CN102013976B - Key management method and system - Google Patents


Info

Publication number: CN102013976B
Authority: CN (China)
Legal status: Active
Application number: CN201010597643.0A
Other languages: Chinese (zh)
Other versions: CN102013976A
Inventors: 李志勇, 颜湘, 张化鹏
Assignee: China Iwncomm Co Ltd

Abstract

The invention relates to a key management method and system. The method comprises the following steps: 1) a block cipher is used to compute a message integrity check code (MIC) over a number of key custodian passwords, giving a MIC check value; and 2) the MIC check value obtained in step 1 serves as the basis for authenticating the identity of each key custodian, after which the key management operation is completed. With the key management method and system provided by the invention, the key custodian passwords are protected from disclosure and the reliability of key management is improved.

Description

Key management method and system
Technical field
The invention belongs to the field of information security technology and relates to a key management method and system.
Background
It is a basic principle of modern cryptography that all secrecy resides in the key. In a public-key cryptosystem the security of the key material determines the reliability of the whole communication process, and an effective key management method is what gives that security a sound basis. In the practical implementation of key management, having several key custodians (key persons) carry out each key management operation jointly is the main form of security control in use today. A cryptographic algorithm may be public and a cryptographic device may be lost, but the key must not be disclosed: once the key is disclosed, the encrypted information can be decrypted completely and no confidentiality remains. Moreover, stealing a key costs far less than breaking the cipher, and in many network attack incidents the management of the keys is the link that is attacked. Strengthening key management is therefore essential to improving the security of a system. As shown in Fig. 1, key management is a composite technique; in the general case it comprises five kinds of operations: key generation and update, custodian password update, key recovery, key backup and key destruction. The flow of each of these five operations includes a verification of the custodian passwords (the step shown in Fig. 1). The custodian passwords are, however, at risk of being disclosed, and this exposes the key management system to attack.
Summary of the invention
To solve the technical problem present in the background art described above, the invention provides a key management method and system that prevent the custodian passwords from being disclosed and so improve the reliability of key management.
The technical solution of the invention is as follows. The invention provides a key management method, characterised in that it comprises the following steps:
1) a block cipher is used to compute a message integrity check code (MIC) over a number of key custodian passwords, giving a MIC check value;
2) the MIC check value obtained in step 1) serves as the basis for authenticating the identity of each custodian, and the key management operation is then completed.
The key management operations comprise key generation and update, custodian password update, key recovery, key backup and key destruction.
The custodians carry out either key management operations in which all custodians participate, or key management operations in which any custodians may participate (custodian-optional operations).
When the custodians carry out an operation in which all custodians participate, all of them are present and take part at the same time, and step 1) is implemented as follows:
1.1.1) one custodian password is chosen arbitrarily from the custodian passwords and used to construct Key;
1.1.2) all custodian passwords other than the one used in step 1.1.1) are used to construct the data;
1.1.3) the block cipher, keyed with the Key constructed in step 1.1.1), computes the MIC over the data constructed in step 1.1.2); the MIC result is the MIC check value.
When the method is used for an operation in which all custodians participate, step 2) is implemented as follows:
2.1.1) one custodian password is chosen from the custodian passwords and used to construct Key', where the custodian chosen for Key' is the same custodian that was chosen for Key in step 1.1.1), and Key' is constructed in the same way as Key;
2.1.2) all custodian passwords other than the one used in step 2.1.1) are used to construct the data;
2.1.3) the block cipher, keyed with the Key' constructed in step 2.1.1), computes the MIC over the data constructed in step 2.1.2); the result is the MIC' check value. The way the input data are constructed and the order in which they are input when computing MIC' are the same as when computing MIC in step 1.1.3);
2.1.4) the MIC' check value from step 2.1.3) is compared with the MIC check value from step 1.1.3); if they match, the custodians are allowed to carry out the key management operation, otherwise the key management operation is abandoned.
When the custodians carry out a custodian-optional operation, the number of custodians is M and the number of custodians that take part in the operation is N, where M > N ≥ 2. Step 1) is then implemented as follows:
1.2.1) the M custodians are numbered in natural order 1, 2, 3, ..., M-1, M;
1.2.2) any N of the M custodians are chosen to form a combination; there are C(M,N) such combinations in all. Within any combination, the password of the lowest-numbered of the N custodians is used to construct Key;
1.2.3) the passwords of the remaining N-1 custodians, other than the one used in step 1.2.2), are used to construct the data;
1.2.4) the block cipher, keyed with the Key constructed in step 1.2.2), computes the MIC over the data constructed in step 1.2.3); the MIC result is the MIC check value;
1.2.5) the next of the C(M,N) combinations of N custodians chosen from the M is taken, and the MIC over the N custodian passwords of that combination is computed in the same way as in steps 1.2.2) to 1.2.4);
1.2.6) step 1.2.5) is repeated until the MIC results for all C(M,N) combinations have been obtained.
When the custodians carry out a custodian-optional operation and that operation is key backup, all M custodians take part at the same time, and step 2) is implemented as follows:
2.2.1.1) the combination of custodians 1 to N is chosen first, and the first custodian's password is used to construct Key';
2.2.1.2) the passwords of the remaining N-1 custodians, other than the one used in step 2.2.1.1), are used to construct the data;
2.2.1.3) the block cipher, keyed with the Key' constructed in step 2.2.1.1), computes MIC' over the data constructed in step 2.2.1.2). Key' is constructed in the same way as Key in step 1.2.2), and the way the input data are constructed and the order in which they are input when computing MIC' are the same as when computing MIC in step 1.2.4);
2.2.1.4) the MIC' result is compared one by one with each MIC obtained in step 1.2.4); if a match is found, the MIC' computation and the one-by-one comparison with each stored MIC are carried out for the next combination, otherwise the key management operation is abandoned. The next combination is formed by removing the lowest-numbered custodian from the current combination and adding the custodian whose number follows the highest number in the current combination (the highest number incremented by 1). The combination that includes custodian M is the last combination for which MIC' is computed and compared one by one with each stored MIC.
When the custodians carry out a custodian-optional operation and that operation is custodian password update, all M custodians take part at the same time, and step 2) is implemented as follows:
2.2.2.1) the combination of custodians 1 to N is chosen first, and the first custodian's password is used to construct Key';
2.2.2.2) the passwords of the remaining N-1 custodians, other than the one used in step 2.2.2.1), are used to construct the data;
2.2.2.3) the block cipher, keyed with the Key' constructed in step 2.2.2.1), computes MIC' over the data constructed in step 2.2.2.2). Key' is constructed in the same way as Key in step 1.2.2), and the way the input data are constructed and the order in which they are input when computing MIC' are the same as when computing MIC in step 1.2.4);
2.2.2.4) the MIC' result is compared one by one with each MIC obtained in step 1.2.4); if a match is found, the MIC' computation and the one-by-one comparison with each stored MIC are carried out for the next combination, otherwise the key management operation is abandoned. The next combination is formed by removing the lowest-numbered custodian from the current combination and adding the custodian whose number follows the highest number in the current combination (the highest number incremented by 1). The combination that includes custodian M is the last combination for which MIC' is computed and compared one by one with each stored MIC.
When the custodians carry out a custodian-optional operation and that operation is key generation and update, key recovery or key destruction, any N of the M custodians carry out the operation, and step 2) is implemented as follows:
2.2.3.1) the password of the lowest-numbered of the N custodians is used to construct Key';
2.2.3.2) the passwords of the remaining N-1 custodians, other than the one used in step 2.2.3.1), are used to construct the data;
2.2.3.3) the block cipher, keyed with the Key' constructed in step 2.2.3.1), computes MIC' over the data constructed in step 2.2.3.2), giving the MIC' result. Key' is constructed in the same way as Key in step 1.2.2), and the way the input data are constructed and the order in which they are input when computing MIC' are the same as when computing MIC in step 1.2.4);
2.2.3.4) this MIC' is compared one by one with each MIC obtained in step 1.2.4); if some MIC is identical to MIC', the comparison succeeds and the key generation and update, key recovery or key destruction operation is allowed to proceed; otherwise the key management operation is abandoned.
A key management system, characterised in that it comprises: a custodian password input module for obtaining the custodian passwords; a custodian password verification module that uses a block cipher to compute the message integrity check code (MIC) over the custodian passwords and uses the result as the basis for authenticating the identity of each custodian; and a key management operation module that issues the key management operations. The key management operations are key generation and update, custodian password update, key recovery, key backup and key destruction.
Advantages of the invention:
The invention provides a key management method and system whose innovation lies in the custodian password verification step, and which thereby improves the reliability of key management. Its advantages are as follows:
1. The custodian passwords are not compared directly; instead the MIC value computed over the custodian passwords is compared. The system therefore need not store the custodian passwords, only their MIC value. Because the MIC computation is irreversible, even if the MIC value is obtained the plaintext custodian passwords cannot be recovered from it by working backwards, so the risk of custodian password disclosure is reduced.
2. With this method the hashed information of several custodian passwords can be judged together, which reduces the complexity of custodian password verification.
3. The MIC has to be stored in the device for later comparison, and the MIC value is a piece of data of fixed length: its length changes neither with the length of the custodian passwords nor with the number of custodians. The stored MIC value therefore has a fixed length, which reduces the demands on device memory and also makes the comparison convenient.
The invention uses a block cipher to compute a message integrity check code (MIC) over a number of custodian passwords and then uses the MIC check value as the basis for authenticating the identity of each custodian and deciding whether the key management operation is authorised. This method replaces the conventional method of comparing passwords directly in plaintext, reduces the risk of password disclosure and improves the reliability of key management.
Brief description of the drawings
Fig. 1 is a flow diagram of an existing key management system.
Fig. 2 is a flow diagram of the key management method provided by the invention.
Detailed description
Referring to Fig. 2, the invention provides a key management method that differs from the prior art as follows: the invention uses a block cipher to compute a message integrity check code (MIC) over a number of custodian passwords and then uses the MIC check value as the basis for authenticating the identity of each custodian and deciding whether the key management operation is authorised. This method replaces the conventional method of comparing passwords directly in plaintext, reduces the risk of password disclosure and improves the reliability of key management.
The method and system provided by the invention are now described in detail with reference to Fig. 2.
In a first embodiment of the invention, all of the custodians (M of them) take part in every key management operation: when key generation and update, custodian password update, key recovery, key backup or key destruction is carried out, all M custodians are present and take part at the same time. The method comprises the following steps:
When the key management system is created (there are at least two custodians, M ≥ 2):
(1) one custodian password is chosen arbitrarily to construct Key (the cipher key), and the other custodian passwords construct the data; the block cipher, keyed with Key, computes the MIC over the data, giving the MIC result. (How Key and the data are constructed depends on the key and data input requirements of the chosen block cipher, which may be any known algorithm.)
(2) the MIC computed in step (1) is stored.
When the key management system is used:
(3) the same operation as in step (1) is applied to the custodian passwords: one custodian password is chosen to construct Key' (the cipher key), the other custodian passwords construct the data, and the block cipher keyed with Key' computes MIC' over the data, giving the MIC' result. The custodian whose password constructs Key' is the same custodian whose password constructed Key in step (1), and Key' is constructed in the same way as Key; the way the MIC' input data are constructed and the order in which they are input are the same as for the MIC input data in step (1). MIC' is then compared with the MIC stored in step (2).
(4) if the comparison succeeds, the subsequent key management operation (key generation and update, custodian password update, key recovery, key backup or key destruction) is allowed; otherwise the operation is abandoned.
In a second embodiment of the invention, the custodian password update and key backup operations are carried out with all M custodians taking part: when custodian password update or key backup is performed, all M custodians are present and take part at the same time. Key generation and update, key recovery and key destruction, on the other hand, are carried out by any N custodians chosen from the M: when these operations are performed, at least N of the M custodians must be present at the same time, N of them take part, and the remaining M-N custodians do not take part. The method comprises the following steps. When the key management system is created (there are at least two custodians, M > N ≥ 2):
(1) the M custodians are numbered in natural order 1, 2, 3, ..., M-1, M; once the key management system has been created, each custodian's number remains unchanged;
(2) any N of the M custodians are chosen to form a combination; there are C(M,N) such combinations in all. Within any combination, the password of the lowest-numbered of the N custodians constructs Key, the passwords of the remaining N-1 custodians construct the data, the block cipher computes the MIC over the custodian passwords, and the MIC result is stored. (How Key and the data are constructed depends on the key and data input requirements of the chosen block cipher, which may be any known algorithm.)
(3) the next of the C(M,N) combinations of N custodians chosen from the M is taken, the MIC over the N custodian passwords of that combination is computed in the same way as in step (2), and the MIC result is stored;
(4) step (3) is repeated until all C(M,N) combinations have been covered and the MIC value corresponding to each combination has been stored.
When the key management system is used:
(5) when the key management operation is key generation and update, key recovery or key destruction, any N of the M custodians carry out the operation. The password of the lowest-numbered of the N custodians constructs Key', the passwords of the remaining N-1 custodians construct the data, and the block cipher computes MIC' over the custodian passwords, giving the MIC' result; Key' is constructed in the same way as Key in step (2), and the way the MIC' input data are constructed and the order in which they are input are the same as for the MIC input data in step (2). This MIC' is compared one by one with each stored MIC; if some stored MIC is identical to MIC', the comparison succeeds and the subsequent key generation and update, key recovery or key destruction operation is allowed; otherwise the operation is abandoned.
When the operation is custodian password update, all M custodians must take part at the same time. The combination of custodians 1 to N is chosen first; the first custodian's password constructs Key', the passwords of the remaining N-1 custodians construct the data, and the block cipher computes MIC' over the custodian passwords, giving the MIC' result, with Key' constructed in the same way as Key in step (2) and the MIC' input data constructed and ordered in the same way as the MIC input data in step (2). The MIC' result is compared one by one with each stored MIC; if a match is found, the MIC' computation and the one-by-one comparison with each stored MIC are carried out for the next combination, otherwise the operation is abandoned. The next combination is formed by removing the lowest-numbered custodian from the current combination and adding the custodian whose number follows the highest number in the current combination (the highest number incremented by 1). In every combination Key' is constructed from the lowest-numbered custodian's password, the remaining N-1 custodian passwords construct the data for the MIC' computation, and the result is compared one by one with each stored MIC; the comparison is complete once the highest-numbered of the M custodians has taken part in a computation. If every comparison succeeds, steps (2), (3) and (4) are carried out again, this time with the custodians' new passwords as the passwords that enter the computation.
When the operation is key backup, all M custodians must take part at the same time. The combination of custodians 1 to N is chosen first; the first custodian's password constructs Key', the passwords of the remaining N-1 custodians construct the data, and the block cipher computes MIC' over the custodian passwords, giving the MIC' result, with Key' constructed in the same way as Key in step (2) and the MIC' input data constructed and ordered in the same way as the MIC input data in step (2). The MIC' result is compared one by one with each stored MIC; if a match is found, the MIC' computation and the one-by-one comparison with each stored MIC are carried out for the next combination, otherwise the operation is abandoned. The next combination is formed by removing the lowest-numbered custodian from the current combination and adding the custodian whose number follows the highest number in the current combination (the highest number incremented by 1). In every combination Key' is constructed from the lowest-numbered custodian's password, the remaining N-1 custodian passwords construct the data for the MIC' computation, and the result is compared one by one with each stored MIC; the comparison is complete once the highest-numbered of the M custodians has taken part in a computation. If every comparison succeeds, the subsequent key backup operation is allowed.
In addition to the key management method, the invention also provides a key management system. The system comprises: a custodian password input module for obtaining the custodian passwords; a custodian password verification module that uses a block cipher to compute the message integrity check code (MIC) over the custodian passwords and uses the result as the basis for authenticating the identity of each custodian; and a key management operation module that issues the key management operations. The key management operations are key generation and update, custodian password update, key recovery, key backup and key destruction.
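The following is an added example, not code from the patent or from China Iwncomm, that implements the M-choose-N scheme of the summary (steps 1.2.1 to 2.2.3.4) and of the second embodiment above in Go: enrolment stores one MIC per C(M,N) combination, VerifyAnyN is the any-N check and VerifyAllM is the sliding-window check with all M present. The patent leaves the block cipher and the construction of Key and the data open; the example assumes AES-128 in CBC-MAC mode over a length-prefixed encoding, a Key taken from SHA-256 of the chosen custodian's password, and custodians passed as a map from custodian number to password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// The "MIC computed with a block encryption algorithm": AES-128 in CBC-MAC
// mode, zero IV, with a leading length block so variable-length data is prefix-free.
func blockCipherMIC(key, data []byte) []byte {
	bc, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key is always 16 bytes here
	}
	msg := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(msg[8:], uint64(len(data)))
	msg = append(msg, data...)
	msg = append(msg, make([]byte, (aes.BlockSize-len(msg)%aes.BlockSize)%aes.BlockSize)...) // zero pad
	cipher.NewCBCEncrypter(bc, make([]byte, aes.BlockSize)).CryptBlocks(msg, msg)
	return msg[len(msg)-aes.BlockSize:] // the last CBC block is the MIC
}

// Steps 1.2.2-1.2.4 for one combination. Key (assumed construction): first 16
// bytes of SHA-256 of the lowest-numbered custodian's password. Data (assumed):
// the other N-1 passwords in number order, each with a 2-byte length prefix.
// pws maps custodian number (1..M) to that custodian's password; it is never stored.
func micForGroup(numbers []int, pws map[int]string) []byte {
	nums := append([]int(nil), numbers...)
	sort.Ints(nums)
	key := sha256.Sum256([]byte(pws[nums[0]]))
	var data []byte
	for _, k := range nums[1:] {
		data = append(data, byte(len(pws[k])>>8), byte(len(pws[k])))
		data = append(data, pws[k]...)
	}
	return blockCipherMIC(key[:16], data)
}

// Called with (M, N, 1, nil) this yields the C(M,N) combinations of custodians 1..M.
func combinations(m, n, from int, prefix []int) (out [][]int) {
	if len(prefix) == n {
		return [][]int{append([]int(nil), prefix...)}
	}
	for i := from; i <= m; i++ {
		out = append(out, combinations(m, n, i+1, append(prefix, i))...)
	}
	return out
}

// Creation-time step 1): one MIC per combination is stored; no password is.
func Enroll(pws map[int]string, n int) (stored [][]byte) {
	for _, g := range combinations(len(pws), n, 1, nil) {
		stored = append(stored, micForGroup(g, pws))
	}
	return stored
}

// MIC' is compared against every stored MIC, in constant time per entry.
func matchesStored(stored [][]byte, mic []byte) bool {
	for _, s := range stored {
		if hmac.Equal(s, mic) {
			return true
		}
	}
	return false
}

// Step 2.2.3 (generate/update, recover, destroy): any N custodians are present
// and their MIC' must equal one of the stored MICs.
func VerifyAnyN(stored [][]byte, present map[int]string) bool {
	nums := make([]int, 0, len(present))
	for k := range present {
		nums = append(nums, k)
	}
	return matchesStored(stored, micForGroup(nums, present))
}

// Step 2.2.1 (backup, custodian password update): all M present. Walk the windows
// {1..N}, {2..N+1}, ... up to the one containing custodian M; every window must match.
func VerifyAllM(stored [][]byte, pws map[int]string, n int) bool {
	for start := 1; start+n-1 <= len(pws); start++ {
		window := make([]int, n)
		for i := range window {
			window[i] = start + i
		}
		if !matchesStored(stored, micForGroup(window, pws)) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample: M = 4 custodians, any N = 2 may act together.
	pws := map[int]string{1: "alpha-1", 2: "bravo-2", 3: "charlie-3", 4: "delta-4"}
	stored := Enroll(pws, 2) // C(4,2) = 6 stored MICs
	fmt.Println(len(stored), VerifyAnyN(stored, map[int]string{2: "bravo-2", 4: "delta-4"}),
		VerifyAnyN(stored, map[int]string{2: "bravo-2", 4: "wrong"}), VerifyAllM(stored, pws, 2))
}
```

With N = M there is a single combination and VerifyAllM performs one check, which is the first embodiment. Because every input to the MIC is derived from the custodian passwords alone, the stored MICs still have to be kept confidential: whoever holds them can test candidate passwords against them offline.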

Claims (10)

1. A key management method, characterised in that it comprises the following steps:
1) a block cipher is used to compute a message integrity check code (MIC) over the custodian passwords, giving the MIC check value:
1.1) let the total number of custodians be M, where M ≥ 2;
1.2) any N of the M custodians are chosen to form a combination, where M ≥ N ≥ 2; the possible choices of custodians then give C(M,N) combinations;
1.3) when the block cipher is to be used to compute the MIC, the way Key is chosen and constructed, and the way the data are constructed, are fixed; Key is constructed from the password held by one of the N chosen custodians, and the data are constructed from the passwords held by the remaining N-1 chosen custodians;
1.4) following the choice and construction of Key and the construction of the data fixed in step 1.3), the block cipher computes the MIC. Specifically: Key is generated according to the choice and construction fixed in step 1.3), the data are generated according to the data construction fixed in step 1.3), the block cipher computes the MIC, and the resulting MIC value is stored as the basis for authenticating the custodians' identities;
1.5) another of the C(M,N) combinations of step 1.2) is chosen and step 1.4) is repeated, until all C(M,N) combinations have been covered and C(M,N) MICs have been generated and stored;
2) the MIC check value obtained in step 1) serves as the basis for authenticating the identity of each custodian, and the key management operation is completed, as follows:
when the key management operation being carried out requires all custodians to participate:
2.1) any N of the M custodians are chosen, where M ≥ N ≥ 2;
2.2) MIC' is computed in exactly the way fixed in step 1) for the choice and construction of Key and the construction of the data. Specifically: using exactly the choice and construction of Key fixed in step 1), the password held by one of the N custodians constructs Key; using exactly the data construction fixed in step 1), the passwords held by the remaining N-1 custodians construct the data; and the block cipher computes MIC';
2.3) the generated MIC' is compared one by one with the C(M,N) MICs stored in step 1); if some MIC matches MIC', step 2.4) is carried out; otherwise custodian identity authentication fails and the key management operation is abandoned;
2.4) from the N chosen custodians, any one who has already taken part in steps 2.2) and 2.3) is removed and one who has not yet taken part in steps 2.2) and 2.3) is added, and the same operations as in steps 2.2) and 2.3) are carried out;
2.5) step 2.4) is repeated until all M custodians have taken part in the operations of steps 2.2) and 2.3); if every MIC' check succeeds, the key management operation is allowed, otherwise the key management operation is abandoned;
when the key management operation being carried out does not require all custodians to participate:
2.6) any N of the M custodians are chosen, where M ≥ N ≥ 2;
2.7) MIC' is computed in exactly the way fixed in step 1) for the choice and construction of Key and the construction of the data. Specifically: using exactly the choice and construction of Key fixed in step 1), the password held by one of the N custodians constructs Key; using exactly the data construction fixed in step 1), the passwords held by the remaining N-1 custodians construct the data; and the block cipher computes MIC';
2.8) the generated MIC' is compared one by one with the C(M,N) check codes MIC stored in step 1); if some MIC matches MIC', the identities of the chosen custodians are authenticated and the key management operation is allowed; otherwise the key management operation is abandoned.
2. The key management method according to claim 1, characterized in that the key management operation comprises key generation and update, key holder password update, key recovery, key backup and key destruction.
3. The key management method according to claim 2, characterized in that the key holders perform either a key management operation in which all key holders participate, in which case the number N of selected key holders satisfies N = M, or a key management operation in which the participating key holders are optional, in which case the number N of selected key holders satisfies M > N ≥ 2.
4. The key management method according to claim 3, characterized in that when the key holders perform a key management operation in which all key holders participate, all key holders are present and take part at the same time, the number N of selected key holders equals M, and step 1) is implemented as follows:
1.1.1) choose any one password from the passwords of the selected N key holders and construct Key from it;
1.1.2) construct the data from all key holder passwords other than the one used in step 1.1.1);
1.1.3) with the block cipher algorithm, compute the MIC over the data constructed in step 1.1.2) using the Key constructed in step 1.1.1); the result of the MIC computation is the MIC check value.
5. The key management method according to claim 4, characterized in that when the key management operation is one in which all key holders participate, the number N of selected key holders equals M, and step 2) is implemented as follows:
2.1.1) choose one password from the passwords of the selected N key holders and construct Key' from it, where the key holder whose password builds Key' is the same key holder whose password built Key in step 1.1.1), and Key' is constructed in the same way as Key;
2.1.2) construct the data from all key holder passwords other than the one used in step 2.1.1);
2.1.3) with the block cipher algorithm, compute the MIC over the data constructed in step 2.1.2) using the Key' constructed in step 2.1.1); the result is the MIC' check value; the construction and input order of the data in the MIC' computation are the same as the construction and input order of the data in the MIC computation of step 1.1.3);
2.1.4) compare the MIC' check value obtained in step 2.1.3) with the MIC check value obtained in step 1.1.3); if they match, the key holders are allowed to carry out the key management operation; if they do not match, the key management operation is aborted.
6. The key management method according to claim 3, characterized in that when the key holders perform a key management operation in which the participating key holders are optional, the number of key holders is M, the number of key holders participating in the operation is N, and M > N ≥ 2; step 1) is then implemented as follows:
1.2.1) number the M key holders 1, 2, 3, ..., M-1, M in natural order;
1.2.2) choose any N of the M key holders to form a combination; there are C(M,N) such combinations in total; in any combination, the password of the lowest-numbered key holder among the N is used to construct Key;
1.2.3) construct the data from the passwords of the remaining N-1 key holders not used in step 1.2.2);
1.2.4) with the block cipher algorithm, compute the MIC over the data constructed in step 1.2.3) using the Key constructed in step 1.2.2); the result of the MIC computation is the MIC check value;
1.2.5) choose the next of the C(M,N) combinations of N key holders and compute the MIC over the N key holder passwords of that combination in the same way as in steps 1.2.2) to 1.2.4), obtaining its MIC result;
1.2.6) repeat step 1.2.5) until the MIC results of all C(M,N) combinations have been obtained.
7. The key management method according to claim 6, characterized in that when the key holders perform a key management operation in which the participating key holders are optional, and the key management operation is key backup, all M key holders take part at the same time, and step 2) is implemented as follows:
2.2.1.1) take key holders 1 to N as the first combination and construct Key' from the password of key holder 1;
2.2.1.2) construct the data from the passwords of the remaining N-1 key holders not used in step 2.2.1.1);
2.2.1.3) with the block cipher algorithm, compute MIC' over the data constructed in step 2.2.1.2) using the Key' constructed in step 2.2.1.1); Key' is constructed in the same way as Key in step 1.2.2), and the data are constructed and input in the same order as in the MIC computation of step 1.2.4);
2.2.1.4) compare the MIC' result one by one with each MIC obtained in step 1.2.4); if a match is found, compute MIC' for the next combination and compare it one by one with each stored MIC, otherwise abort the key management operation; the next combination is formed by removing the lowest-numbered key holder from the current combination and adding the key holder whose number follows the highest number in the current combination, that is, the highest number in the current combination plus 1; the combination containing key holder M is the last one for which MIC' must be computed and compared one by one with the stored MICs.
8. The key management method according to claim 6, characterized in that when the key holders perform a key management operation in which the participating key holders are optional, and the key management operation is key holder password update, all M key holders take part at the same time, and step 2) is implemented as follows:
2.2.2.1) take key holders 1 to N as the first combination and construct Key' from the password of key holder 1;
2.2.2.2) construct the data from the passwords of the remaining N-1 key holders not used in step 2.2.2.1);
2.2.2.3) with the block cipher algorithm, compute MIC' over the data constructed in step 2.2.2.2) using the Key' constructed in step 2.2.2.1); Key' is constructed in the same way as Key in step 1.2.2), and the data are constructed and input in the same order as in the MIC computation of step 1.2.4);
2.2.2.4) compare the MIC' result one by one with each MIC obtained in step 1.2.4); if a match is found, compute MIC' for the next combination and compare it one by one with each stored MIC, otherwise abort the key management operation; the next combination is formed by removing the lowest-numbered key holder from the current combination and adding the key holder whose number follows the highest number in the current combination, that is, the highest number in the current combination plus 1; the combination containing key holder M is the last one for which MIC' must be computed and compared one by one with the stored MICs.
9. The key management method according to claim 6, characterized in that when the key holders perform a key management operation in which the participating key holders are optional, and the key management operation is key generation and update, key recovery or key destruction, any N of the M key holders are chosen to perform the operation, and step 2) is implemented as follows:
2.2.3.1) construct Key' from the password of the lowest-numbered of the N key holders;
2.2.3.2) construct the data from the passwords of the remaining N-1 key holders not used in step 2.2.3.1);
2.2.3.3) with the block cipher algorithm, compute MIC' over the data constructed in step 2.2.3.2) using the Key' constructed in step 2.2.3.1), obtaining the MIC' result; Key' is constructed in the same way as Key in step 1.2.2), and the data are constructed and input in the same order as in the MIC computation of step 1.2.4);
2.2.3.4) compare this MIC' one by one with each MIC obtained in step 1.2.4); if some MIC is identical to MIC', the comparison succeeds and the key generation and update, key recovery or key destruction operation is allowed to proceed; otherwise the key management operation is aborted.
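The enrolment of claim 6 and the two verification modes of claims 7 to 9, as an added example that is not the patent's own code. The claims leave the block cipher and the construction of Key and data open, so this example assumes a hashed password as Key, length-prefixed passwords in holder-number order as data, and HMAC-SHA256 from the standard library as a stand-in for the block-cipher MIC; the sliding windows of claims 7 and 8 are shown as one instance of the rotation in steps 2.4) and 2.5).

```python
import hashlib
import hmac
from itertools import combinations


def derive_key(password):
    # Assumption: the claims leave "how Key is constructed" open; here the
    # UTF-8 password is hashed to a fixed-length key for the MIC function.
    return hashlib.sha256(password.encode("utf-8")).digest()


def build_data(passwords):
    # Assumption: the remaining passwords are length-prefixed and concatenated
    # in holder-number order, which fixes the "input order" of step 1.2.4).
    out = b""
    for pw in passwords:
        raw = pw.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def mic(key, data):
    # Stand-in for the block-cipher MIC (a CBC-MAC or CMAC in practice); the
    # claims do not name the cipher, so HMAC-SHA256 is used here instead.
    return hmac.new(key, data, hashlib.sha256).digest()


def mic_for_combination(numbered):
    # Steps 1.2.2) to 1.2.4): the lowest-numbered holder's password builds
    # Key, the other N-1 passwords (in number order) build the data.
    ordered = sorted(numbered)          # sequence of (number, password)
    key = derive_key(ordered[0][1])
    data = build_data(pw for _, pw in ordered[1:])
    return mic(key, data)


def enrol(passwords, n):
    # Steps 1.2.1) to 1.2.6): number the holders 1..M and store one MIC per
    # C(M,N) combination. Only the MICs are kept, never the passwords.
    m = len(passwords)
    if not m >= n >= 2:
        raise ValueError("need M >= N >= 2")
    numbered = list(enumerate(passwords, start=1))
    return {mic_for_combination(combo) for combo in combinations(numbered, n)}


def verify_subset(stored, present):
    # Claim 9 (steps 2.2.3.1 to 2.2.3.4): any N holders are present and MIC'
    # must equal one stored MIC. Constant-time compare, no early exit.
    candidate = mic_for_combination(present)
    matched = False
    for s in stored:
        matched |= hmac.compare_digest(candidate, s)
    return matched


def verify_sliding_windows(stored, passwords, n):
    # Claims 7 and 8 (steps 2.2.1.1 to 2.2.1.4): all M holders are present
    # and every window {1..N}, {2..N+1}, ..., {M-N+1..M} must verify.
    numbered = list(enumerate(passwords, start=1))
    for start in range(len(numbered) - n + 1):
        if not verify_subset(stored, numbered[start:start + n]):
            return False
    return True
```

Because a holder's number only fixes the input order, a password presented under the wrong number still verifies if the resulting Key and data match a stored combination; the stored MIC set therefore authenticates the set of passwords, not the numbering.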
10. A key management system, characterized in that the key management system comprises: a key holder password input module for obtaining the passwords of a number of key holders; a key holder password verification module for computing a message integrity check code MIC over the key holder passwords with a block cipher algorithm and using it to authenticate the identity of each key holder; and a key management operation implementation module for issuing the key management operation; the key management operation is key generation and update, key holder password update, key recovery, key backup or key destruction; the key holder password verification module computes the message integrity check code MIC and uses it to authenticate each key holder's identity as follows: 1) compute the message integrity check code MIC over the key holder passwords with the block cipher algorithm to obtain the MIC check values:
1.1) let the total number of key holders be M, where M ≥ 2;
1.2) choose any N of the M key holders to form a combination, where M ≥ N ≥ 2; there are then C(M,N) possible combinations of key holders;
1.3) determine, for the MIC computation with the block cipher algorithm, how Key is selected and constructed and how the data are constructed; Key is constructed from the password held by one of the selected N key holders, and the data are constructed from the passwords held by the remaining N-1 selected key holders;
1.4) compute the message integrity check code MIC with the block cipher algorithm according to the Key selection and construction and the data construction determined in step 1.3); specifically: generate Key as determined in step 1.3), generate the data as determined in step 1.3), compute the MIC with the block cipher algorithm, and store the resulting MIC value as the basis for authenticating the key holders' identity;
1.5) choose another of the C(M,N) combinations of step 1.2) and repeat the operation of step 1.4) until all C(M,N) combinations have been covered, so that C(M,N) MICs are generated and stored;
The key management operation implementation module issues the key management operation, where: when the key management operation being performed requires all key holders to participate:
2.1) choose N key holders arbitrarily from the M key holders, where M ≥ N ≥ 2;
2.2) compute MIC' using exactly the same Key selection and construction and the same data construction as determined in step 1); specifically: in the way determined in step 1) for selecting and constructing Key, choose the password held by one of the N key holders and construct Key from it; in the way determined in step 1) for constructing the data, construct the data from the passwords held by the remaining N-1 key holders; then compute the message integrity check code MIC' with the block cipher algorithm;
2.3) compare the generated MIC' one by one with the C(M,N) MICs stored in step 1); if some stored MIC matches MIC', go to step 2.4); otherwise the key holders' identity authentication fails and the key management operation is aborted;
2.4) from the selected N key holders, remove any one who has already participated in steps 2.2) and 2.3), add one who has not yet participated in steps 2.2) and 2.3), and perform the same operations as in steps 2.2) and 2.3);
2.5) repeat step 2.4) until all M key holders have participated in the operations of steps 2.2) and 2.3); if every MIC' verification succeeds, the key management operation is allowed to proceed, otherwise it is aborted;
When the key management operation being performed does not require all key holders to participate:
2.6) choose N key holders arbitrarily from the M key holders, where M ≥ N ≥ 2;
2.7) compute MIC' using exactly the same Key selection and construction and the same data construction as determined in step 1); specifically: in the way determined in step 1) for selecting and constructing Key, choose the password held by one of the N key holders and construct Key from it; in the way determined in step 1) for constructing the data, construct the data from the passwords held by the remaining N-1 key holders; then compute the message integrity check code MIC' with the block cipher algorithm;
2.8) compare the generated MIC' one by one with the C(M,N) check codes MIC stored in step 1); if some stored MIC matches MIC', the selected key holders' identity authentication passes and the key management operation is allowed to proceed; otherwise the key management operation is aborted.
CN201010597643.0A 2010-12-20 2010-12-20 Key management method and system Active CN102013976B (en)

Publications (2)

Publication Number Publication Date
CN102013976A CN102013976A (en) 2011-04-13
CN102013976B true CN102013976B (en) 2013-07-31
