CN1365214A - Cipher key managing method based on public cipher key system - Google Patents

Cipher key managing method based on public cipher key system Download PDF

Info

Publication number
CN1365214A
CN1365214A CN 01107422 CN01107422A CN1365214A CN 1365214 A CN1365214 A CN 1365214A CN 01107422 CN01107422 CN 01107422 CN 01107422 A CN01107422 A CN 01107422A CN 1365214 A CN1365214 A CN 1365214A
Authority
CN
China
Prior art keywords
key
safe
accelerator card
private key
cipher key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 01107422
Other languages
Chinese (zh)
Inventor
吴志强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZHONGXING INTEGRATED CIRCUIT DESIGN CO Ltd SHENZHEN CITY
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZHONGXING INTEGRATED CIRCUIT DESIGN CO Ltd SHENZHEN CITY filed Critical ZHONGXING INTEGRATED CIRCUIT DESIGN CO Ltd SHENZHEN CITY
Priority to CN 01107422 priority Critical patent/CN1365214A/en
Publication of CN1365214A publication Critical patent/CN1365214A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Lock And Its Accessories (AREA)

Abstract

The present invention is a kind of cipher key managing method based on public cipher key system. Random cipher key pair is generated in any one safe speeding card, and private key is stored in n distributive safe speeding cards. The private keys in n safe speeding cards are then stored to other shared n-1 safe speeding cards according to the threshold rule and algorithm in secret sharing cipher system. By means of the cipher key sharing system, the same cipher key is managed by multiple particles to ensure the safety of cipher key. While several speeding cards run in the same safe speeding system, the fault in any one speeding card will not affect the operation of the whole cipher system and this results in improved system reliability.

Description

A kind of key management method based on RSA arithmetic
The present invention relates to the cryptographic technique of information security, especially a kind of method that improves key management fail safe and reliability.
In information security field, the PKI that adopts RSA (a kind of public key algorithm) algorithm is the basic framework of information security running.But all the time, adopt that the computing of RSA signature needs a large amount of big several computings of many precision in the RSA Algorithm, arithmetic speed slow restricted the RSA Algorithm extensive use.(VirtualPrivate Net: Virtual Private Network) system applies occurs based on hard-wired RSA Montgomery Algorithm safety expedite product in a large number in this fast development in several years along with being based upon ecommerce under the public-key cryptography framework security platform and VPN.In these safe expedite product, it is principal mode that hardware PCI (Peripheral Component Interconnect), ISA (a kind of computer communication general line) encrypt integrated circuit board, the assurance of its fail safe generally realizes by following manner: (1) integrated circuit board is just realized hardware-accelerated, realizes key management by the main frame software processes; (2) key is stored in movably on the equipment by computer USB (Universal Serial Bus) mouthful or serial ports; (3) integrated circuit board produces key automatically, and key does not appear at outside the computer card with clear-text way, but by key in the plant maintenance integrated circuit boards such as IC-card.Its reliability generally realizes by following manner: (1) improves the fault-tolerance of software on the integrated circuit board; (2) safe accelerator card backup and cipher key backup realize Hot Spare mechanism.
Aspect fail safe: in above-mentioned three kinds of key management modes, though the third is safe cipher key management scheme, but still also there is certain safety defect: by some any special measures---as dynamic tracking integrated circuit board program, analyze means such as integrated circuit board algorithm, can from integrated circuit board, obtain key information.
Aspect reliability: adopt Hot Spare mechanism, key is placed on two integrated circuit boards simultaneously, increased the difficulty of secret key safety management, make fail safe further reduce.
Purpose of the present invention is intended to overcome above-mentioned the deficiencies in the prior art, proposes the key management method that a kind of fail safe is good, reliability is high.
Realize the technical scheme of above-mentioned purpose: a kind of key management method based on RSA arithmetic is that the distribute keys formula is stored in each safe accelerator card, and its distributed storage method comprises the steps:
(1) the generation random key is right in arbitrary safe accelerator card, and PKI is announced away;
(2) the private key d of cipher key pair is divided into n branch private key d=d at random according to the piece number of safety accelerator card 1+ d 2+ ... + d n(n 〉=3);
(3) deletion private key d;
(4) by IKE, dividing private key d i(i=1,2 ..., n) store in the i piece safety accelerator card;
(5) will divide private key d i(i=1,2 ..., (k, n) (wherein n 〉=2k-1) and algorithm are shared in other n-1 piece safety accelerator card that stores into except that i piece safety accelerator card by IKE n) to share thresholding rule in the cryptographic system according to secret.
When n=3, k=2, described step (5) comprises the steps:
A, will divide private key d 1, d 2, d 3Random division becomes d 1=d 11+ d 12, d 2=d 21+ 22, d 3=d 31+ d 32
B, by IKE, branch private key d 21d 31Share and store in the safe accelerator card 1, dividing private key d 11d 32Share and store in the safe accelerator card 2; Dividing private key d 12d 22Share and store in the safe accelerator card 3.
Adopt technique scheme, the significant technological progress of the present invention is: 1) because key is carried out distributed storage, whenever in any safe accelerator card whole key plain can not appear, pass through secret sharing scheme, in many ways manage same key simultaneously, make secret key safety be protected; 2) by character in the computing of mould power signature, when making compute signature, need not directly recover private key expressly, just can calculate the operation result of key; 3) because can be when lacking any safe accelerator card, can recover key information from other safe accelerator card, therefore, polylith safety accelerator card is the security of operation accelerating system simultaneously, the fault of any integrated circuit board can not influence whole encryption system operation, thereby has improved the reliability of system; 4) the distribute keys formula is stored in each piece safety accelerator card, itself just means and realized automatic cipher key backup; 5) from the security of operation accelerator card, recover key information, realized automatic key recovery.
Below by embodiment also in conjunction with the accompanying drawings, the present invention is further detailed explanation:
Fig. 1 is that the present invention adopts the key of three safe accelerator cards to split flow chart.
Embodiment: a kind of key management method based on RSA arithmetic, the distribute keys formula is stored in 3 safe accelerator cards: with reference to Fig. 1, in key management, safe accelerator card 1 is inner produce key to after, PKI can announce away that private key d then randomness is divided into d=d 1+ d 2+ d 3, delete private key d then, obtain branch private key d 1, d 2, d 3After, according to the thresholding rule (2,3) in the shared cryptographic system of secret, wherein a kind of special form is by d again 1=d 11+ d 12, d 2=d 21+ 22, d 3=d 31+ d 32, random division is passed through IKE then again, dividing private key d 2, d 11, d 32Deliver in the safe accelerator card 2, dividing private key d 3, d 12, d 22Deliver in the safe accelerator card 3,1 of safe accelerator card keeps d 1, d 21, d 31Information.After cutting apart by such key, any safe accelerator card does not all have the information of whole private key, and any two safe accelerator cards can obtain the information of private key simultaneously.System is S=s when calculating Montgomery Algorithm dModN according to three safe accelerator card computational burden, selects two idle relatively safe accelerator cards, is assumed to be accelerator card 1 and accelerator card 3, then calculates mould power S1=s respectively D1+d21ModN and S3=s D3+d22ModN is according to d=d 1+ d 21+ d 22+ d 3, obtain S=S1.S3modN, thereby need not recover the information of private key d, obtain the Montgomery Algorithm result.
Be without loss of generality, present embodiment is expanded to the key management method based on RSA arithmetic of general situation, comprise the steps:
(1) the generation random key is right in arbitrary safe accelerator card, and PKI is announced away;
(2) the private key d of cipher key pair is divided into n branch private key d=d at random according to the piece number of safety accelerator card 1+ d 2+ ... + d n(n>=3);
(3) deletion private key d;
(4) according to IKE, dividing private key d i(i=1,2 ..., n) store in the i piece safety accelerator card;
(5) will divide private key d i(i=1,2 ..., (k, n) (wherein n 〉=2k-1) and algorithm are shared in other n-1 piece safety accelerator card that stores into except that i piece safety accelerator card by IKE n) to share thresholding rule in the cryptographic system according to secret.
According to the method described above, guarantee from any k piece safety accelerator card, all can to obtain all key informations, thereby guarantee that system all can normally move when lacking any n-k piece safety accelerator card.
In sum, in encryption system, adopt the method for polylith safety accelerator card distributed storage private key of the present invention, make the private key separate storage to each minute private key memory cell, even obtained branch private key information in the k-1 piece safety accelerator card, can not obtain whole private key information, guarantee the fail safe of key; And, when any n-k piece safety accelerator card breaks down, can from other safe accelerator card, recover key information, not influence system runs well, and has guaranteed reliability of system operation.

Claims (2)

1, a kind of key management method based on RSA arithmetic is characterized in that: the distribute keys formula is stored in each safe accelerator card, and its distributed storage method comprises the steps:
(1) the generation random key is right in arbitrary safe accelerator card, and PKI is announced away;
(2) the private key d of cipher key pair is counted n according to the piece of safety accelerator card and be divided into n branch private key d=d at random 1+ d 2+ ... + d n(n 〉=3):
(3) deletion private key d;
(4) by IKE, dividing private key d i(i=1,2 ..., n) store in the i piece safety accelerator card;
(5) will divide private key d i(i=1,2 ..., (k, n) (wherein n 〉=2k-1) and algorithm are shared in other n-1 piece safety accelerator card that stores into except that i piece safety accelerator card by IKE n) to share thresholding rule in the cryptographic system according to secret.
2, a kind of key management method based on RSA arithmetic according to claim 1 is characterized in that when n=3, k=2, and described step (5) comprises the steps:
(1) will divide private key d 1, d 2, d 3Random division becomes d 1=d 11+ d 12, d 2=d 21+ 22, d 3=d 31+ d 32
(2) by IKE, dividing private key d 21d 31Share and store in the safe accelerator card 1, dividing private key d 11d 32Share and store in the safe accelerator card 2, dividing private key d 12d 22Share and store in the safe accelerator card 3.
CN 01107422 2001-01-09 2001-01-09 Cipher key managing method based on public cipher key system Pending CN1365214A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 01107422 CN1365214A (en) 2001-01-09 2001-01-09 Cipher key managing method based on public cipher key system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 01107422 CN1365214A (en) 2001-01-09 2001-01-09 Cipher key managing method based on public cipher key system

Publications (1)

Publication Number Publication Date
CN1365214A true CN1365214A (en) 2002-08-21

Family

ID=4656350

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 01107422 Pending CN1365214A (en) 2001-01-09 2001-01-09 Cipher key managing method based on public cipher key system

Country Status (1)

Country Link
CN (1) CN1365214A (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100456669C (en) * 2003-09-22 2009-01-28 华为技术有限公司 Method of distributing group secret keys
CN100466514C (en) * 2003-10-08 2009-03-04 三星电子株式会社 Weighted secret key sharing and reconstructing method
WO2010078825A1 (en) * 2009-01-06 2010-07-15 Shanghai Onbest Electronics Technology Co., Ltd. Secure key system
CN101099327B (en) * 2004-11-11 2011-08-24 塞尔蒂卡姆公司 Secure interface for versatile key derivation function support
CN101478538B (en) * 2008-12-31 2012-06-06 成都市华为赛门铁克科技有限公司 Storage method, apparatus or system for safety management device
CN102957534A (en) * 2011-08-19 2013-03-06 国民技术股份有限公司 Method and system for uniform identification of multiple terminals
CN103312494A (en) * 2012-03-14 2013-09-18 中国人民银行印制科学技术研究所 Data scatter storage method, data recovery method and data card
CN106341226A (en) * 2016-10-11 2017-01-18 山东渔翁信息技术股份有限公司 Data encryption and decryption method and system
CN106357401A (en) * 2016-11-11 2017-01-25 武汉理工大学 Private key storage method and private key use method
CN108471352A (en) * 2018-03-16 2018-08-31 数安时代科技股份有限公司 Processing method, system, computer equipment based on distributed private key and storage medium
CN109760942A (en) * 2018-11-29 2019-05-17 四川商通实业有限公司 A kind of wine bottle cover showing dynamic anti-counterfeiting code and its dynamic anti-fake method
CN113656806A (en) * 2020-07-08 2021-11-16 支付宝(杭州)信息技术有限公司 Trusted starting method and device of block chain all-in-one machine

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100456669C (en) * 2003-09-22 2009-01-28 华为技术有限公司 Method of distributing group secret keys
CN100466514C (en) * 2003-10-08 2009-03-04 三星电子株式会社 Weighted secret key sharing and reconstructing method
CN101099327B (en) * 2004-11-11 2011-08-24 塞尔蒂卡姆公司 Secure interface for versatile key derivation function support
CN101478538B (en) * 2008-12-31 2012-06-06 成都市华为赛门铁克科技有限公司 Storage method, apparatus or system for safety management device
WO2010078825A1 (en) * 2009-01-06 2010-07-15 Shanghai Onbest Electronics Technology Co., Ltd. Secure key system
CN102957534A (en) * 2011-08-19 2013-03-06 国民技术股份有限公司 Method and system for uniform identification of multiple terminals
CN102957534B (en) * 2011-08-19 2016-02-03 国民技术股份有限公司 The method and system of a kind of multiple terminals unified identity authentication
CN103312494A (en) * 2012-03-14 2013-09-18 中国人民银行印制科学技术研究所 Data scatter storage method, data recovery method and data card
CN106341226A (en) * 2016-10-11 2017-01-18 山东渔翁信息技术股份有限公司 Data encryption and decryption method and system
CN106341226B (en) * 2016-10-11 2018-12-18 山东渔翁信息技术股份有限公司 A kind of data encryption/decryption method and system
CN106357401A (en) * 2016-11-11 2017-01-25 武汉理工大学 Private key storage method and private key use method
CN106357401B (en) * 2016-11-11 2019-09-10 武汉理工大学 A kind of storage of private key and application method
CN108471352A (en) * 2018-03-16 2018-08-31 数安时代科技股份有限公司 Processing method, system, computer equipment based on distributed private key and storage medium
CN109760942A (en) * 2018-11-29 2019-05-17 四川商通实业有限公司 A kind of wine bottle cover showing dynamic anti-counterfeiting code and its dynamic anti-fake method
CN113656806A (en) * 2020-07-08 2021-11-16 支付宝(杭州)信息技术有限公司 Trusted starting method and device of block chain all-in-one machine
CN113656806B (en) * 2020-07-08 2024-05-03 支付宝(杭州)信息技术有限公司 Trusted starting method and device of block chain all-in-one machine

Similar Documents

Publication Publication Date Title
CN110825349B (en) Random number generation method, block chain node, system and medium
CN109299336B (en) Data backup method and device, storage medium and computing equipment
CN109474423B (en) Data encryption and decryption method, server and storage medium
CN1365214A (en) Cipher key managing method based on public cipher key system
CN107078903B (en) Ore digging method and device for block chain and node equipment
EP3454519A1 (en) Block generation method and device, and blockchain network
EP3267652B1 (en) Information sharing system, computer, and information sharing method
Maiyya et al. Database and distributed computing fundamentals for scalable, fault-tolerant, and consistent maintenance of blockchains
CN112732297A (en) Method and device for updating federal learning model, electronic equipment and storage medium
CN105162583A (en) Scatter method and system for single asymmetrical secret key pair, single-stage asymmetrical secret key pair and multistage asymmetrical secret key pair
CN103270546B (en) Signature creating device, signature generating method and recording medium
CN109165080A (en) Guard method, device and the physical machine of the online transition process internal storage data of virtual machine
CN115102699A (en) Data security deduplication and data recovery method, system, medium, device and terminal
CN110737725A (en) Electronic information inspection method, device, equipment, medium and system
CN114172659A (en) Message transmission method, device, equipment and storage medium in block chain system
CN104660399A (en) RSA modular exponentiation calculation method and device
CN114760073B (en) Block chain-based warehouse commodity distribution method and device, electronic equipment and medium
CN111611311B (en) Method and system for forming decentralised distributed database, electronic device and computer readable storage medium
CN115361131B (en) Ciphertext data calculation method and device and electronic equipment
CN116010360A (en) Similarity-based electric power text data storage method and device
CN101383823B (en) Network resource access control method in reliable access
CN112751675B (en) Information monitoring method, system, equipment and storage medium based on block chain
CN108923912B (en) Distributed electronic data information security method, device and system
CN106412915A (en) Pseudo-wireless access point identification method and system
CN112182598A (en) Public sample ID identification method, device, server and readable storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
ASS Succession or assignment of patent right

Owner name: ZTE CO., LTD.

Free format text: FORMER OWNER: ZHONGXING INTEGRATED CIRCUIT DESIGN CO. LTD., SHENZHEN CITY

Effective date: 20040423

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20040423

Address after: 518057 Department of law, Zhongxing building, South hi tech Industrial Park, Nanshan District hi tech Industrial Park, Guangdong, Shenzhen

Applicant after: ZTE Corporation

Address before: 518058, Nanshan District 1, Kirin Road, Guangdong, Shenzhen science and Technology Service Center, building nine

Applicant before: Zhongxing Integrated Circuit Design Co., Ltd., Shenzhen City

C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication