CN101986596B - Key management mechanism - Google Patents


Info

Publication number: CN101986596B
Authority: CN (China)
Prior art keywords: key, composition, encryption device, administrator, cryptographic
Legal status: Expired - Fee Related
Application number: CN201010515064.7A
Other languages: Chinese (zh)
Other versions: CN101986596A
Inventors: 刘平, 徐强
Current assignee: WUXI JIANGNAN INFORMATION SAFETY ENGINEERING TECHNOLOGY CENTER
Original assignee: WUXI JIANGNAN INFORMATION SAFETY ENGINEERING TECHNOLOGY CENTER
Priority date: 2010-10-21
Filing date: 2010-10-21
Publication date: 2014-06-25 (application published as CN101986596A on 2011-03-16; granted and published as CN101986596B)

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to the field of computer information security and discloses a safe and convenient key management mechanism. The mechanism comprises the following steps: first, a cryptographic device in the initial state undergoes original initialization, after which the device signature key and the administrator signature keys are generated; all administrator certificates are issued, and then the key backup key is generated, the device key is backed up and the device key is stored, which completes original initialization; finally, a cryptographic device in the ready state undergoes power-up initialization. With this scheme the key management mechanism ensures the safe management of keys and, by explaining the initialization mode and process for each class of key initialization, ensures their safe use, thereby solving the problem of making the cryptographic device safe and reliable in key management and use.

Description

Key management method
Technical field
The present invention relates to the field of computer information security, and in particular to a safe and convenient key management mechanism applied in PKI-based information security devices to ensure secure key management inside such a device.
Background technology
At present, key management in PKI-based information security devices is unsatisfactory: the way device keys are used cannot meet the requirements of open application systems; keys are not generated and stored by secure methods; keys other than public keys frequently appear outside the encryption device in plaintext form; the keys stored inside the encryption device lack an effective key protection mechanism, so that an outsider may dissect, probe and illegally read them; the keys stored inside the encryption device also lack an authorization control mechanism, so illegal use and illegal export occur frequently. In short, no usable key management strategy exists.
Summary of the invention
The present invention addresses the fact that, in the prior art, the use of device keys cannot meet customer requirements and the security problems of encryption devices in key management and use remain unsolved, and provides a safe and convenient key management mechanism.
To solve the above technical problems, the present invention adopts the following technical proposal:
I. Classification and role of the keys. In general there are five classes of key in the system. Keys 1 to 4 are management keys, used mainly for key management; key 5 is the working key, used mainly to provide cryptographic services to applications:
1. Device key: an asymmetric-algorithm key that is the identity key of the encryption device, used for exchanging information with the management center, issuing administrator certificates and verifying administrator signatures.
2. Administrator signature key: an asymmetric-algorithm key, one per administrator, used for administrator authentication and for signing operations.
3. Key backup key: a 128-bit symmetric key used to back up the device key and the user working keys outside the encryption device; when several encryption devices operate together, this key can also serve as the synchronization key.
4. Key protection key: two 128-bit symmetric keys, used to encrypt the device key, the user working keys and the key backup key for storage inside the encryption device.
5. User working key: comprises symmetric-algorithm keys and asymmetric-algorithm keys, and is used to provide the host with cryptographic services such as data encryption and decryption, data compression, digital signature and digital envelope.
II. Key management mechanism. The steps of the key management method are as follows:
Step 1: perform original initialization on the encryption device in the initial state: clear all keys from the key storage area of the encryption device; generate two 128-bit symmetric keys, called component 1 and component 2; store component 1 in the key storage area of the encryption device, where it forms key protection key component 1; hold component 2 temporarily in memory, where it forms key protection key component 2;
Step 2: then generate the device signature key: generate a public/private key pair and store it, as the device's signature key, in the signature key storage area of that key, and permit the device signature key to be copied to the device encryption key storage area while the encryption device is in the ready state;
Step 3: then generate the administrator signature key: on a cryptographic storage medium that supports asymmetric cryptographic algorithms, generate a public/private key pair as the administrator signature key; the public key of the administrator signature key is signed into an administrator certificate with the device signature private key, and the administrator certificate together with key protection key component 2 is downloaded into the administrator's cryptographic storage medium;
Step 4: repeat step 3 until all administrator certificates have been issued, then clear key protection key component 2 from memory;
Step 5: then generate the key backup key: clear the user working key storage area of the encryption device, generate a 128-bit symmetric key as the key backup key and store it in the key backup key storage area; split this key into three parts by a secret sharing mechanism, encrypt each of the three key components separately with the password of one of three custodians, and hand the ciphertexts to the three custodians for safekeeping;
Step 6: back up the device key: retrieve key protection key component 2 from the administrator's cryptographic storage medium and add it modulo 2 (XOR) to the key backup key; use the result as the key of a symmetric algorithm to encrypt the device key, and keep the encrypted result separately. The device key is an asymmetric-algorithm key and the identity key of the encryption device, used for exchanging information with the management center, issuing administrator certificates and verifying administrator signatures;
Step 7: then store the device key: retrieve key protection key component 2 from the administrator's cryptographic storage medium and add it modulo 2 (XOR) to key protection key component 1 in the key storage area of the encryption device; use the result as the key of a symmetric algorithm to encrypt the device key and the key backup key, compute a checksum over the ciphertext, and store the checksum together with the ciphertext in the key storage area of the encryption device. Original initialization is now complete;
Step 8: an encryption device that has completed the above steps and is in the ready state performs power-up initialization: first check the checksum of the device key and the key backup key in the key storage area of the encryption device; if the checksum is wrong, repeat steps 1 to 7 above as recovery initialization; if the checksum is correct, retrieve key protection key component 2 from the administrator's cryptographic storage medium, add it modulo 2 (XOR) to key protection key component 1 in the key storage area of the encryption device, use the result as the key of the symmetric algorithm, and decrypt all keys in the key storage area of the encryption device into memory. Power-up initialization is now complete.
According to the technical proposal of the present invention, the composition and usage of each class of key are set out to ensure that keys are used correctly; the steps and methods of key management are described through the classified management of keys; the security mechanisms for key generation, export, import and destruction are set out to ensure the safe management of keys; and the initialization mode and process are explained for each class of key initialization to ensure the safe use of keys, thereby solving the problem of making the encryption device safe and reliable in key management and use.
Brief description of the drawings
Fig. 1a is a schematic diagram of the process steps of original initialization of an encryption device in the initial state according to the present invention;
Fig. 2a is a schematic diagram of the process steps of power-up initialization of an encryption device that has undergone original initialization according to the present invention;
Fig. 3a is a schematic diagram of the process steps of recovery initialization of an encryption device that has undergone original initialization according to the present invention.
Detailed description
The present invention is described in further detail below with reference to the drawings and embodiments.
Embodiment 1
The key management mechanism, as shown in Fig. 1a, Fig. 2a and Fig. 3a, proceeds in the following steps:
Step 1: perform original initialization on the encryption device in the initial state: clear all keys from the key storage area of the encryption device; generate two 128-bit symmetric keys, called component 1 and component 2; store component 1 in the key storage area of the encryption device, and hold component 2 temporarily in memory;
Step 2: then generate the device signature key: generate a public/private key pair and store it, as the device's signature key, in the signature key storage area of that key, and permit the device signature key to be copied to the device encryption key storage area while the encryption device is in the ready state;
Step 3: then generate the administrator signature key: on a cryptographic storage medium that supports asymmetric cryptographic algorithms, generate a public/private key pair as the administrator signature key; its public key is signed into an administrator certificate with the device signature private key, and the administrator certificate together with key protection key component 2 is downloaded into the administrator's cryptographic storage medium;
Step 4: repeat step 3 until all administrator certificates have been issued, then clear key protection key component 2 from memory;
Step 5: then generate the key backup key: clear the user working key storage area of the encryption device, generate a 128-bit symmetric key as the key backup key and store it in the storage area of that key; split this key into three parts by a secret sharing mechanism, encrypt each of the three key components separately with the password of one of three custodians, and hand the ciphertexts to the three custodians for safekeeping;
Step 6: back up the device key: retrieve key protection key component 2 from the administrator's cryptographic storage medium and add it modulo 2 (XOR) to the key backup key; use the result as the key of a symmetric algorithm to encrypt the device key, and keep the encrypted result separately. The device key is an asymmetric-algorithm key and the identity key of the encryption device, used for exchanging information with the management center, issuing administrator certificates and verifying administrator signatures;
Step 7: then store the device key: retrieve key protection key component 2 from the administrator's cryptographic storage medium and add it modulo 2 (XOR) to key protection key component 1 in the storage area of the encryption device; use the result as the key of a symmetric algorithm to encrypt the device key and the key backup key, compute a checksum over the ciphertext, and store the checksum together with the ciphertext in the key storage area of the encryption device. Original initialization is now complete;
Step 8: an encryption device that has completed the above steps and is in the ready state performs power-up initialization: first check the checksum of the device key and the key backup key in the key storage area of the encryption device; if the checksum is wrong, repeat steps 1 to 7 above as recovery initialization; if the checksum is correct, retrieve key protection key component 2 from the administrator's cryptographic storage medium, add it modulo 2 (XOR) to key protection key component 1 in the key storage area, use the result as the key of the symmetric algorithm, and decrypt all keys in the key storage area into memory. Power-up initialization is now complete.
Preferably, the recovery initialization of step 8 can only be carried out on an encryption device in the initial state, and only if at least one intact administrator cryptographic storage medium is available; it is carried out as one continuous sequence of the following steps:
Step 1: clear all keys from the key storage area of the encryption device; generate two 128-bit symmetric keys, called component 1 and component 2; store component 1 in the key storage area of the encryption device, and discard component 2;
Step 2: recover the key backup key: take any two of the three components of the key backup key, decrypt them with the custodians' passwords, combine the two decrypted components into the complete key backup key, and store it in the storage area of that key;
Step 3: recover the device key: retrieve key protection key component 2 from the administrator's cryptographic storage medium and add it modulo 2 (XOR) to the key backup key; use the result as the key of the symmetric algorithm to decrypt the backed-up device key, and store it in the storage area of that key; the encryption device is then in the ready state;
Step 4: store the device key: retrieve key protection key component 2 from the administrator's cryptographic storage medium and add it modulo 2 (XOR) to key protection key component 1 in the key storage area; use the result as the key of the symmetric algorithm to encrypt the device key and the key backup key, compute a checksum over the ciphertext, and store the checksum together with the ciphertext in the key storage area of the encryption device. Recovery initialization is now complete.
Embodiment 2
Some features of the keys and the conversion steps are elaborated below with reference to the figures, to ensure the safe management of keys; by explaining the initialization mode and process of each class of key initialization, the safe use of keys is ensured, thereby solving the problem of making the encryption device safe and reliable in key management and use.
I. Generation and storage of keys:
1. Device key: its signature key pair is generated by the encryption device during original initialization, and once this key has been generated the encryption device is in the ready state. In this state its public key can be exported at any time to apply for a certificate from a certification authority. The device encryption key pair is generated by an external key management center; its private key is protected in a digital envelope under the device signature public key and can then be downloaded into the encryption device. The device key is stored in the key storage area of the encryption device, encrypted with the key protection key.
2. Administrator signature key: generated by the administrator's cryptographic storage medium during original initialization; its public key is exported to the encryption device, which issues its certificate with the device signature private key.
3. Key backup key: generated by the encryption device during original initialization, and stored encrypted in the key storage area of the encryption device.
4. Key protection key: two components. Component 1 is generated during original initialization or recovery initialization and is stored in the key storage area of the encryption device; component 2 is generated by the encryption device during original initialization and is stored in the administrator's cryptographic storage medium.
II. Backup and recovery of keys:
The critical keys in the encryption device need to be backed up so that, when the keys in the device are damaged or the device is replaced, the keys can be recovered in time.
The keys in the encryption device that need backup are: the key backup key, the device key and the user working keys.
When several encryption devices form a cluster service, the device key and the user working keys must be identical across all of them; the operation that achieves this is called key synchronization, and it is likewise realized through the key backup and recovery mechanism. Key backup key: it is split into 3 components by a secret sharing mechanism, each component is encrypted with the password of one of 3 custodians and kept by that custodian, which backs up this key; for recovery, the components kept by any 2 custodians are decrypted with the corresponding passwords and combined inside the encryption device into the complete key, which recovers this key. Other keys: key protection key component 2 from the administrator's cryptographic storage medium is added modulo 2 (XOR) to the key backup key, the result is used as the key of the symmetric algorithm to encrypt the keys that need backup, and the ciphertext is stored on a medium, which backs up these keys; for recovery, the same key is generated in the same way and used to decrypt the ciphertext on the medium, which recovers these keys.
III. Update and revocation of keys
The device key, the key backup key and key protection key component 2 cannot be updated or revoked unless original initialization is carried out again.
Key protection key component 1 can be updated during recovery initialization, but cannot be revoked.
User working keys can be added, updated and revoked by index number.
IV. Initialization of keys
Key initialization serves mainly to generate and install keys, and is divided into original initialization, recovery initialization and power-up initialization. Original initialization comprises: generating the device key, the administrator certificates, the key backup key and the key protection key inside the encryption device, storing the generated keys encrypted in the key storage area, and backing them up. Recovery initialization comprises: recovering the key backup key, recovering each previously backed-up key, and storing the recovered keys encrypted in the key storage area. Power-up initialization comprises: reading the ciphertext of the key backup key and the user working keys from the key storage area, decrypting it, and holding the result in the key storage area in memory.
In summary, the foregoing is only a preferred embodiment of the present invention; all equivalent changes and modifications made within the scope of the claims of this application fall within the scope of protection of the present patent.

Claims (1)

1. A key management method, characterized in that the steps of the key management are as follows:
Step 1: perform original initialization on the encryption device in the initial state: clear all keys from the key storage area of the encryption device; generate two 128-bit symmetric keys, called component 1 and component 2; store component 1 in the key storage area of the encryption device, where it forms key protection key component 1; hold component 2 temporarily in memory, where it forms key protection key component 2;
Step 2: then generate the device signature key: generate a public/private key pair and store it, as the device's signature key, in the signature key storage area of that key, and permit the device signature key to be copied to the device encryption key storage area while the encryption device is in the ready state;
Step 3: then generate the administrator signature key: on a cryptographic storage medium that supports asymmetric cryptographic algorithms, generate a public/private key pair as the administrator signature key; the public key of the administrator signature key is signed into an administrator certificate with the device signature private key, and the administrator certificate together with key protection key component 2 is downloaded into the administrator's cryptographic storage medium;
Step 4: repeat step 3 until all administrator certificates have been issued, then clear key protection key component 2 from memory;
Step 5: then generate the key backup key: clear the user working key storage area of the encryption device, generate a 128-bit symmetric key as the key backup key and store it in the key backup key storage area; split this key into three parts by a secret sharing mechanism, encrypt each of the three key components separately with the password of one of three custodians, and hand the ciphertexts to the three custodians for safekeeping;
Step 6: back up the device key: retrieve key protection key component 2 from the administrator's cryptographic storage medium and add it modulo 2 (XOR) to the key backup key; use the result as the key of a symmetric algorithm to encrypt the device key, and keep the encrypted result separately. The device key is an asymmetric-algorithm key and the identity key of the encryption device, used for exchanging information with the management center, issuing administrator certificates and verifying administrator signatures;
Step 7: then store the device key: retrieve key protection key component 2 from the administrator's cryptographic storage medium and add it modulo 2 (XOR) to key protection key component 1 in the key storage area of the encryption device; use the result as the key of a symmetric algorithm to encrypt the device key and the key backup key, compute a checksum over the ciphertext, and store the checksum together with the ciphertext in the key storage area of the encryption device. Original initialization is now complete;
Step 8: an encryption device that has completed the above steps and is in the ready state performs power-up initialization: first check the checksum of the device key and the key backup key in the key storage area of the encryption device; if the checksum is wrong, repeat steps 1 to 7 above as recovery initialization; if the checksum is correct, retrieve key protection key component 2 from the administrator's cryptographic storage medium, add it modulo 2 (XOR) to key protection key component 1 in the key storage area of the encryption device, use the result as the key of the symmetric algorithm, and decrypt all keys in the key storage area of the encryption device into memory. Power-up initialization is now complete.

Priority Applications (1)

Application number: CN201010515064.7A (CN101986596B); priority date: 2010-10-21; filing date: 2010-10-21; title: Key management mechanism


Publications (2)

CN101986596A, published 2011-03-16
CN101986596B, published 2014-06-25

Family

Family ID: 43710902





Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C14   Grant of patent or utility model
GR01  Patent grant
CF01  Termination of patent right due to non-payment of annual fee (granted publication date: 20140625; termination date: 20191021)