CN117478326A - Key escrow method, device, terminal equipment and storage medium - Google Patents


Info

Publication number: CN117478326A
Authority: CN (China)
Prior art keywords: key, address, equipment, random, type
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202311826485.5A
Other languages: Chinese (zh)
Other versions: CN117478326B (en)
Inventors: 周悦, 钟国辉, 刘敖
Current Assignee: Shenzhen Everything Safety Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Shenzhen Everything Safety Technology Co ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0891: Revocation or update of secret information, e.g. encryption key update or rekeying

Abstract

The application discloses a key escrow method, a device, terminal equipment and a storage medium. An address-random key table is generated through a random function algorithm, and the random key corresponding to a device address is obtained; the device login mode and the key modification method are obtained from the local address-type table and the local type-method table; and the original key of the device is updated using the random key corresponding to the device address, the device login mode and the key modification method. By automatically updating network device keys in batches at regular intervals, the scheme reduces the errors and risks of manual operation while ensuring the randomness and uniqueness of the keys, which improves the security of the system.

Description

Key escrow method, device, terminal equipment and storage medium
Technical Field
The present invention relates to the field of IT industry networks, and in particular, to a key escrow method, a device, a terminal device, and a storage medium.
Background
With the popularity and widespread use of cloud computing, more and more organizations migrate their data and applications to cloud platforms. This has led to a new need for key escrow to ensure secure management and protection of keys in cloud environments.
Currently, the main key escrow methods are manual key updating, bastion host key escrow, and browser key escrow. With manual key updating, keys are generated and updated by hand, and human error or negligence during the process may cause the key to be leaked or maliciously used. A bastion host can store and manage keys and requires the user to pass identity verification and authorization before obtaining and using a key, but the security of the key then depends heavily on the design and implementation of the bastion host: if its security measures are insufficient or it has vulnerabilities, the key can be stolen or abused. With browser key escrow, the browser automatically manages the generation, storage and use of keys, but a malicious plug-in or extension in the browser may gain access to the browser-hosted keys and misuse the user's sensitive information.
In summary, the existing key escrow technology has the problem of key leakage or malicious use caused by insufficient security measures.
Disclosure of Invention
The invention mainly aims to provide a key escrow method, a device, terminal equipment and a storage medium, which aim to solve the technical problem of key leakage or malicious use caused by insufficient security measures.
To achieve the above object, the present invention provides a key escrow method including:
generating an address-random key table through a random function algorithm, and acquiring a random key corresponding to the equipment address;
obtaining a device login mode and a key modification method according to the local address-type table and the local type-method table;
and updating the original key of the equipment through the random key corresponding to the equipment address, the equipment login mode and the key modification method.
Optionally, before the step of generating the address random key table by using the random function algorithm and obtaining the random key corresponding to the device address, the method further includes:
acquiring equipment information, wherein the equipment information comprises equipment addresses, equipment types, equipment login modes and a key modification method;
when the device information changes, updating a device address list, a device type list, a local address-key list, a local type-method list and a local address-type list so as to carry out the device original key updating operation subsequently.
Optionally, the step of obtaining the device login mode and the key modification method according to the local address-type table and the local type-method table includes:
Inquiring a local address-type table to obtain the type of the equipment and the login mode of the equipment;
and inquiring the local type-method table to obtain a key modification method corresponding to the equipment type.
Optionally, the step of updating the device key by the random key corresponding to the device address, the device login mode and the key modification method includes:
according to the equipment login mode, performing equipment identity verification;
if the equipment identity verification is successful, successfully logging in the equipment;
and according to the key modification method, the random key corresponding to the device address is used for covering the original key of the device.
Optionally, after the step of updating the device key by the random key corresponding to the device address, the login mode and the key modification method, the method further includes:
updating the local address-key table according to the updated device key;
the updated local address-key table is stored in a local database for subsequent device authentication and key management.
Optionally, the step of generating an address-random key table and obtaining a random key corresponding to the device address through a random function algorithm includes:
Generating an address-random key through a random function algorithm;
adding the address-random key to an address-random key table;
and acquiring a random key corresponding to the equipment address by inquiring the address-random key table.
Optionally, after the step of obtaining the random key corresponding to the device address by querying the address-random key table, the method further includes:
and storing the random key corresponding to the equipment address into a local address-key table so as to retrieve the random key corresponding to the equipment type from the local address-key table and update the original key of the equipment.
The embodiment of the application also provides a key escrow device, which comprises:
the generation module is used for generating an address random key table through a random function algorithm and acquiring a random key corresponding to the equipment address;
the authentication management module is used for obtaining a device login mode and a key modification method according to the local address-type table and the local type-method table;
and the updating module is used for updating the original key of the equipment through the random key corresponding to the equipment address, the equipment login mode and the key modification method.
The embodiment of the application also provides a key escrow terminal device, which comprises: a memory, a processor, and a key escrow program stored on the memory and executable on the processor, the key escrow program configured to implement the steps of the key escrow method as described above.
The embodiment of the application also provides a storage medium, wherein a key escrow program is stored on the storage medium, and the key escrow program realizes the steps of the key escrow method when being executed by a processor.
The key escrow method, the device, the terminal equipment and the storage medium provided by the embodiment of the application generate an address-random key table through a random function algorithm and acquire a random key corresponding to the equipment address; obtaining a device login mode and a key modification method according to the local address-type table and the local type-method table; and updating the original key of the equipment through the random key corresponding to the equipment address, the equipment login mode and the key modification method. According to the scheme, the network equipment key is automatically updated in batches at regular intervals, so that errors and risks of manual operation can be reduced, meanwhile, randomness and uniqueness of the key are ensured, and the safety of the system is improved.
Drawings
FIG. 1 is a schematic diagram of functional modules related to a terminal device to which a key escrow device belongs in the present application;
FIG. 2 is a flow chart of a first exemplary embodiment of a key escrow method of the present application;
FIG. 3 is a flow chart of a second exemplary embodiment of a key escrow method of the present application;
FIG. 4 is a flow chart of a third exemplary embodiment of a key escrow method of the present application;
FIG. 5 is a flow chart of a fourth exemplary embodiment of a key escrow method of the present application.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The main solutions of the embodiments of the present application are: generating an address-random key table through a random function algorithm, and acquiring a random key corresponding to the equipment address; obtaining a device login mode and a key modification method according to the local address-type table and the local type-method table; and updating the original key of the equipment through the random key corresponding to the equipment address, the equipment login mode and the key modification method. According to the scheme, the network equipment key is automatically updated in batches at regular intervals, so that errors and risks of manual operation can be reduced, meanwhile, randomness and uniqueness of the key are ensured, and the safety of the system is improved.
The embodiments of the application take into account that, in the conventional related technology, keys are leaked or maliciously used because of human error or loopholes in security measures.
Based on the above, the embodiment of the application provides a solution, which can automatically update the network device key in batches at regular intervals, improve the security of key escrow and reduce the risks of key leakage and malicious use.
Specifically, referring to fig. 1, fig. 1 is a schematic functional block diagram of a terminal device to which a key escrow device of the present application belongs. The key escrow device may be a device independent of the terminal device, capable of data processing, which may be carried on the terminal device in the form of hardware or software. The terminal equipment can be equipment with certain computing and data processing capabilities such as personal computers, mobile phones and servers. The embodiments of the present application are illustrated with a personal computer.
In this embodiment, the terminal device of the key escrow apparatus includes at least a generating module 110, a processor 120, a memory 130, and a management module 140.
The memory 130 stores an operating system and a key escrow program, and the key escrow apparatus may store device-related information, a key, and a task of updating the key in the memory 130; the generation module 110 generates a secure key according to specific algorithms and parameters; the management module 140 includes functions of updating, revoking, backing up, etc. of the key, and rights management and auditing functions of the key.
Wherein the key escrow method program in the memory 130 when executed by the processor 120 performs the steps of:
generating an address-random key table through a random function algorithm, and acquiring a random key corresponding to the equipment address;
obtaining a device login mode and a key modification method according to the local address-type table and the local type-method table;
and updating the original key of the equipment through the random key corresponding to the equipment address, the equipment login mode and the key modification method.
Further, the key escrow method program in the memory 130 when executed by the processor 120 also performs the steps of:
acquiring equipment information, wherein the equipment information comprises equipment addresses, equipment types, equipment login modes and a key modification method;
when the device information changes, updating a device address list, a device type list, a local address-key list, a local type-method list and a local address-type list so as to carry out the device original key updating operation subsequently.
Further, the key escrow method program in the memory 130 when executed by the processor 120 also performs the steps of:
inquiring a local address-type table to obtain the type of the equipment and the login mode of the equipment;
And inquiring the local type-method table to obtain a key modification method corresponding to the equipment type.
Further, the key escrow method program in the memory 130 when executed by the processor 120 also performs the steps of:
according to the equipment login mode, performing equipment identity verification;
if the equipment identity verification is successful, successfully logging in the equipment;
and according to the key modification method, the random key corresponding to the device address is used for covering the original key of the device.
Further, the key escrow method program in the memory 130 when executed by the processor 120 also performs the steps of:
updating the local address-key table according to the updated device key;
the updated local address-key table is stored in a local database for subsequent device authentication and key management.
Further, the key escrow method program in the memory 130 when executed by the processor 120 also performs the steps of:
generating an address-random key through a random function algorithm;
adding the address-random key to an address-random key table;
and acquiring a random key corresponding to the equipment address by inquiring the address-random key table.
Further, the key escrow method program in the memory 130 when executed by the processor 120 also performs the steps of:
and storing the random key corresponding to the equipment address into a local address-key table so as to retrieve the random key corresponding to the equipment type from the local address-key table and update the original key of the equipment.
According to the scheme, an address-random key table is generated through a random function algorithm, and a random key corresponding to the equipment address is obtained; obtaining a device login mode and a key modification method according to the local address-type table and the local type-method table; and updating the original key of the equipment through the random key corresponding to the equipment address, the equipment login mode and the key modification method. According to the scheme, the network equipment key is automatically updated in batches at regular intervals, so that errors and risks of manual operation can be reduced, meanwhile, randomness and uniqueness of the key are ensured, and the safety of the system is improved.
Based on the above terminal device architecture, but not limited to the above architecture, the method embodiments of the present application are presented.
Referring to fig. 2, fig. 2 is a schematic flow chart of a first exemplary embodiment of a key escrow method according to the present application. The key escrow method comprises the following steps:
Step S10, an address-random key table is generated through a random function algorithm, and a random key corresponding to the device address is obtained.
The random function algorithm is an algorithm for generating random numbers, and may include a pseudo-random number generator, a true random number generator and a cryptographic random number generator.
The address-random key table is a table or data structure that stores addresses and their corresponding random keys, so that the key for a given address can be looked up quickly for encryption, decryption, signing, verification and other operations.
In current key escrow methods, keys are often leaked or maliciously abused because of a low level of security or human error.
To ensure the security of the key and reduce the risk of its disclosure and abuse, this embodiment proposes centrally managing the devices' key modification methods and keys, so as to improve the security and reliability of the keys.
In this embodiment, it is necessary to first generate an address-random key table by a random function algorithm and acquire a random key corresponding to the device address.
Specifically, a task for periodically updating the key is first added to the task list of the main control computer. To do so, enter the task management interface or console of the main control computer, find the option for adding a task in the task list (or click the button that opens the new-task interface), set the task name, for example "periodical update key", and select the task trigger condition, which can be a timed trigger or an event trigger. This embodiment uses a timed trigger, executed for example daily, weekly or monthly.
In the task's execution action, add the operation that updates the key; this may be a command that invokes a key update function or script. Then set the time point or time interval for task execution according to the selected timed trigger condition.
When the task of periodically updating the key is initiated, the range of device addresses, e.g., from 1 to N, is first validated.
A random key is then generated for each device address using a random function algorithm. This key will be used to encrypt and decrypt communication data between the devices. The random function algorithm may be a pseudo-random number generation algorithm commonly used in cryptography, such as AES-CTR (Advanced Encryption Standard, Counter Mode), SHA256 (Secure Hash Algorithm, 256-bit), and the like.
The master then adds the generated address-random key to the address-random key table to establish a correspondence between the device address and the random key. Each row in the address-random key table represents a device address and its corresponding random key. The table may be structured as key-value pairs, with the address as the key and the random key as the value.
And storing the random key corresponding to the equipment address into a local address-key table. When the original key of the device needs to be updated, the master control can acquire the corresponding random key from the local address-key table according to the address of the device.
Through the steps, the corresponding random key can be quickly acquired according to the address of the equipment, and meanwhile, the complexity of the key is increased and the security of the key is improved because the key is randomly generated.
Step S20, obtaining a device login mode and a key modification method according to the local address-type table and the local type-method table.
To periodically update the keys of devices at different IP addresses, the device login mode and the key modification method must also be obtained from the local address-type table and the local type-method table; the device is then logged in to using the device login mode, and its original key can be updated using the key modification method.
Specifically, the local address-type table is a table or database that records device addresses and the corresponding device types. By querying the local address-type table, device type information can be obtained from the device's address.
The device type may be one of some predefined classifications, such as cameras, sensors, door locks, etc. The device login mode may be a user name and password, a certificate, an API (Application Programming Interface) key, etc.
Then, when the local address-type table is queried, the corresponding device type and device login mode can be found according to the address of the device.
The local type-method table is a table or database that records device types and the corresponding key modification methods. By querying the local type-method table, the key modification method corresponding to the device can be obtained according to the type of the device.
The key modification method refers to specific steps and operations for updating a device key. Different device types may have different key modification methods.
When querying the local type-method table, a corresponding key modification method can be found according to the type of the device.
Finally, the key modification may also be performed through a device management interface, or through a specific command or protocol.
Through the above steps, the device login mode and the key modification method can be obtained according to the local address-type table, thereby realizing the update and management of the device key.
Step S30, the original secret key of the equipment is updated through the random secret key corresponding to the equipment address, the equipment login mode and the secret key modification method.
Specifically, the device identity verification is performed according to a login mode corresponding to the device address, such as a user name and a password. This may be accomplished by sending a login request to the device and providing the corresponding credentials.
The device then verifies that the provided credentials match the credentials stored in the device after receiving the login request. If the verification is successful, the device identity verification is successful.
Once the device identity verification succeeds, the device is considered logged in, and subsequent operations such as updating the original key of the device can be performed. The original key of the device is updated as follows.
First, the key modification method obtained for the device type recorded in the local address-type table determines how the random key corresponding to the device is used to overwrite the original password of the device.
Then, according to the key modification method, the random key corresponding to the device is applied to the device to cover the original password. This may be accomplished through a device management interface, specific commands, or protocols.
Finally, the completion of the key modification operation is confirmed, and whether the corresponding random key is successfully applied to the device is verified.
Through the above steps, device identity verification is performed according to the device login mode, and if the verification succeeds, the device is logged in. The original key of the device is then overwritten with the random key corresponding to the device address, according to the key modification method. This can increase the security of the device and help prevent unauthorized access and attacks.
Further, referring to fig. 3, fig. 3 is a schematic flow chart of a second exemplary embodiment of the key escrow method of the present application. In this embodiment, based on the step S10, before generating the address-random key table by using a random function algorithm and obtaining the random key corresponding to the device address, the method further includes:
step S101, acquiring equipment information, wherein the equipment information comprises equipment addresses, equipment types, equipment login modes and a key modification method;
step S102, when the device information changes, updating a device address list, a device type list, a local address-key list, a local type-method list and a local address-type list so as to carry out the device original key updating operation subsequently.
The device address is a unique identifier or network address used to identify and locate the device. It may be a physical address, such as a MAC (Media Access Control) address, or a logical address, such as an IP address.
The device type refers to a category or class to which the device belongs. It is used to distinguish between different types of devices for management, configuration and operation.
To centrally manage and protect the keys, provide a flexible way of updating them and simplify the key management flow, this embodiment provides the following solution. Before the address-random key table is generated by the random function algorithm and the random key corresponding to a device address is acquired, a new device that joins the network first reports its information parameters, such as its device address, device type, device login mode and key modification method, to the main control computer.
When the device information changes, the master may update the device address list, the device type list, the local address-key table, the local type-method table, and the local address-type table.
Specifically, a list of device addresses is maintained, and address information of all known devices is recorded. When the address of the device changes, the address information of the corresponding device in the list is updated.
A list of device types is maintained, recording the type information of all known devices. When the device type changes, the type information of the corresponding device in the list is updated.
A local address-key table is maintained, recording the device address and corresponding key information. When the address of the device changes, the address information of the corresponding device in the table is updated.
A local type-method table is maintained, recording device types and corresponding key modification methods. When the device type changes, the type information of the corresponding device in the table is updated.
A local address-type table is maintained, recording device addresses and corresponding device type information. When the device type or the device address changes, the type information of the corresponding device in the table is updated.
By the method, the local device address list, the device type list, the address-key list, the type-method list and the address-type list are updated, the accuracy and consistency of the device information are ensured, and necessary information and basis are provided for the subsequent device original key updating operation.
Further, referring to FIG. 4, FIG. 4 is a schematic flow chart of a third exemplary embodiment of the key escrow method of the present application. In this embodiment, based on the step S20, the step of obtaining the device login mode and the key modification method according to the local address-type table is further refined, and includes:
Step S21, inquiring a local address-type table to obtain a device type and a device login mode;
step S22, inquiring a local type-method table to obtain a key modification method corresponding to the equipment type.
Wherein the local address-type table is a mapping table recording device addresses and corresponding device types;
the local type-method table is a table or database that records the device type and corresponding key modification methods. It is used to store the mapping relationship between the device type and the device key modification method.
Specifically, when the device type and the device login mode need to be queried, the device address is used as the query condition to search the local address-type table for the corresponding device type. The query may be implemented using a data query language or a query function in a programming language.
The query returns the device type and the device login mode corresponding to the device address. The device type may be one of a predetermined set of values, such as "camera", "sensor", "door lock", etc.; the device login mode may be "user name password", "API key", "OAuth (Open Authorization)", or the like. The device login mode can be a character string or another data structure.
Because the device type table includes the name or identifier of the device type, the description or method name of the device login mode, the key modification method and other parameters, the key modification method corresponding to the device type can be obtained simply by querying the local type-method table according to the device type.
In the local type-method table, each row records the mapping between a device type, the device login mode and the key modification method, so the query returns the key modification method corresponding to the device type.
The device type is exemplified by a printer, a camera, and a sensor.
For example, the local addresses corresponding to the printer, the camera and the sensor can be "192.168.1.1", "192.168.1.2" and "192.168.1.3", respectively; the corresponding device login modes are "user password login", "API key login" and "no login"; the corresponding key modification methods are "USB connection", "Web interface" and "no modification", respectively.
If the device address is "192.168.1.1", the corresponding device type and device login mode are looked up in the local address-type table. The record with device address "192.168.1.1" is found there: the device type is printer, and the device login mode is "user password login". The key modification method is then looked up in the local type-method table by the device type printer; the record for the printer is found, and the corresponding key modification method is "USB connection".
If the device address is "192.168.1.2", the corresponding device type and device login mode are looked up in the local address-type table. The record with device address "192.168.1.2" is found there: the device type is camera, and the device login mode is "API key login". The key modification method is then looked up in the local type-method table by the device type camera; the record for the camera is found, and the corresponding key modification method is "Web interface".
If the device address is "192.168.1.3", the corresponding device type and device login mode are looked up in the local address-type table. The record with device address "192.168.1.3" is found there: the device type is sensor, and the device login mode is "no login". The key modification method is then looked up in the local type-method table by the device type sensor; the record for the sensor is found, and the corresponding key modification method is "no modification".
Through the method of the embodiment, the type and the login mode of the equipment can be queried according to the local address of the equipment, and then the corresponding key modification method is queried according to the type of the equipment. In this way, the key information of the device can be managed and updated conveniently.
Further, refer to Fig. 5, which is a schematic flowchart of a fourth exemplary embodiment of the key escrow method of the present application. In this embodiment, based on step S30, after the original key of the device is updated using the random key corresponding to the device address, the device login mode and the key modification method, the method further includes:
Step S301, updating the local address-key table according to the updated device key;
Step S302, storing the updated local address-key table in the local database for subsequent device authentication and key management.
Compared with the above embodiments, this embodiment additionally includes a method for updating the local address-key table.
To keep communication between devices secure and to prevent unauthorized devices from accessing the system, the local address-key table on the main control computer must also be updated after the key update is completed.
Specifically, the main control computer first obtains the local address of the updated device and uses it to find the corresponding key information in the local address-key table.
The key field in that record is then updated to the new device key, which ensures that the device key stored in the local address-key table is up to date.
Finally, a table is created in the local database for storing the records of the local address-key table, and the records of the updated local address-key table are inserted into it. The updated local address-key table is thus stored in the local database for subsequent device authentication and key management.
With the method of this embodiment, the local address-key table can be updated according to the updated device key, and the updated table is stored in the local database. This ensures the accuracy and security of the device key and facilitates subsequent device authentication and key management operations.
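The address-to-type-to-method lookup and the local address-key table update from the two embodiments above, as an added example in Python (not code from the patent). The table and column names, the `FakeDevice` stand-in and the sample rows are assumptions; the new key comes from the `secrets` CSPRNG, and the table is written only after the device accepts the new key, so a failed update leaves the stored key matching the device.

```python
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE address_type (address TEXT PRIMARY KEY, device_type TEXT, login_mode TEXT);
CREATE TABLE type_method  (device_type TEXT PRIMARY KEY, key_method TEXT);
CREATE TABLE address_key  (address TEXT PRIMARY KEY, device_key TEXT);
"""
# Constructed rows mirroring the printer / camera / sensor example in the text.
ADDRESS_TYPE = [
    ("192.168.1.1", "printer", "user password login"),
    ("192.168.1.2", "camera", "API key login"),
    ("192.168.1.3", "sensor", "no login required"),
]
TYPE_METHOD = [
    ("printer", "USB connection"),
    ("camera", "Web interface"),
    ("sensor", "no modification required"),
]
NO_CHANGE = "no modification required"


class FakeDevice:
    """Hypothetical stand-in for a real device: holds one key, checks it on login."""

    def __init__(self, key, reject_update=False):
        self.key = key
        self.reject_update = reject_update

    def login(self, presented_key):
        # Constant-time comparison of the presented key with the device's key.
        return secrets.compare_digest(self.key, presented_key)

    def set_key(self, new_key):
        if self.reject_update:  # simulates a device that refuses the change
            return False
        self.key = new_key
        return True


def open_escrow(initial_keys):
    """Build the three local tables in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO address_type VALUES (?, ?, ?)", ADDRESS_TYPE)
    db.executemany("INSERT INTO type_method VALUES (?, ?)", TYPE_METHOD)
    db.executemany("INSERT INTO address_key VALUES (?, ?)", list(initial_keys.items()))
    db.commit()
    return db


def lookup(db, address):
    """address -> (device_type, login_mode, key_method), or None if unknown."""
    return db.execute(
        "SELECT a.device_type, a.login_mode, m.key_method "
        "FROM address_type a JOIN type_method m ON m.device_type = a.device_type "
        "WHERE a.address = ?",
        (address,),
    ).fetchone()


def rotate(db, address, device):
    """Rotate one device key and return a status string."""
    row = lookup(db, address)
    if row is None:
        return "unknown address"
    if row[2] == NO_CHANGE:
        return "skipped"
    key_row = db.execute(
        "SELECT device_key FROM address_key WHERE address = ?", (address,)
    ).fetchone()
    if key_row is None or not device.login(key_row[0]):
        return "login failed"
    new_key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    # Change the key on the device, then prove the new key works before
    # touching the table, so the table never holds a key the device rejects.
    if not device.set_key(new_key) or not device.login(new_key):
        return "update failed"
    with db:  # commits on success, rolls back on exception
        db.execute(
            "UPDATE address_key SET device_key = ? WHERE address = ?",
            (new_key, address),
        )
    return "rotated"
```

In a deployment the `device_key` column would hold keys encrypted at rest; the example stores them in the clear only to keep the flow visible.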
The method of the embodiment of the present application is described in detail below in conjunction with a specific scenario.
For example, consider a smart home system that includes a plurality of devices, such as smart door locks, smart cameras and smart light bulbs. These devices are authenticated by local address and key, and their keys are updated periodically in batches to improve the security of the system network.
Specifically, the smart home system generally uses a wireless communication protocol, such as Wi-Fi, Bluetooth, Zigbee or LoRa (Long Range), to communicate with the main control computer. These protocols allow devices to communicate without physical connections, enabling remote control and automation. A device may also be connected to the main control computer by wired communication, such as Ethernet or power line communication.
Each device then needs to register locally. This includes assigning a unique local address and generating an original key. The device sends its own device information, such as device type, model, etc., as well as the local address and original key to the server of the smart home system for registration.
When each device joins the network, it reports device information parameters such as the device address, device type, device login mode and key modification method to the main control computer. For example, when the smart camera joins the network, the device address reported to the main control computer contains the original key of the camera, so as to ensure that only authorized devices can access the camera's data. The device type includes the login mode of the camera, such as user name, password or fingerprint identification, and the key modification method.
After the main control computer has received device information parameters such as the device address, device type, device login mode and key modification method, whenever the device information changes it automatically updates the device address list, the device type list, the local address-key table, the local type-method table and the local address-type table, so that the original key of the device can be updated subsequently.
The user can then add periodic key update tasks to the task list of the main control computer, for example updating the key of the smart camera every other day and the key of the smart door lock every other two days. Alternatively, the update may be triggered by an event, for example automatically updating the key when the smart camera detects abnormal behavior, or when an illegal attempt is made to unlock the smart door lock.
When the main control computer performs a key update task for a single address, the specific operation flow is as follows.
In order to ensure security and privacy of communications, encryption and decryption operations are typically performed using random keys.
First, the main control computer may use a random function algorithm (e.g., a pseudo-random number generator) to generate a random key for each device address. For example, the device addresses of the smart camera, the smart door lock and the smart light bulb are "Camera1", "Lock1" and "Light1", respectively. The random keys generated for them by the random function algorithm are "abc123", "xyz789" and "123456", respectively.
It also creates an address-random key table for storing the device addresses and the corresponding random keys. Each row in the table represents one device address and its corresponding random key.
When the main control computer receives input device address data, it looks up that device address in the address-random key table and finds the corresponding random key.
Then the local address-type table associated with the address-random key table is obtained. It contains the local addresses of the smart camera, the smart door lock and the smart light bulb, which are "Camera1", "Lock1" and "Light1", respectively.
Next, the local address-type table is queried: the device address is determined, and the corresponding device type and related information are looked up in the local address-type table by device address.
The login mode of the device is determined from the device type recorded in the local address-type table. For example, the smart camera may be logged in to with a user name and password, and the smart door lock may be logged in to by authenticating the user through facial recognition.
The corresponding key modification method is obtained from the device type recorded in the local address-type table.
Once device authentication succeeds, the login to the device is considered successful. Subsequent operations, such as updating the original key of the device, can then be performed. Specifically, the original key of the device is updated as follows.
For the smart camera "Camera1", open the control application of the smart camera. Find the key update option or setting, which is usually under device settings or security settings. Enter the random key "abc123" corresponding to the device address, overwrite the original key with it, and save the setting. Finally, confirm whether the key was updated successfully.
For the smart door lock "Lock1", open the control application of the smart door lock. Find the key update option or setting, which is usually under device settings or security settings. Enter the random key "xyz789" corresponding to the device address, overwrite the original key with it, and save the setting. Finally, confirm whether the key was updated successfully.
For the smart light bulb "Light1", open the control application of the smart light bulb. Find the key update option or setting, which is usually under device settings or security settings. Enter the random key "123456" corresponding to the device address, overwrite the original key with it, and save the setting. Finally, confirm whether the key was updated successfully.
After the remote device key update is completed, the main control computer also obtains the local address of the updated device and uses it to find the corresponding key information in the local address-key table.
It then updates the key field in that record to the new device key, which ensures that the device key stored in the local address-key table is up to date.
Finally, a table is created in the local database for storing the records of the local address-key table, and the records of the updated local address-key table are inserted into it. The updated local address-key table is thus stored in the local database for subsequent device authentication and key management.
In this way, updating the keys of the smart home devices improves device security, prevents unauthorized access, simplifies the key update process, and makes the devices easier to manage and maintain. This is very important for protecting users' privacy and data security in the smart home system, and it also improves the overall security and reliability of the system.
In the scheme of this embodiment, an address-random key table is generated by a random function algorithm and the random key corresponding to the device address is obtained; the device login mode and the key modification method are obtained from the local address-type table and the local type-method table; and the original key of the device is updated using the random key corresponding to the device address, the device login mode and the key modification method. Because the scheme updates network device keys automatically, periodically and in batches, it reduces the errors and risks of manual operation while ensuring the randomness and uniqueness of the keys, which improves both the security of the network devices and the convenience of key management.
In addition, the embodiment also provides a key escrow device, which comprises:
For the principle and implementation process of key escrow in this embodiment, please refer to the above embodiments; they are not repeated here.
In addition, the embodiment of the application also provides a key escrow terminal device, which comprises: a memory, a processor, and a key escrow program stored on the memory and executable on the processor, the key escrow program configured to implement the steps of the error log analysis method as described above.
Because the key escrow program is executed by the processor, all the technical solutions of all the embodiments are adopted, and therefore, at least all the beneficial effects brought by all the technical solutions of all the embodiments are provided, and are not described in detail herein.
In addition, the embodiment of the application also provides a storage medium, wherein a key escrow program is stored on the storage medium, and the key escrow program realizes the steps of the key escrow method when being executed by a processor.
Because the key escrow program is executed by the processor, all the technical solutions of all the embodiments are adopted, and therefore, at least all the beneficial effects brought by all the technical solutions of all the embodiments are provided, and are not described in detail herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of embodiments, it will be clear to a person skilled in the art that the above embodiment method may be implemented by means of software plus a necessary general hardware platform, but may of course also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) as described above, comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (10)

1. A key escrow method, characterized in that the key escrow method comprises the steps of:
generating an address-random key table through a random function algorithm, and acquiring a random key corresponding to the equipment address;
obtaining a device login mode and a key modification method according to the local address-type table and the local type-method table;
and updating the original key of the equipment through the random key corresponding to the equipment address, the equipment login mode and the key modification method.
2. The key escrow method of claim 1, wherein before the step of generating the address-random key table by a random function algorithm and obtaining the random key corresponding to the device address, further comprising:
acquiring equipment information, wherein the equipment information comprises equipment addresses, equipment types, equipment login modes and a key modification method;
when the device information changes, updating a device address list, a device type list, a local address-key table, a local type-method table and a local address-type table, so that the original key of the device can be updated subsequently.
3. The key escrow method of claim 2, wherein the step of obtaining the device login mode and the key modification method according to the local address-type table and the local type-method table comprises:
inquiring a local address-type table to obtain the type of the equipment and the login mode of the equipment;
and inquiring a local type-method table to obtain a key modification method corresponding to the equipment type.
4. A method according to any one of claims 2-3, wherein the step of updating the device key by means of the random key corresponding to the device address, the device login method, and the key modification method comprises:
according to the equipment login mode, performing equipment identity verification;
if the equipment identity verification is successful, successfully logging in the equipment;
and according to the key modification method, the random key corresponding to the device address is used for covering the original key of the device.
5. The key escrow method of claim 4, wherein after the step of updating the device key by the random key corresponding to the device address, the login method, and the key modification method, further comprising:
updating the local address-key table according to the updated device key;
the updated local address-key table is stored in a local database for subsequent device authentication and key management.
6. The key escrow method of claim 1, wherein the step of generating an address-random key table by a random function algorithm and obtaining a random key corresponding to the device address comprises:
generating an address-random key through a random function algorithm;
adding the address-random key to an address-random key table;
and acquiring a random key corresponding to the equipment address by inquiring the address-random key table.
7. The key escrow method of claim 6, wherein after the step of obtaining the random key corresponding to the device address by querying the address-random key table, further comprising:
and storing the random key corresponding to the equipment address into a local address-key table so as to retrieve the random key corresponding to the equipment type from the local address-key table and update the original key of the equipment.
8. A key escrow device, the key escrow device comprising:
the generation module is used for generating an address-random key table through a random function algorithm and acquiring a random key corresponding to the equipment address;
the authentication management module is used for obtaining a device login mode and a key modification method according to the local address-type table and the local type-method table;
and the updating module is used for updating the original key of the equipment through the random key corresponding to the equipment address, the equipment login mode and the key modification method.
9. A key escrow terminal device, the key escrow terminal device comprising: a memory, a processor, and a key escrow program stored on the memory and executable on the processor, the key escrow program configured to implement the steps of the key escrow method of any one of claims 1 to 7.
10. A storage medium having stored thereon a key escrow program, which when executed by a processor, implements the steps of the key escrow method of any of claims 1 to 7.
CN202311826485.5A 2023-12-28 2023-12-28 Key escrow method, device, terminal equipment and storage medium Active CN117478326B (en)

Publications (2)

Publication Number Publication Date
CN117478326A true CN117478326A (en) 2024-01-30
CN117478326B CN117478326B (en) 2024-04-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant