifications sending the key requests;
a first key obtaining module, configured to obtain, according to one or more key requests, one or more keys corresponding to service identifiers that request cryptographic operations, where the keys correspond to the key requests one to one;
the key sending module is used for sending one or more keys to the corresponding password cards according to the password card identifications; the secret key is used for carrying out cryptographic operation on the business process requesting the cryptographic operation.
9. A secret key management device of a distributed password card is characterized in that the secret key management device is applied to the password card, the password card is connected with a server, and the server is connected with a plurality of password cards; each password card is arranged in a terminal;
the key management apparatus includes:
the second receiving module is used for receiving a key using request sent by a business process requesting cryptographic operation in the terminal, wherein the key using request comprises a business identifier requesting cryptographic operation;
a judging module, configured to judge, based on the key use request, whether the password card has cached a key corresponding to the service identifier requesting the cryptographic operation;
the second key acquisition module is used for directly acquiring a key corresponding to the service identifier of the request cryptographic operation if the cache exists, and carrying out cryptographic operation on the service process of the request cryptographic operation based on the key corresponding to the service identifier of the request cryptographic operation;
a key request sending module, configured to generate and send the key request to the server if there is no cache; the key request comprises a service identifier requesting cryptographic operation and a cryptographic card identifier corresponding to the cryptographic card;
and the third key acquisition module is used for receiving the key sent by the server and carrying out cryptographic operation on the service process requesting the cryptographic operation based on the key.
10. A key management system of a distributed password card is characterized by comprising a plurality of password cards and a server, wherein the server is connected with the plurality of password cards; each password card is arranged in a terminal;
the server is configured to:
receiving one or more key requests, wherein the key requests comprise service identifications requesting cryptographic operations and cryptographic card identifications sending the key requests;
acquiring one or more keys corresponding to the service identification of the request cryptographic operation according to one or more key requests, wherein the keys correspond to the key requests one by one;
sending one or more keys to the corresponding password card according to the password card identifier; the secret key is used for carrying out cryptographic operation on the business process requesting the cryptographic operation;
the password card is used for:
receiving a key using request sent by a business process requesting cryptographic operation in the terminal, wherein the key using request comprises a business identifier requesting cryptographic operation;
judging, based on the key use request, whether the password card has cached a key corresponding to the service identifier requesting the cryptographic operation;
if the cache exists, directly acquiring a key corresponding to the service identifier requesting the cryptographic operation, and performing the cryptographic operation on the service process requesting the cryptographic operation based on the key corresponding to the service identifier requesting the cryptographic operation;
if no cache exists, generating and sending the key request to the server; the key request comprises a service identifier requesting cryptographic operation and a cryptographic card identifier corresponding to the cryptographic card;
and receiving a secret key sent by the server, and carrying out cryptographic operation on the business process requesting the cryptographic operation based on the secret key.
CN202210868461.5A 2022-07-22 2022-07-22 Key management method, device and system for distributed password card Pending CN115225269A (en)


Publications (1)

Publication Number Publication Date
CN115225269A true CN115225269A (en) 2022-10-21

Family

ID=83614278



Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116074003A (en) * 2023-03-06 2023-05-05 中安云科科技发展(山东)有限公司 Dynamic multithreading load balancing method and system for cipher machine and cipher machine
CN116074003B (en) * 2023-03-06 2023-06-20 中安云科科技发展(山东)有限公司 Dynamic multithreading load balancing method and system for cipher machine and cipher machine
CN116361776A (en) * 2023-05-30 2023-06-30 三未信安科技股份有限公司 Password card resource pooling management system, method, storage medium and product
CN116361776B (en) * 2023-05-30 2023-08-25 三未信安科技股份有限公司 Password card resource pooling management system, method, storage medium and product
CN117077123A (en) * 2023-08-18 2023-11-17 长春吉大正元信息技术股份有限公司 Service processing method and device for multiple password cards and electronic equipment
CN117319092A (en) * 2023-11-29 2023-12-29 杭州海康威视数字技术股份有限公司 Distributed key management method, device, password card and system
CN117319092B (en) * 2023-11-29 2024-02-09 杭州海康威视数字技术股份有限公司 Distributed key management method, device, password card and system
CN117834137A (en) * 2024-03-04 2024-04-05 深圳市纽创信安科技开发有限公司 Password card switching method, device, computer equipment and storage medium
CN117834137B (en) * 2024-03-04 2024-05-14 深圳市纽创信安科技开发有限公司 Password card switching method, device, computer equipment and storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination