CN101437145A - Safety management method and apparatus for layering cipher key, and enciphering/deciphering device - Google Patents


Info

Publication number
CN101437145A
Authority
CN
China
Prior art keywords
layering
cipher key
cipher
local
encryption
Prior art date
Legal status
Granted
Application number
CNA2008102404216A
Other languages
Chinese (zh)
Other versions
CN101437145B (en)
Inventor
胡勇新
张晶
相全双
Current Assignee
BEIJING NOVEL-SUPERTV DIGITAL TV TECHNOLOGY Co Ltd
Original Assignee
BEIJING NOVEL-SUPERTV DIGITAL TV TECHNOLOGY Co Ltd
Application filed by BEIJING NOVEL-SUPERTV DIGITAL TV TECHNOLOGY Co Ltd
Priority to CN2008102404216A
Publication of CN101437145A
Application granted
Publication of CN101437145B
Legal status: Active
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a method and an apparatus for the security management of a layered key, and an encryption/decryption device. The method comprises: generating a locally encrypted layered-key ciphertext in response to a layered-key generation request sent by a key management unit, and sending that locally encrypted ciphertext to the key management unit for storage. The method, apparatus and encryption/decryption device of the embodiments remedy the shortcoming of a general-purpose encryption device and its external key management system in layered-key security management, and ensure that a key never appears in plaintext outside the general-purpose encryption device.

Description

A layered-key security management method, apparatus and encryption/decryption device
Technical field
The present invention relates to layered keys in conditional access systems for digital television, and in particular to a layered-key security management method, apparatus and encryption/decryption device.
Background art
Keys are used in more and more fields to achieve secure storage, and the layered key is a representative case. A layered key is a key in a multi-layer key system: the key used to encrypt content is the bottom-layer key, the key of every other layer is used to encrypt the key one layer below it, and the top-layer key is the core of the whole key system. Because the bottom-layer key, which is used most, is changed frequently, while higher-layer keys are used rarely, an attacker's task becomes much harder. Since this multi-layer key system greatly strengthens the reliability of the cryptosystem, layered keys are widely used in a growing number of fields, most notably in digital-television conditional access systems, and the security of layered-key management has accordingly attracted more and more attention.
At present, layered-key security management is implemented mainly in two ways: with a dedicated encryption device, or with a general-purpose encryption device and its external key management system. In the course of making the invention the inventors found the following. With a dedicated encryption device, all security management of layered keys is carried out inside the device and key plaintext never appears outside it, which achieves the security goal; but because the layered-key management service such a device provides is built for one particular field or company, it cannot be reused as a layered-key management service in other fields. With a general-purpose encryption device and its external key management system, the service is not tied to a particular field or company, but data to be processed from outside must enter the general-purpose device in plaintext; if the data to be processed is a key, as a layered key is, the key plaintext is exposed to the danger of leakage outside the general-purpose encryption device.
Summary of the invention
The main purpose of the embodiments of the invention is to provide a layered-key security management method, apparatus and encryption/decryption device that solve the problem of layered-key plaintext possibly leaking outside a general-purpose encryption device.
An embodiment of the invention provides a layered-key security management method comprising: generating a locally encrypted layered-key ciphertext in response to a layered-key generation request sent by a key management unit; sending that locally encrypted layered-key ciphertext to the key management unit for storage; in response to a layered-encryption request sent by the key management unit, locally decrypting the locally encrypted ciphertext of the layered key and the locally encrypted ciphertext of its upper-layer layered key contained in the request, encrypting the layered key under its upper-layer layered key, and sending the resulting layered-encrypted layered-key ciphertext to the key management unit for storage; and in response to a layered-decryption request sent by the key management unit, locally decrypting the locally encrypted ciphertext of the upper-layer layered key contained in the request, using that upper-layer layered key to decrypt the layered-encrypted layered-key ciphertext, locally encrypting the layered key so obtained, and sending the locally encrypted layered-key ciphertext to the key management unit for storage.
An embodiment of the invention also provides a layered-key security management apparatus comprising a key management unit and an encryption/decryption unit, where the key management unit stores layered keys, and the encryption/decryption unit generates layered keys on request from the key management unit or encrypts and decrypts layered keys on its request. The encryption/decryption unit comprises: a receiving module, which receives the layered-key generation request, layered-encryption request or layered-decryption request sent by the key management unit; a layered-key generation module, which generates a layered key according to the layered-key generation request; a layered encryption module, which encrypts the layered key under its upper-layer layered key; a layered decryption module, which decrypts a layered-encrypted layered-key ciphertext with its upper-layer layered key; a local encryption module, which encrypts the layered key with the local key to obtain a locally encrypted layered-key ciphertext; and a sending module, which sends the locally encrypted layered-key ciphertext to the key management unit for storage.
An embodiment of the invention also provides an encryption/decryption device comprising: a receiving unit, which receives the layered-key generation request, layered-encryption request or layered-decryption request sent by a key management unit; a layered-key generation unit, which generates a layered key according to the layered-key generation request; a layered encryption unit, which encrypts the layered key under its upper-layer layered key; a layered decryption unit, which decrypts a layered-encrypted layered-key ciphertext with its upper-layer layered key; a local encryption unit, which encrypts the layered key with the local key to obtain a locally encrypted layered-key ciphertext; and a transmitting unit, which sends the locally encrypted layered-key ciphertext to the key management unit for storage.
The layered-key security management method, apparatus and encryption/decryption device provided by the embodiments of the invention remedy the shortcoming of the general-purpose encryption device and its external key management system in layered-key security management, and ensure that a key never appears in plaintext outside the general-purpose encryption device.
Description of drawings
The drawings described here provide a further understanding of the invention and form part of the application; they do not limit the invention. In the drawings:
Fig. 1 is a flow chart of the layered-key security management method of an embodiment of the invention;
Fig. 2 is a further flow chart of the embodiment shown in Fig. 1;
Fig. 3 is a flow chart of the method of another embodiment of the invention;
Fig. 4 is a further flow chart of the embodiment shown in Fig. 3;
Fig. 5 is a flow chart of the method of another embodiment of the invention;
Fig. 6 is a further flow chart of the embodiment shown in Fig. 5;
Fig. 7 is a block diagram of the layered-key security management apparatus of an embodiment of the invention;
Fig. 8 is a block diagram of the encryption/decryption device of an embodiment of the invention;
Fig. 9 is an interaction diagram of the method of the embodiment shown in Figs. 1 and 2;
Fig. 10 is an interaction diagram of the method of the embodiment shown in Figs. 3 and 4;
Fig. 11 is an interaction diagram of the method of the embodiment shown in Figs. 5 and 6.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the embodiments are described in further detail below with reference to the embodiments and the drawings. The illustrative embodiments and their explanation serve to explain the invention and do not limit it.
Embodiment one
An embodiment of the invention provides a layered-key security management method, described in detail below with reference to the drawings.
Fig. 1 is the flow chart of the method of this embodiment. Referring to Fig. 1, the layered-key security management method of this embodiment mainly comprises:
101: generating a locally encrypted layered-key ciphertext in response to a layered-key generation request sent by the key management unit;
In this embodiment, step 101 can be realized by the concrete steps shown in Fig. 2. Referring to Fig. 2, these mainly comprise:
1011: receiving the layered-key generation request, containing a layered-key feature set, sent by the key management unit;
In this embodiment the layered-key feature set is descriptive information about the layered key, for example which layer the layered key belongs to and the descriptor of the layered key. The feature set can be obtained from a secure environment that generates feature sets, for example from a trusted third party, or it can be generated by the key management unit itself.
1012: generating the layered key using the feature set;
1013: encrypting the layered key with the local key, obtaining a locally encrypted layered-key ciphertext.
In this embodiment the local key may be a symmetric key or an asymmetric key.
102: sending the locally encrypted layered-key ciphertext to the key management unit for storage.
Because the layered key saved in the key management unit is always in ciphertext form, the goal of secure storage and management is achieved.
After the locally encrypted layered-key ciphertext has been sent to the key management unit for storage, the method of this embodiment can further comprise the following steps; see Fig. 3:
201: in response to a layered-encryption request sent by the key management unit, decrypting the locally encrypted layered-key ciphertext and performing layered encryption, obtaining a layered-encrypted layered-key ciphertext;
In this embodiment, step 201 can be realized by the concrete steps shown in Fig. 4. Referring to Fig. 4, these mainly comprise:
2011: receiving the layered-encryption request sent by the key management unit, containing the locally encrypted ciphertext of the layered key and the locally encrypted ciphertext of its upper-layer layered key;
In this embodiment, because the layered key of a given layer is to be layered-encrypted, not only the locally encrypted ciphertext of that layer's key but also the locally encrypted ciphertext of the key one layer above it must be obtained; the layered-encryption request sent by the key management unit therefore contains both.
2012: decrypting, with the local key, the locally encrypted ciphertext of the layered key and the locally encrypted ciphertext of the upper-layer layered key, obtaining the layered key and the upper-layer layered key;
In this embodiment, because the layered keys entering step 2011 are all in ciphertext form, step 2012 first decrypts this layer's key and the upper-layer key from their ciphertext form to obtain both in plaintext.
2013: encrypting the layered key with the upper-layer layered key, obtaining the layered-encrypted layered-key ciphertext.
In this embodiment, once step 2012 has produced this layer's key and the upper-layer key in plaintext, the upper-layer key can be used to layered-encrypt this layer's key, obtaining the layered-encrypted layered-key ciphertext.
202: sending the layered-encrypted layered-key ciphertext to the key management unit for storage.
Because the layered key saved in the key management unit, or obtained from the key management unit, is always in ciphertext form, the goal of secure storage and management is achieved.
After the layered-encrypted layered-key ciphertext has been sent to the key management unit for storage, the method of this embodiment can further comprise the following steps; see Fig. 5:
301: in response to a layered-decryption request sent by the key management unit, decrypting the layered-encrypted layered-key ciphertext, obtaining the layered key;
In this embodiment, step 301 can be realized by the concrete steps shown in Fig. 6. Referring to Fig. 6, these mainly comprise:
3011: receiving the layered-decryption request sent by the key management unit, containing the layered-encrypted ciphertext of the layered key and the locally encrypted ciphertext of its upper-layer layered key;
In this embodiment, because a layered-encrypted layered-key ciphertext is to be decrypted, and that ciphertext was encrypted with its upper-layer layered key, the locally encrypted ciphertext of the upper-layer key must be obtained in addition to this layer's layered-encrypted ciphertext; the layered-decryption request sent by the key management unit therefore contains both.
3012: decrypting, with the local key, the locally encrypted ciphertext of the upper-layer layered key, obtaining the upper-layer layered key;
In this embodiment the layered keys entering step 3011 are all in ciphertext form: this layer's key is present as a layered-encrypted ciphertext, the upper-layer key as a locally encrypted ciphertext, and this layer's key was encrypted with the upper-layer key. Step 3012 therefore first decrypts the locally encrypted ciphertext of the upper-layer key to obtain the upper-layer key in plaintext.
3013: decrypting the layered-encrypted layered-key ciphertext with the upper-layer layered key, obtaining the layered key.
In this embodiment, once step 3012 has produced the upper-layer key in plaintext, that key can be used to decrypt this layer's layered-encrypted ciphertext, obtaining this layer's key.
302: encrypting the layered key with the local key, obtaining a locally encrypted layered-key ciphertext;
In this embodiment, to achieve secure storage, step 302 locally encrypts the layered key obtained in the preceding step, so that it is again in ciphertext form.
303: sending the locally encrypted layered-key ciphertext to the key management unit for storage.
Because the layered key saved in the key management unit, or obtained from the key management unit, is always in ciphertext form, the goal of secure storage and management is achieved.
With the layered-key security management method of this embodiment, the layered key is stored in ciphertext form in external storage, namely in the key management unit, and when it is used, the layered key obtained from that external storage is always transmitted in ciphertext form, which avoids the danger of the layered key leaking in plaintext.
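The key hierarchy described in the background and the three exchanges of steps 101 to 303, as an added example in Python that is not part of the patent and not code from BEIJING NOVEL-SUPERTV: it models the encryption/decryption unit as a class holding a local key that never leaves it, the key management unit as a store of ciphertext, and runs a three-layer hierarchy through generation, layered encryption and layered decryption, then checks that the content key recovered through the chain still decrypts content sealed before the keys were wrapped. The class, method and request-field names, the choice that the key management unit keeps only the most recent ciphertext form of each key, and the HMAC-SHA256 stand-in cipher are this example's own assumptions; the patent specifies neither the algorithms nor the message format.

```python
"""Added example, not code from the patent or its assignee: a runnable model of
steps 101-303. The encryption/decryption unit holds a local key that never leaves
it; the key management unit (KMU) stores ciphertext only. All names are this
example's own. The cipher is a standard-library stand-in (HMAC-SHA256 in counter
mode, encrypt-then-MAC); a real unit would use AES-GCM or AES key wrap."""
import hashlib
import hmac
import secrets

NONCE, TAG = 16, 32

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(ek: bytes, nonce: bytes, data: bytes) -> bytes:
    blocks = (_prf(ek, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, b"".join(blocks)))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; encryption and MAC use separate subkeys."""
    nonce = secrets.token_bytes(NONCE)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if len(blob) < NONCE + TAG or not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or tampered ciphertext")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class EncryptionUnit:
    """Encryption/decryption unit 72: the only place a layered key exists in plaintext."""

    def __init__(self):
        self._local_key = secrets.token_bytes(32)  # generated inside the unit, never exported

    def handle(self, request: dict) -> bytes:
        """Judging module 722: dispatch on request type; every input and output is ciphertext."""
        kind = request["type"]
        if kind == "generate":            # steps 1011-1013: the feature set describes, randomness decides
            return encrypt(self._local_key, secrets.token_bytes(request["feature_set"]["bytes"]))
        if kind == "layered_encrypt":     # steps 2011-2013
            key = decrypt(self._local_key, request["key"])
            upper = decrypt(self._local_key, request["upper"])
            return encrypt(upper, key)
        if kind == "layered_decrypt":     # steps 3011-3013 and 302
            upper = decrypt(self._local_key, request["upper"])
            return encrypt(self._local_key, decrypt(upper, request["key"]))
        raise ValueError(f"unknown request type {kind!r}")

    def content_op(self, key_local_ct: bytes, data: bytes, direction: str) -> bytes:
        """Bottom-layer keys protect content; the caller holds only the key's local ciphertext."""
        key = decrypt(self._local_key, key_local_ct)
        return encrypt(key, data) if direction == "encrypt" else decrypt(key, data)

class KeyManagementUnit:
    """Key management unit 71: external storage that never sees a key in plaintext."""

    def __init__(self, unit: EncryptionUnit):
        self.unit, self.store = unit, {}  # name -> {"local": ct} or {"layered": ct}

    def create(self, name: str, layer: int):
        req = {"type": "generate", "feature_set": {"layer": layer, "bytes": 16}}
        self.store[name] = {"local": self.unit.handle(req)}

    def wrap_under(self, name: str, upper: str):
        req = {"type": "layered_encrypt", "key": self.store[name]["local"], "upper": self.store[upper]["local"]}
        self.store[name] = {"layered": self.unit.handle(req)}  # keep only the hierarchy-bound form

    def unwrap(self, name: str, upper: str):
        req = {"type": "layered_decrypt", "key": self.store[name]["layered"], "upper": self.store[upper]["local"]}
        self.store[name] = {"local": self.unit.handle(req)}

def run_demo() -> bytes:
    """root -> service key -> content key: seal content, wrap the chain, unwrap it, unseal."""
    kmu = KeyManagementUnit(EncryptionUnit())
    for name, layer in (("root", 0), ("service", 1), ("content", 2)):
        kmu.create(name, layer)
    program = b"constructed sample: one scrambled transport-stream packet"  # constructed input
    sealed = kmu.unit.content_op(kmu.store["content"]["local"], program, "encrypt")
    kmu.wrap_under("content", "service")  # content key now exists only under the service key
    kmu.wrap_under("service", "root")     # service key only under the root key
    kmu.unwrap("service", "root")         # later use: walk the hierarchy back down
    kmu.unwrap("content", "service")
    return kmu.unit.content_op(kmu.store["content"]["local"], sealed, "decrypt")

def wrong_parent_rejected() -> bool:
    """Unwrapping with the wrong upper-layer key fails authentication instead of yielding garbage."""
    kmu = KeyManagementUnit(EncryptionUnit())
    for name, layer in (("root", 0), ("other", 0), ("child", 1)):
        kmu.create(name, layer)
    kmu.wrap_under("child", "root")
    try:
        kmu.unwrap("child", "other")
    except ValueError:
        return True
    return False
```

Step 1013 allows the local key to be symmetric or asymmetric; the stand-in is symmetric. The authenticated cipher is what makes the failure case meaningful: with an unauthenticated wrap, a layered ciphertext presented with the wrong upper-layer key would decrypt to a garbage key that the unit would then locally encrypt and hand back as if it were valid.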
Embodiment two:
An embodiment of the invention also provides a layered-key security management apparatus that uses the method of embodiment one to achieve secure storage and management of layered keys; it is described in detail below with reference to the drawings.
Fig. 7 is the block diagram of the layered-key security management apparatus of this embodiment. Referring to Fig. 7, the apparatus of this embodiment mainly comprises a key management unit 71 and an encryption/decryption unit 72, where:
Key management unit 71 sends to encryption/decryption unit 72 requests to generate layered keys, or requests to layered-encrypt or layered-decrypt layered keys, in order to store layered keys securely;
Encryption/decryption unit 72 generates layered keys on request from key management unit 71, or encrypts and decrypts layered keys on request from the key management unit; encryption/decryption unit 72 mainly comprises:
Receiving module 721, which receives the layered-key generation request, layered-encryption request or layered-decryption request sent by key management unit 71;
In this embodiment the layered-key generation request contains a layered-key feature set, which provides the information about the layered key to be generated. The feature set is explained in embodiment one and not repeated here.
In this embodiment the layered-encryption request contains the locally encrypted ciphertext of the layered key to be layered-encrypted and the locally encrypted ciphertext of that key's upper-layer layered key, so that the upper-layer key can be used to layered-encrypt the layered key.
In this embodiment the layered-decryption request contains the layered-encrypted ciphertext of the layered key and the locally encrypted ciphertext of its upper-layer layered key, so that the upper-layer key can be used to layered-decrypt the layered-encrypted ciphertext.
Layered-key generation module 723, which generates a layered key according to the layered-key generation request;
Local encryption module 724, which encrypts the layered key with the local key, obtaining a locally encrypted layered-key ciphertext;
In this embodiment the local key may be a symmetric key or an asymmetric key, and it is generated locally in this encryption/decryption device.
Sending module 728, which sends the locally encrypted layered-key ciphertext to key management unit 71 for storage.
In this embodiment, because the layered key sent to key management unit 71 exists in ciphertext form, the possibility of the layered key leaking is avoided.
In this embodiment, encryption/decryption unit 72 further comprises:
Local decryption module 725, which decrypts a locally encrypted layered-key ciphertext with the local key, obtaining the layered key;
In this embodiment, when the request that receiving module 721 receives from key management unit 71 is a layered-encryption request, local decryption module 725 first decrypts the locally encrypted ciphertexts, contained in the request, of the layered key to be layered-encrypted and of its upper-layer layered key.
Layered encryption module 726, which encrypts the layered key with its upper-layer layered key; the resulting layered-encrypted layered-key ciphertext is sent by sending module 728 to key management unit 71 for storage.
In this embodiment, after local decryption module 725 has decrypted the layered key to be encrypted and its upper-layer layered key, layered encryption module 726 can encrypt that layered key with the upper-layer key, and sending module 728 then sends the result to key management unit 71 for storage.
In this embodiment, because the layered keys contained in the layered-encryption request received from key management unit 71 exist as locally encrypted ciphertext, and the layered key sent to key management unit 71 exists as layered-encrypted ciphertext, the possibility of the layered key leaking is avoided.
In this embodiment, encryption/decryption unit 72 further comprises:
Layered decryption module 727, which decrypts the layered-encrypted ciphertext of the layered key with its upper-layer layered key; the layered key so obtained is encrypted by local encryption module 724 and then sent by sending module 728 to key management unit 71 for storage.
In this embodiment, when the request that receiving module 721 receives from key management unit 71 is a layered-decryption request, local decryption module 725 first decrypts the locally encrypted ciphertext of the upper-layer layered key contained in the request, obtaining the upper-layer layered key; layered decryption module 727 then uses that upper-layer key to decrypt the layered-encrypted layered-key ciphertext contained in the request, obtaining the layered key; finally local encryption module 724 locally encrypts that layered key, and sending module 728 sends the locally encrypted ciphertext to key management unit 71 for storage.
In this embodiment, because the layered keys contained in the layered-decryption request received from key management unit 71 exist as locally encrypted or layered-encrypted ciphertext, and the layered key sent to key management unit 71 exists as locally encrypted ciphertext, the possibility of the layered key leaking is avoided.
In this embodiment, encryption/decryption unit 72 further comprises:
Judging module 722, which determines the type of the request message received by receiving module 721 and, according to the result, passes the request message to layered-key generation module 723 or to local decryption module 725.
With the layered-key security management apparatus of this embodiment, a layered key produced by the encryption/decryption unit is always stored securely outside the unit in ciphertext form. When the unit layered-encrypts a layered key it can directly use the ciphertext of the relevant layered keys obtained from outside the unit; there is no need to obtain the plaintext of the relevant layered keys outside the unit first and then feed that key plaintext into the unit, so leakage of key plaintext on its way into the encryption/decryption unit is avoided.
In this embodiment, encryption/decryption unit 72 can be realized by a general-purpose encryption device, and key management unit 71 by a key management system outside the general-purpose encryption device.
Embodiment three:
The embodiment of the invention also provides a kind of ciphering and deciphering device, utilizes the method for embodiment one, reaches the purpose of layering cipher key safe storage and management, below in conjunction with accompanying drawing present embodiment is elaborated.
Fig. 8 is the ciphering and deciphering device composition frame chart of present embodiment, please refer to Fig. 8, and the ciphering and deciphering device of present embodiment mainly comprises:
Receiving element 81 is used to receive layering cipher key generation request, layered encryption request or the layering decoding request that cipher key management unit sends;
In the present embodiment, layering cipher key generates request package and contains the layering cipher key feature set, so that the relevant information of the layering cipher key that needs generation to be provided.About feature set explanation in embodiment one, in this omission.
In the present embodiment, the layered encryption request package contains the ciphertext of local cipher of the upper strata layering cipher key of the ciphertext of local cipher of the layering cipher key that needs layered encryption and this layering cipher key that needs layered encryption, so that utilize the upper strata layering cipher key that the layering cipher key that needs layered encryption is carried out layered encryption.
In the present embodiment, the layering decoding request includes by the layering cipher key ciphertext of the local cipher of the layering cipher key ciphertext of layered encryption and its upper strata layering cipher key, so that utilize this upper strata layering cipher key to carried out the layering deciphering by the layering cipher key ciphertext of layered encryption.
Layering cipher key generation unit 83 is used for generating request according to described layering cipher key and generates layering cipher key;
Local cipher unit 84 is used to utilize the described layering cipher key of local secret key encryption, obtains the layering cipher key ciphertext of a local cipher;
In the present embodiment, local key can be a symmetric key, also can be unsymmetrical key, in the local generation of this ciphering and deciphering device.
Transmitting element 88 is used for the layering cipher key ciphertext of described local cipher is sent to described cipher key management unit preservation.
According to present embodiment, exist with the ciphertext form owing to send to the layering cipher key of cipher key management unit, therefore, the possibility of having avoided layering cipher key to be leaked.
According to this embodiment, the encryption/decryption device further comprises:
Local decryption unit 85 decrypts a locally encrypted layering key ciphertext with the local key, obtaining the layering key;
In this embodiment, when the request that receiving unit 81 receives from the key management unit is a layered encryption request, local decryption unit 85 first decrypts the locally encrypted ciphertexts contained in the request, namely those of the layering key to be layer-encrypted and of its upper-layer layering key.
Layered encryption unit 86 layer-encrypts the layering key with its upper-layer layering key, obtaining a layer-encrypted layering key ciphertext that transmitting unit 88 sends to the key management unit for storage.
In this embodiment, once local decryption unit 85 has recovered the layering key to be encrypted and its upper-layer layering key, layered encryption unit 86 uses the upper-layer layering key to layer-encrypt the layering key, and transmitting unit 88 then sends the result to the key management unit for storage.
According to this embodiment, the layering keys contained in the layered encryption request received from the key management unit exist in locally encrypted ciphertext form, and the layering key sent back to the key management unit exists in layer-encrypted ciphertext form, so the risk of a layering key being leaked is avoided.
According to this embodiment, the encryption/decryption device further comprises:
Layered decryption unit 87 layer-decrypts the layer-encrypted ciphertext of a layering key with that key's upper-layer layering key, obtaining the layering key, which local encryption unit 84 encrypts and transmitting unit 88 then sends to the key management unit for storage.
In this embodiment, when the request that receiving unit 81 receives from the key management unit is a layered decryption request, local decryption unit 85 first decrypts the locally encrypted ciphertext of the upper-layer layering key contained in the request, obtaining the upper-layer layering key; layered decryption unit 87 then uses this upper-layer layering key to decrypt the layer-encrypted layering key ciphertext contained in the request, obtaining the layering key; finally, local encryption unit 84 locally encrypts this layering key and transmitting unit 88 sends the locally encrypted layering key ciphertext to the key management unit for storage.
According to this embodiment, the layering keys contained in the layered decryption request received from the key management unit exist in locally encrypted or layer-encrypted ciphertext form, and the layering key sent back to the key management unit exists in locally encrypted ciphertext form, so the risk of a layering key being leaked is avoided.
According to this embodiment, the encryption/decryption device further comprises:
Judging unit 82 determines the type of the request message received by receiving unit 81 and, according to the result, forwards the request message to layering key generation unit 83 or to local decryption unit 85.
With the encryption/decryption device of this embodiment, the layering keys that the device produces are always stored securely outside the device in ciphertext form. When the device layer-encrypts a layering key, it can directly use the ciphertexts of the relevant layering keys obtained from outside the device; there is no need to first obtain the plaintext of those layering keys outside the device and then feed the plaintext into the device, which avoids the key plaintext being leaked as it enters the device.
In this embodiment, the encryption/decryption device may be implemented by a general-purpose encryption machine, and the key management unit may be implemented by a key management system outside the encryption machine, but the embodiment is not limited to this.
To make the embodiments of the invention clearer and easier to understand, several examples of the method of the embodiments are given below. In the following examples, the layering key security management method of embodiment one is applied to the encryption/decryption unit of a general-purpose encryption machine, and the key management unit is implemented by a key management system outside the encryption machine. In addition, in the following examples, K_i denotes the layering key of layer i, K_{i-1} denotes the upper-layer key of K_i, and K_1 is the top-layer key, where i = 2, 3, ..., n and n is the number of key layers; K_K denotes the local key, which is used to locally encrypt a layering key K_i and produce the locally encrypted layering key ciphertext, denoted K_i'; E_{K_i}(K_{i+1}) denotes the result of layer-encrypting K_{i+1} with K_i, that is, the layer-encrypted layering key ciphertext.
Example one:
This example is the flow in which the encryption/decryption unit generates a layering key and the key management unit stores it securely; refer to the flowchart shown in Figure 9.
(1) The key management unit sends the encryption/decryption unit a request to generate the layer-i layering key K_i; the request contains the feature set that the encryption/decryption unit uses to generate K_i, and this feature set may be obtained from a secure environment;
(2) The encryption/decryption unit generates the layering key K_i from the feature set sent by the key management unit;
(3) The encryption/decryption unit encrypts the layering key K_i with the local key K_K, obtaining the locally encrypted ciphertext K_i' of K_i; the local key K_K may be a symmetric key or an asymmetric key;
(4) The encryption/decryption unit returns the locally encrypted ciphertext K_i' of K_i to the key management unit;
(5) The key management unit stores the locally encrypted ciphertext K_i' of K_i.
According to example one, after the encryption/decryption unit generates a layering key it locally encrypts the key before sending it to the key management unit for storage, so the layering key never appears in plaintext outside the encryption/decryption unit, and the risk of its being leaked is avoided.
Example two:
This example is the flow in which the encryption/decryption unit layer-encrypts a layering key. In example two, the locally encrypted ciphertext K_i' of the layering key to be layer-encrypted and the locally encrypted ciphertext K_{i-1}' of its upper-layer layering key have already been generated and securely stored on the key management unit; refer to the flowchart shown in Figure 10.
(1) The key management unit sends the encryption/decryption unit a request to layer-encrypt the layer-i layering key K_i; the request contains the locally encrypted ciphertext K_i' of the layering key to be layer-encrypted and the locally encrypted ciphertext K_{i-1}' of its upper-layer layering key;
(2) The encryption/decryption unit decrypts the locally encrypted layering key ciphertext K_i' and the locally encrypted upper-layer layering key ciphertext K_{i-1}' with the local key K_K, obtaining the layering key K_i and the upper-layer layering key K_{i-1};
(3) The encryption/decryption unit encrypts the layering key K_i with the upper-layer layering key K_{i-1}, obtaining the layer-encrypted ciphertext E_{K_{i-1}}(K_i) of K_i;
(4) The encryption/decryption unit returns the layer-encrypted ciphertext E_{K_{i-1}}(K_i) of the layering key K_i to the key management unit.
According to example two, the layering keys received from the key management unit exist in locally encrypted ciphertext form, and after layered encryption the layering key sent to the key management unit exists in layer-encrypted ciphertext form, so the layering key never appears in plaintext outside the encryption/decryption unit, and the risk of its being leaked is avoided.
Example three:
This example is the flow in which the encryption/decryption unit layer-decrypts a layer-encrypted layering key. In example three, the layer-encrypted ciphertext E_{K_{i-1}}(K_i) of the layering key to be layer-decrypted and the locally encrypted ciphertext K_{i-1}' of its upper-layer layering key have already been generated and securely stored on the key management unit; refer to the flowchart shown in Figure 11.
(1) The key management unit sends the encryption/decryption unit a request to layer-decrypt a layer-encrypted layering key ciphertext; the request contains the layer-encrypted ciphertext E_{K_{i-1}}(K_i) of the layering key to be layer-decrypted and the locally encrypted ciphertext K_{i-1}' of its upper-layer layering key;
(2) The encryption/decryption unit decrypts the locally encrypted ciphertext K_{i-1}' of the upper-layer layering key with the local key K_K, obtaining the upper-layer layering key K_{i-1};
(3) The encryption/decryption unit layer-decrypts the layer-encrypted ciphertext E_{K_{i-1}}(K_i) with the upper-layer layering key K_{i-1}, obtaining the layering key K_i;
(4) The encryption/decryption unit encrypts the layering key K_i with the local key K_K, obtaining the locally encrypted ciphertext K_i' of K_i;
(5) The encryption/decryption unit sends the locally encrypted layering key ciphertext K_i' to the key management unit.
According to example three, the layering keys received from the key management unit exist in locally encrypted or layer-encrypted ciphertext form, and after layered decryption the layering key sent to the key management unit exists in locally encrypted ciphertext form, so the layering key never appears in plaintext outside the encryption/decryption unit, and the risk of its being leaked is avoided.
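The three example flows above, together with the device-side units of the embodiment, as an added example that is not part of the patent: the wrapping cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag), the way K_i is derived from the feature set and the request format are assumptions made so that it runs on Python's standard library alone.

```python
"""Toy model of the patent's split between a key management unit, which stores
only ciphertexts, and an encryption/decryption unit, which alone holds the local
key K_K.  Added example, not the patent's code: the wrapping cipher (HMAC-SHA256
keystream, encrypt-then-MAC) is a stand-in that runs on the standard library."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode; stands in for the device's real symmetric cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a modified ciphertext is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class EncryptionDecryptionUnit:
    """Mirrors units 81-88: every layering key enters and leaves as a ciphertext."""
    def __init__(self) -> None:
        self._local_key = os.urandom(32)  # K_K, generated inside the device

    def generate(self, feature_set: bytes) -> bytes:
        """Example one (units 83, 84): derive K_i, return K_i' = wrap(K_K, K_i)."""
        k_i = hashlib.sha256(os.urandom(32) + feature_set).digest()  # derivation assumed
        return wrap(self._local_key, k_i)

    def layered_encrypt(self, k_i_local: bytes, k_upper_local: bytes) -> bytes:
        """Example two (units 85, 86): K_i', K_{i-1}' -> E_{K_{i-1}}(K_i)."""
        k_i = unwrap(self._local_key, k_i_local)
        k_upper = unwrap(self._local_key, k_upper_local)
        return wrap(k_upper, k_i)

    def layered_decrypt(self, k_i_layered: bytes, k_upper_local: bytes) -> bytes:
        """Example three (units 85, 87, 84): E_{K_{i-1}}(K_i), K_{i-1}' -> K_i'."""
        k_upper = unwrap(self._local_key, k_upper_local)
        k_i = unwrap(k_upper, k_i_layered)
        return wrap(self._local_key, k_i)

    def handle(self, request: dict) -> bytes:
        """Judging unit 82: dispatch on the request type; the format is assumed."""
        kind = request["type"]
        if kind == "generate":
            return self.generate(request["feature_set"])
        if kind == "layered_encrypt":
            return self.layered_encrypt(request["k_i_local"], request["k_upper_local"])
        if kind == "layered_decrypt":
            return self.layered_decrypt(request["k_i_layered"], request["k_upper_local"])
        raise ValueError(f"unknown request type {kind!r}")


def run_key_ladder(edu: EncryptionDecryptionUnit, layers: int = 3) -> dict:
    """Key management unit side: build K_1..K_n and keep only ciphertexts.
    Returns the store so a caller can check that no plaintext key is in it."""
    store = {}
    for i in range(1, layers + 1):
        store[f"K{i}'"] = edu.handle({"type": "generate", "feature_set": b"layer-%d" % i})
    for i in range(2, layers + 1):
        store[f"E_K{i - 1}(K{i})"] = edu.handle({"type": "layered_encrypt",
                                                "k_i_local": store[f"K{i}'"],
                                                "k_upper_local": store[f"K{i - 1}'"]})
    return store
```

The authenticated wrap matters for the scheme's trust model: the key management unit is outside the device, so a ciphertext it hands back must be rejected if it was altered rather than silently unwrapped into a wrong key.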
The specific embodiments described above further explain the purpose, technical solution and beneficial effects of the present invention. It should be understood that they are only specific embodiments of the invention and are not intended to limit its scope; any modification, equivalent replacement, improvement or the like made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (14)

1. A layering key security management method, characterized in that the method comprises:
generating a locally encrypted layering key ciphertext according to a layering key generation request sent by a key management unit;
sending the locally encrypted layering key ciphertext to the key management unit for storage.
2. The method according to claim 1, characterized in that the step of generating a locally encrypted layering key ciphertext according to the layering key generation request sent by the key management unit comprises:
receiving the layering key generation request sent by the key management unit, the request containing a layering key feature set;
generating a layering key from the layering key feature set;
encrypting the layering key with a local key, obtaining a locally encrypted layering key ciphertext.
3. The method according to claim 2, characterized in that the method further comprises:
decrypting and then layer-encrypting a locally encrypted layering key ciphertext according to a layered encryption request sent by the key management unit, obtaining a layer-encrypted layering key ciphertext;
sending the layer-encrypted layering key ciphertext to the key management unit for storage.
4. The method according to claim 3, characterized in that the step of decrypting and layer-encrypting the locally encrypted layering key ciphertext according to the layered encryption request sent by the key management unit comprises:
receiving the layered encryption request sent by the key management unit, the request containing a locally encrypted layering key ciphertext and the locally encrypted layering key ciphertext of its upper-layer layering key;
decrypting the locally encrypted layering key ciphertext and the locally encrypted layering key ciphertext of the upper-layer layering key with the local key, obtaining the layering key and the upper-layer layering key;
layer-encrypting the layering key with the upper-layer layering key, obtaining a layer-encrypted layering key ciphertext.
5. The method according to claim 4, characterized in that the method further comprises:
decrypting the layer-encrypted layering key ciphertext according to a layered decryption request sent by the key management unit, obtaining the layering key;
encrypting the layering key with the local key, obtaining a locally encrypted layering key ciphertext;
sending the locally encrypted layering key ciphertext to the key management unit for storage.
6. The method according to claim 5, characterized in that the step of decrypting the layer-encrypted layering key ciphertext according to the layered decryption request sent by the key management unit to obtain the layering key comprises:
receiving the layered decryption request sent by the key management unit, the request containing a layer-encrypted layering key ciphertext and the locally encrypted layering key ciphertext of its upper-layer layering key;
decrypting the locally encrypted layering key ciphertext of the upper-layer layering key with the local key, obtaining the upper-layer layering key;
layer-decrypting the layer-encrypted layering key ciphertext with the upper-layer layering key, obtaining the layering key.
7. A layering key security management apparatus, characterized in that the management apparatus comprises a key management unit and an encryption/decryption unit, wherein:
the key management unit is used to store layering keys;
the encryption/decryption unit is used to generate a layering key according to a request from the key management unit, or to encrypt or decrypt a layering key according to a request from the key management unit, and the encryption/decryption unit comprises:
a receiving module, used to receive a layering key generation request, a layered encryption request or a layered decryption request sent by the key management unit;
a layering key generation module, used to generate a layering key according to the layering key generation request;
a local encryption module, used to encrypt the layering key with a local key, obtaining a locally encrypted layering key ciphertext;
a sending module, used to send the locally encrypted layering key ciphertext to the key management unit for storage.
8. The management apparatus according to claim 7, characterized in that the encryption/decryption unit further comprises:
a local decryption module, used to decrypt a locally encrypted layering key ciphertext with the local key, obtaining the layering key;
a layered encryption module, used to layer-encrypt the layering key with its upper-layer layering key, obtaining a layer-encrypted layering key ciphertext that the sending module sends to the key management unit for storage.
9. The management apparatus according to claim 8, characterized in that the encryption/decryption unit further comprises:
a layered decryption module, used to layer-decrypt the layer-encrypted ciphertext of a layering key with its upper-layer layering key, obtaining the layering key, which is encrypted by the local encryption module and then sent by the sending module to the key management unit for storage.
10. The management apparatus according to claim 9, characterized in that the encryption/decryption unit further comprises:
a judging module, used to determine the type of the request message received by the receiving module and, according to the result, to forward the request message to the layering key generation module or to the local decryption module.
11. An encryption/decryption device, characterized in that the device comprises:
a receiving unit, used to receive a layering key generation request, a layered encryption request or a layered decryption request sent by a key management unit;
a layering key generation unit, used to generate a layering key according to the layering key generation request;
a local encryption unit, used to encrypt the layering key with a local key, obtaining a locally encrypted layering key ciphertext;
a transmitting unit, used to send the locally encrypted layering key ciphertext to the key management unit for storage.
12. The device according to claim 11, characterized in that the device further comprises:
a local decryption unit, used to decrypt a locally encrypted layering key ciphertext with the local key, obtaining the layering key;
a layered encryption unit, used to layer-encrypt the layering key with its upper-layer layering key, obtaining a layer-encrypted layering key ciphertext that the transmitting unit sends to the key management unit for storage.
13. The device according to claim 12, characterized in that the device further comprises:
a layered decryption unit, used to layer-decrypt the layer-encrypted ciphertext of a layering key with its upper-layer layering key, obtaining the layering key, which is encrypted by the local encryption unit and then sent by the transmitting unit to the key management unit for storage.
14. The device according to claim 13, characterized in that the device further comprises:
a judging unit, used to determine the type of the request message received by the receiving unit and, according to the result, to forward the request message to the layering key generation unit or to the local decryption unit.
CN2008102404216A 2008-12-19 2008-12-19 Safety management method and apparatus for layering cipher key, and enciphering/deciphering device Active CN101437145B (en)
Publications (2)

Publication Number Publication Date
CN101437145A true CN101437145A (en) 2009-05-20
CN101437145B CN101437145B (en) 2011-01-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant