CN103067158B

CN103067158B - Encrypting and decrypting method, encrypting and decrypting device and key management system

Info

Publication number: CN103067158B
Application number: CN201210579409.4A
Authority: CN
Inventors: 商海波; 朱建
Original assignee: Huawei Technologies Co Ltd
Current assignee: Huawei Technologies Co Ltd
Priority date: 2012-12-27
Filing date: 2012-12-27
Publication date: 2015-12-02
Anticipated expiration: 2032-12-27
Also published as: CN103067158A

Abstract

The invention discloses a kind of encrypting and decrypting method, encrypting and decrypting device and key management system, described encrypting and decrypting method comprises: terminal sends key seed to gateway and obtains request, and described key seed obtains in request and at least carries the user ID of described terminal and the mark of described terminal; Described terminal receives gateway and obtains the key seed asking to return according to described key seed; Described terminal generates key according to described key seed, and uses described double secret key file to be encrypted to be encrypted operation, or uses described double secret key file to be decrypted to be decrypted operation.In the embodiment of the present invention, by key seed is stored on gateway, and file to be encrypted or file to be decrypted are stored in terminal, achieve key seed to store with file to be encrypted or separating of file to be decrypted, ensure the fail safe of key seed, thus improve the fail safe of file encryption or deciphering.

Description

Encrypting and decrypting method, encrypting and decrypting device and key management system

Technical field

The present invention relates to computer and communication technical field, particularly relate to a kind of encrypting and decrypting method, encrypting and decrypting device and key management system.

Background technology

At present, along with the development of the communication technology, the application of data encrypting and deciphering technology is more and more extensive.

Such as, in mobile office application, mobile office user needs to access corporate intranet by mobile intelligent terminal usually, carry out receiving and dispatching mail, download official document, browse the operations such as enterprise web site, these operations are inevitably stored in mobile intelligent terminal many data, file, as Email attachment, local mail, enterprises data, browsing history etc., is wherein no lack of corporate secret even confidential information.In order to avoid the leakage of these information, the data deposited at mobile intelligent terminal these and file is needed to be encrypted.

Comparatively popular intelligent mobile terminal operating system has iOS system and android system at present.IOS system utilizes AES (AdvancedEncryptionStandard, Advanced Encryption Standard)-256 cryptographic algorithm to carry out data encryption usually.In this encryption method; key seed is stored in mobile intelligent terminal this locality; and with PIN (PersonalIdentificationNumber; the PIN of SIM card) code or screen locking cryptoguard key seed; but PIN code or screen locking password are users oneself to be arranged; complexity is usually inadequate, is easily cracked, thus can causes the leakage of key seed.Such as, iOS system acquiescence use 4 bit digital is as PIN code, then can the method for exhaustion be utilized relatively easily to crack PIN code and extract the key seed of AES-256 algorithm, thus the key that can generate according to key seed obtains all clear datas in terminal, also ciphertext, key all can be transferred on other equipment.Can find out, this encryption method fail safe is not high.And android system utilizes AES-128 cryptographic algorithm enciphered data usually; and the cryptoguard encryption key using user oneself to arrange; the password complexity arranged due to user oneself is usually inadequate, and be easily cracked, therefore its encryption method exists the not high defect of fail safe equally.

Summary of the invention

The embodiment of the present invention provides encrypting and decrypting method and device, to solve the not high problem of prior art file encrypting and decrypting fail safe.

In order to solve the problems of the technologies described above, the embodiment of the invention discloses following technical scheme:

First aspect, provides a kind of encrypting and decrypting method, and described method comprises:

Terminal sends key seed to gateway and obtains request, and described key seed obtains in request and at least carries the user ID of described terminal and the mark of described terminal;

Described terminal receives gateway and obtains the key seed asking to return according to described key seed;

Described terminal generates key according to described key seed, and uses described double secret key file to be encrypted to be encrypted operation, or uses described double secret key file to be decrypted to be decrypted operation.

In the first possible implementation of first aspect, if described file to be decrypted comprises cipher key index, then described key seed obtains request and also carries described cipher key index.

In the implementation that the second of first aspect is possible, described terminal generates key according to described key seed, and uses described double secret key file to be encrypted to be encrypted operation, comprising:

Described terminal generates key according to the mark of described key seed, user ID and terminal, use described double secret key file to be encrypted to be encrypted operation, and end of file adds the cipher key index that described key seed is corresponding after encryption;

Described terminal generates key according to described key seed, and uses described double secret key file to be decrypted to be decrypted operation, comprising:

Described terminal generates key according to the mark of described key seed, user ID and terminal, uses described double secret key file to be decrypted to be decrypted operation, then removes the cipher key index of the rear end of file of deciphering.

In the third possible implementation of first aspect, described terminal every predetermined period, to the key seed that described gateway requests is new, to generate new key.

In any one possible implementation above-mentioned of first aspect or first aspect, additionally provide the 4th kind of possible implementation of first aspect, described terminal generates key according to described key seed, is specially:

Described terminal performs AES-256 algorithm to described key seed, generates described key.

Second aspect, provides another kind of encrypting and decrypting method, and described method comprises:

Gateway receives key seed and obtains request, and described key seed to obtain in request at least user ID of carried terminal and the mark of described terminal, and described key seed obtains the described terminal of request or another gateway sends;

Described gateway obtains request according to described key seed and obtains the transmit leg " return " key" seed of asking to described key seed, key is generated according to described key seed to make described terminal, and use described double secret key file to be encrypted to be encrypted operation, or described double secret key file to be decrypted is used to be decrypted operation.

In the first possible implementation of second aspect, described gateway obtains request according to described key seed and obtains the transmit leg " return " key" seed of asking to described key seed, comprising:

Whether described gateway confirms self is cipher key center node, and wherein, described cipher key center node is the node that can provide key seed;

If it self is cipher key center node that described gateway confirms, then described gateway judges described key seed obtains in request whether carry cipher key index; If described key seed obtains in request carry cipher key index, then described gateway obtains request from described key seed and extracts user ID, the mark of terminal and cipher key index; And the corresponding relation of the mark of the user ID stored from described gateway, terminal, cipher key index and key seed, inquire about described user ID, the mark of terminal and the key seed corresponding with extracted cipher key index extracted;

If inquire corresponding key seed, then the key seed found is returned to the transmit leg that described key seed obtains request;

If described key seed obtains in request and does not carry cipher key index, or do not inquire corresponding key seed, then described gateway is according to the mark of user ID, terminal and generating random number key seed, and the key seed of generation is returned to the transmit leg that described key seed obtains request.

In the first possible implementation of second aspect, additionally provide the implementation that the second of second aspect is possible, described gateway, according to after the mark of user ID, terminal and generating random number key seed, also comprises:

Described gateway is that described key seed distributes cipher key index, and preserves the corresponding relation of described user ID, the mark of terminal, described key seed and described cipher key index;

The described key seed by generation returns to the transmit leg that described key seed obtains request, also comprises:

The described cipher key index of distributing for described key seed is returned to the transmit leg that described key seed obtains request.

In the first possible implementation of second aspect or the possible implementation of the second of second aspect, additionally provide the third possible implementation of second aspect, if it self is not cipher key center node that described gateway confirms, then send described key seed to cipher key center node and obtain request, receive described cipher key center node and obtain the key seed asking to return according to described key seed, and the key seed received sent to described key seed to obtain the transmit leg of request.

In the third possible implementation of second aspect, additionally provide the 4th kind of possible implementation of second aspect, described cipher key center node comprises master key Centroid and standby cipher key center node, if it self is not cipher key center node that described gateway confirms, then send described key seed to cipher key center node and obtain request, comprising:

Described gateway sends key seed to master key Centroid and obtains request, if do not receive the key seed that described master key Centroid returns or receive the fault notification message that described master key Centroid returns within the time period of setting, then confirm that described master key Centroid occurs abnormal;

If described master key Centroid occurs abnormal, then described gateway sends key seed to described standby cipher key center node and obtains request.

In the implementation that the second of second aspect is possible, additionally provide the 5th kind of possible implementation of second aspect, described cipher key center node comprises master key Centroid and standby cipher key center node, if it self is cipher key center node that described gateway confirms, then described gateway is according to after the mark of user ID, terminal and generating random number key seed, also comprises:

If described gateway is master key Centroid, then the corresponding relation of the mark of described user ID, terminal, described key seed and described cipher key index is synchronized in standby cipher key center node by described gateway;

If described gateway is standby cipher key center node, then the corresponding relation of the mark of described user ID, terminal, described key seed and described cipher key index is synchronized in master key Centroid by described gateway.

In implementation possible in the 4th of the third possible implementation of second aspect or second aspect the, additionally provide the 6th kind of possible implementation of second aspect, described to cipher key center node send described key seed obtain request, receive described cipher key center node and obtain the key seed asking to return according to described key seed, specifically comprise:

Described gateway sends described key seed by the Internet protocol safety IPSEC tunnel between cipher key center node to cipher key center node and obtains request; And

Receive described cipher key center node by described IPSEC tunnel and obtain the key seed asking to return according to described key seed.

The third aspect, provides a kind of terminal equipment, comprising:

Transmitting element, obtain request for sending key seed to gateway, described key seed obtains in request and at least carries the user ID of described terminal and the mark of described terminal;

Receiving element, obtains for receiving gateway the key seed asking to return according to the described key seed that described transmitting element sends;

Key generating unit, generates key for the key seed received according to described receiving element;

Encrypting and decrypting unit, the described double secret key file to be encrypted generated for using described Key generating unit is encrypted operation, or uses described double secret key file to be decrypted to be decrypted operation.

In the first possible implementation of the third aspect, described Key generating unit generates key specifically for the key seed received according to mark and the described receiving element of described user ID and described terminal;

Described encrypting and decrypting unit comprises:

Encryption sub-unit operable, the described double secret key file to be encrypted generated for using described Key generating unit is encrypted operation, and end of file adds the cipher key index that described key seed is corresponding after encryption;

Deciphering subelement, the described double secret key file to be decrypted generated for using described Key generating unit is decrypted operation, then removes the cipher key index of the rear end of file of deciphering.

Fourth aspect, provides a kind of gateway device, comprising:

Receiver module, obtains request for receiving key seed, and described key seed to obtain in request at least user ID of carried terminal and the mark of described terminal, and described key seed obtains the described terminal of request or another gateway sends;

Module is provided, key seed for receiving according to described receiver module obtains request obtains transmit leg " return " key" seed from request to described key seed, key is generated according to described key seed to make described terminal, and use described double secret key file to be encrypted to be encrypted operation, or described double secret key file to be decrypted is used to be decrypted operation.

In the first possible implementation of fourth aspect, described in provide module to comprise:

Confirmation unit, for confirming whether described gateway device self is cipher key center node, wherein, described cipher key center node is the node that can provide key seed;

First judging unit, for when described confirmation unit confirms that described gateway device self is cipher key center node, judges described key seed obtains in request whether carry cipher key index;

Query unit, for judge at described first judging unit described key seed obtain carry cipher key index in request time, obtain request from described key seed and extract user ID, the mark of terminal and cipher key index; And the corresponding relation of the mark of the user ID stored from described gateway device, terminal, cipher key index and key seed, inquire about described user ID, the mark of terminal and the key seed corresponding with extracted cipher key index extracted;

Key seed generation unit, for judge at described first judging unit described key seed obtain in request do not carry cipher key index or described query unit do not inquire corresponding key seed time, according to mark and the generating random number key seed of user ID, terminal;

Transmitting element, the key seed generated for the key seed that described query unit inquired or described key seed generation unit returns to the transmit leg that described key seed obtains request.

In the implementation that the second of fourth aspect is possible, described in provide module also to comprise:

Allocation units, for after described key seed generation unit is according to the mark of user ID, terminal and generating random number key seed, for described key seed distributes cipher key index;

Storage unit, after at described allocation units being described key seed distribution cipher key index, preserves the corresponding relation of described user ID, the mark of terminal, described key seed and described cipher key index;

When the key seed that described key seed generation unit generates is returned to the transmit leg of described key seed acquisition request by described transmitting element, be also that the described cipher key index that described key seed is distributed returns to the transmit leg that described key seed obtains request by described allocation units.

In the first possible implementation of fourth aspect or the possible implementation of the second of fourth aspect, additionally provide the third possible implementation of fourth aspect, described in provide module also to comprise:

Request unit, during for confirming that described gateway device self is not cipher key center node at described confirmation unit, send described key seed to cipher key center node and obtain request, receive described cipher key center node and obtain the key seed asking to return according to described key seed, and the key seed received sent to described key seed to obtain the transmit leg of request.

In the third possible implementation of fourth aspect, additionally provide the 4th kind of possible implementation of fourth aspect, described cipher key center node comprises master key Centroid and standby cipher key center node, and described request unit comprises:

First sends subelement, during for confirming that described gateway device self is not cipher key center node at described confirmation unit, sending key seed obtain request to master key Centroid;

Confirming subelement, for not receiving the key seed that described master key Centroid returns within the time period of setting, or when receiving fault notification message that described master key Centroid returns, confirming that described master key Centroid occurs abnormal;

Second sends subelement, during for confirming that at described confirmation subelement described master key Centroid occurs abnormal, sending key seed obtain request to described standby cipher key center node.

In the implementation that the second of fourth aspect is possible, additionally provide the 5th kind of possible implementation of fourth aspect, described cipher key center node comprises master key Centroid and standby cipher key center node, described in provide module also to comprise:

Second judging unit, for confirming that at described confirmation unit described gateway device self is cipher key center node, and described key seed generation unit is according to after the mark of user ID, terminal and generating random number key seed, judge that described gateway device is master key Centroid or standby cipher key center node;

Lock unit, for when described second judging unit judges that described gateway device is master key Centroid, the corresponding relation of the mark of described user ID, terminal, described key seed and described cipher key index is synchronized in standby cipher key center node, and when described second judging unit judges described gateway device as standby cipher key center node, the corresponding relation of the mark of described user ID, terminal, described key seed and described cipher key index is synchronized in master key Centroid.

In the third possible implementation of fourth aspect, additionally provide the 6th kind of possible implementation of fourth aspect, when described request unit is specifically for confirming that described gateway device self is not cipher key center node at described confirmation unit, sends described key seed by the Internet protocol safety IPSEC tunnel between cipher key center node to cipher key center node and obtaining request; Receive described cipher key center node by described IPSEC tunnel and obtain the key seed asking to return according to described key seed.

5th aspect, provides a kind of terminal equipment, comprising:

Network interface, obtain request for sending key seed to gateway, described key seed obtains the mark of at least carrying user ID and described terminal in request;

Described network interface, also for receiving the key seed that gateway returns according to key seed request;

Processor, generates key for the key seed received according to described network interface, and uses described double secret key file to be encrypted to be encrypted operation, or use described double secret key file to be decrypted to be decrypted operation.

In the first possible implementation in the 5th, described processor generates key specifically for the key seed received according to mark and the described receiving element of described user ID and described terminal; And the described double secret key file to be encrypted using described Key generating unit to generate is encrypted operation, and end of file adds the cipher key index that described key seed is corresponding after encryption; Or the described double secret key file to be decrypted using described Key generating unit to generate is decrypted operation, then remove the cipher key index of the rear end of file of deciphering.

In the 6th, provide a kind of gateway device, comprising:

Network interface, obtain request for receiving key seed, described key seed obtains the mark of at least carrying user ID and described terminal in request, and described key seed obtains the described terminal of request or another gateway sends;

Processor, key seed for receiving according to described network interface obtains request obtains transmit leg " return " key" seed from request to described key seed, key is generated according to described key seed to make described terminal, and use described double secret key file to be encrypted to be encrypted operation, or described double secret key file to be decrypted is used to be decrypted operation.

7th aspect, additionally provides a kind of key management system, comprises the terminal equipment that the third aspect or any one possible implementation of the third aspect provide, or the gateway device that fourth aspect or any one possible implementation of fourth aspect provide.

In the embodiment of the present invention, by key seed is stored on gateway, and file to be encrypted or file to be decrypted are stored in terminal, achieve key seed to store with file to be encrypted or separating of file to be decrypted, ensure the fail safe of key seed, thus improve the fail safe of file encryption or deciphering.

Accompanying drawing explanation

In order to be illustrated more clearly in the embodiment of the present invention or technical scheme of the prior art, be briefly described to the accompanying drawing used required in embodiment or description of the prior art below, apparently, accompanying drawing in the following describes is some embodiments of the present invention, for those of ordinary skill in the art, under the prerequisite not paying creative work, other accompanying drawing can also be obtained according to these accompanying drawings.

Fig. 1 is the network architecture schematic diagram that the embodiment of the present invention is applied;

Fig. 2 is an embodiment flow chart of encrypting and decrypting method of the present invention;

Fig. 3 is another embodiment flow chart of encrypting and decrypting method of the present invention;

Fig. 4 is that in the step 320 of embodiment of the present invention Fig. 3, gateway obtains the embodiment flow chart of request to the transmit leg " return " key" seed of key seed acquisition request according to key seed;

Fig. 5 is the mutual time diagram in the embodiment of the present invention between each network element device;

Fig. 6 is the structural representation of an embodiment of terminal equipment of the present invention;

Fig. 7 is the structural representation of an embodiment of gateway device of the present invention;

Fig. 8 is the schematic diagram of key management system embodiment of the present invention;

Fig. 9 is the structural representation of another embodiment of terminal equipment of the present invention;

Figure 10 is the structural representation of another embodiment of gateway device of the present invention.

Embodiment

The following embodiment of the present invention provides encrypting and decrypting method, terminal equipment, gateway device and key management system, to improve the fail safe of file encryption or deciphering.

Technical scheme in the embodiment of the present invention is understood better in order to make those skilled in the art person, and enable the above-mentioned purpose of the embodiment of the present invention, feature and advantage become apparent more, below in conjunction with accompanying drawing, technical scheme in the embodiment of the present invention is described in further detail.

Mobile office is progressively popularized, mobile office user accesses corporate intranet by mobile intelligent terminal, carry out receiving and dispatching mail, download official document, browse the operations such as enterprise web site, these operations are inevitably many data, file is stored in terminal, as Email attachment, local mail, enterprises data, browsing history etc., wherein is no lack of corporate secret even confidential information, in order to avoid the leakage of these information, the data deposited at mobile intelligent terminal these and file is needed to be encrypted, correspondingly, also need to be decrypted the data of mobile intelligent terminal and file.The following embodiment of the present invention can be applied in above-mentioned mobile office scene, as shown in Figure 1, the network architecture of this composition mobile office scene comprises mobile intelligent terminal UE (such as smart mobile phone), gateway GW and server SV, wherein, the entrance of the corporate intranet that gateway GW encloses for wire frame, corporate intranet can also comprise the data transfer equipments such as multiple stage terminal and switch SW such as PC, mobile intelligent terminal UE is connected with gateway GW, and accesses the data of corporate intranet by gateway GW.The key management system that the embodiment of the present invention provides comprises gateway GW and at least one terminal, and terminal here both can be the mobile intelligent terminal UE in accompanying drawing 1, also can be the other-ends such as PC.

See Fig. 2, be an embodiment flow chart of encrypting and decrypting method of the present invention, this embodiment describes the process of encrypting and decrypting from the angle of terminal:

Step 210, terminal send key seed to corporate intranet entry gateway and obtain request, and described key seed to obtain in request at least user ID of carried terminal and the mark of described terminal;

If pending file does not comprise cipher key index, specification document does not have encrypted clear text file, needs are encrypted, now this file is file to be encrypted, therefore described key seed obtains and asks to comprise the user ID of terminal and the mark (can be hardware information, the International Mobile Equipment Identity code of such as terminal) of terminal; And if pending file comprises cipher key index, supporting paper is encrypted, needs to be decrypted, then this file is file to be decrypted, and now described key seed obtains and asks also to comprise cipher key index.Namely described key seed to obtain in request at least user ID of carried terminal and the mark of described terminal.

Terminal can be mobile intelligent terminal in embodiments of the present invention, also can be the terminal of the other types such as PC, here not limit.

Before this step performs, suppose that terminal have passed through the authentication of the gateway of corporate intranet entrance by input user ID (such as user name) and password, and establish HTTPS (SecureHypertextTransferProtocol between terminal and gateway, Secure Hypertext Transfer Protocol) connect, the HTTP connected mode setting up this encryption can ensure the fail safe transmitting data.

Every predetermined period, described terminal to the new key seed of gateway requests, to generate new key.Therefore, the key that each terminal uses is periodically variable, for example, the current use key A of certain terminal, when terminal finds that the life cycle of key A expires (such as, every 10 days cipher key change once), when terminal can carry out the cryptographic operation of new file within the new cycle, to the new key seed of cipher key center application to generate new key B (the last cycle still deciphers by key A with the file that key A is encrypted).

Step 220, terminal receive gateway and obtain the key seed asking to return according to described key seed;

Step 230, described terminal generate key according to described key seed, and use described double secret key file to be encrypted to be encrypted operation, or use described double secret key file to be decrypted to be decrypted operation.

In this step, described terminal generates key according to described key seed, and uses described double secret key file to be encrypted to be encrypted operation, comprising:

Described terminal generates key according to the mark of described key seed, user ID and terminal, use described double secret key file to be encrypted to be encrypted operation, and end of file adds the cipher key index that described key seed is corresponding after encryption; Wherein, the cipher key index that described key seed is corresponding is that described gateway is sent.

Described terminal generates key according to the mark of described key seed, user ID and terminal, described double secret key file to be decrypted is used to be decrypted operation, then remove the cipher key index of end of file after deciphering, wherein, cipher key index corresponding to described key seed is that described gateway is sent.

In this step, terminal performs AES-256 algorithm according to the mark of described key seed, user ID and terminal, thus generates key, and fail safe is high.

As seen from the above-described embodiment, by key seed is stored on gateway, and file to be encrypted or file to be decrypted are stored in terminal, achieve the Separate Storage of key seed and file to be encrypted or file to be decrypted, ensure the fail safe of key seed, thus improve the fail safe of file encryption or deciphering.

See Fig. 3, be another embodiment flow chart of encrypting and decrypting method of the present invention, this embodiment describes the process of encrypting and decrypting from the angle of gateway:

Step 310, gateway receive key seed and obtain request, and described key seed to obtain in request at least user ID of carried terminal and the mark of described terminal;

Gateway can be virtual private network gateway in embodiments of the present invention, also can be the gateway device of other types, here not limit.

It can be that the terminal initiating described key seed acquisition request is directly sent that described key seed obtains request, also can be that after another gateway receives the described key seed acquisition request of described terminal transmission, forwarding is next, another gateway described can be the IAD of described terminal.That is described key seed obtains the transmit leg of request can be initiate terminal or another gateway that described key seed obtains request.

Before this step performs, suppose that terminal have passed through the authentication of the gateway (IAD) of corporate intranet entrance by input user ID (such as user name) and password, and established HTTPS between terminal with IAD to be connected, the HTTP connected mode setting up this encryption can ensure the fail safe transmitting data.

Step 320, described gateway obtain request according to described key seed and obtain the transmit leg " return " key" seed of asking to described key seed, key is generated according to described key seed to make described terminal, and use described double secret key file to be encrypted to be encrypted operation, or described double secret key file to be decrypted is used to be decrypted operation.

Alternatively, at the encrypting and decrypting method shown in accompanying drawing 3, contain different implementations: the first scheme can be upgraded to existing gateway device, make it to possess storage user ID, the mark of terminal, the corresponding relation of cipher key index and key seed, and obtain according to the key seed that terminal sends the key seed that correspondence is searched in request, and the function of the key seed found is returned to terminal, in this scheme, whole key management system comprises terminal and gateway device two class network element, the function of all gateway devices is similar, there is the advantage that inquiry velocity is fast, but need to carry out function upgrading to a large amount of existing gateway equipment, implementation cost is higher, first scheme is, from existing gateway device, select part gateway equipment to serve as cipher key center node, only have cipher key center node to serve as to store the corresponding relation of user ID, the mark of terminal, cipher key index and key seed and obtain the function of asking to search corresponding key seed according to the key seed that terminal sends, and other gateway device is to serving as simple forwarding capability, implementation cost can be saved like this.To be described in detail first scheme below.

In order to without the need to upgrading existing all gateway devices, the embodiment of the present invention gives a kind of gateway and obtains according to described key seed request to obtain concrete mode from the transmit leg " return " key" seed of request to described key seed, please refer to shown in accompanying drawing 4:

Step 401, whether gateway confirms self is cipher key center node, and wherein, cipher key center node is the node that can provide key seed; If cipher key center node, then perform step 402; If not cipher key center node, then perform step 403.

Step 402, gateway judges described key seed obtains in request whether carry cipher key index further, if carry cipher key index, then performs step 404; If do not carry cipher key index, perform step 407.

Particularly, according to multiple method, gateway can judge described key seed obtains in request whether carry cipher key index, such as gateway and terminal make an appointment key seed obtain request specific fields in carry cipher key index, if terminal needs to obtain in request in key seed to carry cipher key index, then cipher key index is carried in above-mentioned specific fields, otherwise the content of above-mentioned specific fields is set to one and is used for identifying the characteristic value of not carrying non-key index, such as, be set to complete zero; Gateway reads the content that key seed obtains predetermined field in request, if the content read is not above-mentioned characteristic value, then confirms that key seed obtains in request and carries cipher key index, otherwise do not carry cipher key index.Other determination methods here will not enumerate.

Step 403, gateway sends described key seed to cipher key center node and obtains request, receive described cipher key center node and obtain the key seed asking to return according to described key seed, and the key seed received sent to described key seed to obtain the transmit leg of request, so far, the flow process that gateway obtains according to described key seed the transmit leg " return " key" seed that request is asked to described key seed acquisition terminates.

Step 404, gateway obtains request from described key seed and extracts user ID, the mark of terminal and cipher key index; Perform step 405.

Step 405, the corresponding relation of the user ID that gateway stores from described gateway, the mark of terminal, cipher key index and key seed, the described user ID that inquiry is extracted, the mark of terminal and the key seed corresponding with extracted cipher key index; If can key seed be inquired, then perform step 406, otherwise perform step 407.

Step 406, the key seed found is returned to the transmit leg that described key seed obtains request by gateway, and so far, gateway obtains the flow process of asking to obtain to described key seed the transmit leg " return " key" seed of request according to described key seed to be terminated.

Step 407, gateway, according to the mark of user ID, terminal and generating random number key seed, performs step 408.

Step 408, gateway is that described key seed distributes cipher key index, and preserves the corresponding relation of described user ID, the mark of terminal, described key seed and described cipher key index.

Step 409, gateway obtains the transmit leg of asking by the key seed of generation and for the described cipher key index of described key seed distribution returns to described key seed.

Random number in step 407 uses the RAND_bytes function in OpenSSL to generate.Wherein, OpenSSL is the standard ssl protocol storehouse that a kind of general code is increased income, a whole set of solution is also provided for the generation of random number and management and supports api function, OpenSSL gives different reliable generating random number approach for dissimilar operating system platform: for the system of unix type, and it uses randomizer/dev/urandom or/dev/random to generate; For windows system, then mouse is moved, the interaction data of the user such as on-screen data and system generates.

Can find out that cipher key center node assumes storage user ID from embodiment above, the mark of terminal, the corresponding relation of cipher key index and key seed, and obtain to key seed the function that the transmit leg of asking provides key seed, once cipher key center one malfunctions, then can cause great amount of terminals cannot encrypt file or declassified document, in order to improve the reliability of whole key management system work further, more than two gateways can be set within the system as cipher key center node, wherein at least one gateway is as master key Centroid, all the other gateways are as standby cipher key center node.When cipher key center node comprises master key Centroid and standby cipher key center node, from the angle of gateway, the encrypting and decrypting method that accompanying drawing 4 provides also comprises:

After step 408, if described gateway is master key Centroid, then the corresponding relation of the mark of described user ID, terminal, described key seed and described cipher key index is synchronized in standby cipher key center node by described gateway; If described gateway is standby cipher key center node, then the corresponding relation of the mark of described user ID, terminal, described key seed and described cipher key index is synchronized in master key Centroid by described gateway.

Accordingly, step 403 specifically comprises:

Gateway sends key seed to master key Centroid and obtains request, if do not receive the key seed that described master key Centroid returns or receive the fault notification message that described master key Centroid returns within the time period of setting, then confirm that described master key Centroid occurs abnormal; If described master key Centroid occurs abnormal, then described gateway sends key seed to described standby cipher key center node and obtains request.If described standby cipher key center node also exception occurs, then " return " key" seed obtains failed message to described gateway.

As seen from the above-described embodiment, by key seed is stored on gateway, and file to be encrypted or file to be decrypted are stored in terminal, achieve key seed to store with file to be encrypted or separating of file to be decrypted, ensure the fail safe of key seed, thus improve the fail safe of file encryption or deciphering.

In order to clearly be described the encrypting and decrypting method that the embodiment of the present invention provides, figure 5 provides the mutual sequential chart between terminal and gateway.Wherein, VPN_GW1 is the IAD of terminal but is not cipher key center node, VPN_GW2 and VPN_GW3 is cipher key center node, can be active and standby each other, according to the strategy change role preset, such as VPN_GW2 serves as master key Centroid in annual in odd number month, serves as standby cipher key center node even number month, on the contrary VPN_GW3; Assuming that VPN_GW2 is standby cipher key center node in the present embodiment, VPN_GW3 is master key Centroid.

Step 510, terminal send key seed to corporate intranet entry gateway VPN_GW1 and obtain request, and described key seed to obtain in request at least user ID of carried terminal and the mark of described terminal;

Before this step performs, suppose that terminal have passed through the authentication of the gateway VPN_GW1 of corporate intranet entrance by input user ID and password, and established HTTPS between terminal with gateway VPN_GW1 to be connected, the HTTP connected mode setting up this encryption can ensure the fail safe transmitting data.

In the present embodiment, be decrypted assuming that terminal needs to treat declassified document, obtain the user ID of carried terminal, the mark of described terminal and the cipher key index that obtains from file to be decrypted in request in key seed.

Every predetermined period, described terminal to the new key seed of gateway requests, to generate new key.Therefore, the key that each terminal uses is periodically variable.

Step 520, gateway VPN_GW1 confirm it self is not cipher key center node, then key seed is obtained request forward to the cipher key center node VPN_GW2 preset.

Gateway VPN_GW1 can be previously stored with cipher key center node listing, wherein comprises at least one cipher key center node and this cipher key center address of node in cipher key center node listing.After gateway VPN_GW1 receives key seed acquisition request, according to the selection strategy preset, the selection strategy that such as hop count is the shortest, a cipher key center node is selected from cipher key center node listing, key seed be obtained request forward to the cipher key center node selected, in the present embodiment, assuming that gateway VPN_GW1 has selected VPN_GW2.

Step 530, cipher key center node VPN_GW2 confirms it self is cipher key center node, performs step 540.

Step 540, cipher key center node VPN_GW2 confirms that described key seed obtains in request and carries cipher key index, and obtains request from key seed and extract the user ID of carrying, the mark of described terminal and cipher key index.

Step 550, the corresponding relation of the user ID that cipher key center node VPN_GW2 stores from self, the mark of terminal, cipher key index and key seed, the described user ID that inquiry is extracted, the mark of terminal and the key seed corresponding with extracted cipher key index.Suppose that VPN_GW2 does not inquire corresponding key seed in the present embodiment, enters step 560.

Cipher key center node fails to obtain user ID, the mark of described terminal and the cipher key index of carrying in request according to key seed, may be many-sided from the user ID self stored, the mark of terminal, cipher key index with the reason inquiring corresponding key seed the corresponding relation of key seed, example synchronizing process as in the previous unsuccessfully etc.

Step 560, cipher key center node VPN_GW2 is according to the mark of user ID, terminal and generating random number key seed.

Alternatively, random number can use the RAND_bytes function in OpenSSL to generate.Because OpenSSL gives different reliable generating random number approach for dissimilar operating system platform, the applicability of the embodiment of the present invention therefore can be improved.

Step 570, cipher key center node VPN_GW2 is generated key seed distribution cipher key index, and preserves the corresponding relation of described user ID, the mark of terminal, described key seed and described cipher key index.

The corresponding relation of the mark of user ID, terminal, described key seed and described cipher key index stores in the database of cipher key center node VPN_GW2.

Step 580, the corresponding relation of the mark of described user ID, terminal, described key seed and described cipher key index is synchronized to master key Centroid VPN_GW3 by cipher key center node VPN_GW2.

When obtaining the more new data of corresponding relation etc. of user ID, the mark of terminal, described key seed and described cipher key index, need synchronous in real time between active and standby cipher key center node, could one or more cipher key center node wherein when occurring abnormal, the cipher key center node making other working properly continues to play a role, thus improves reliability.Cipher key center node VPN_GW2 is standby cipher key center node, and therefore cipher key center node VPN_GW2 also needs the corresponding relation of the mark of described user ID, terminal, described key seed and described cipher key index to be synchronized to master key Centroid VPN_GW3.

This step 580 and the restriction of step 590 without sequencing, in fact, this step 580 can perform any time after cipher key center node VPN_GW2 preserves the corresponding relation of described user ID, the mark of terminal, described key seed and described cipher key index.

Step 590, the key seed of generation and the described cipher key index of distributing for described key seed are returned to gateway VPN_GW1 by cipher key center node VPN_GW2.

Suppose that this period of time of cipher key center node VPN_GW2 execution above-mentioned steps 530 ~ 590 in the present embodiment does not exceed the default time period, therefore, the described cipher key index that gateway VPN_GW1 can receive key seed that cipher key center node VPN_GW2 sends and distribute for described key seed, and continue to perform following step.

Step 5100, key seed and cipher key index are returned to terminal by gateway VPN_GW1.

Step 5110, terminal generates key according to described key seed, and uses described double secret key file to be decrypted to be decrypted operation.

In the present embodiment, described terminal performs AES-256 algorithm according to the mark of described key seed, user ID and terminal and generates key, uses described double secret key file to be decrypted to be decrypted operation, then removes the cipher key index of the rear end of file of deciphering.Use AES-256 algorithm to generate key and there is higher fail safe.

As seen from the above-described embodiment, the embodiment of the present invention is by being stored on gateway by key seed, and file to be encrypted or file to be decrypted are stored in terminal, achieve key seed to store with file to be encrypted or separating of file to be decrypted, ensure the fail safe of key seed, thus improve the fail safe of file encryption or deciphering.

Corresponding with the embodiment of encrypting and decrypting method of the present invention, present invention also offers the embodiment of terminal equipment, gateway device and key management system.

See Fig. 6, the block diagram for an embodiment of terminal equipment of the present invention:

This terminal equipment comprises: transmitting element 610, receiving element 620, Key generating unit 630 and encrypting and decrypting unit 640.

Wherein, transmitting element 610, obtain request for sending key seed to gateway, described key seed obtains in request and at least carries the user ID of described terminal and the mark of described terminal;

Receiving element 620, obtains for receiving gateway the key seed asking to return according to the described key seed that described transmitting element 610 sends;

Key generating unit 630, generates key for the key seed received according to described receiving element 620;

Encrypting and decrypting unit 640, the described double secret key file to be encrypted generated for using described Key generating unit 630 is encrypted operation, or uses described double secret key file to be decrypted to be decrypted operation.

Wherein, described Key generating unit 630 generates key specifically for the key seed received according to mark and the described receiving element of described user ID and described terminal;

Described encrypting and decrypting unit 640 comprises:

The encrypting and decrypting method embodiment that the above-mentioned angle from terminal of concrete function detail with reference of described transmitting element 610, receiving element 620, Key generating unit 630 and encrypting and decrypting unit 640 describes, is not described in detail in this.

See Fig. 7, the block diagram for an embodiment of gateway device of the present invention:

This gateway device comprises: receiver module 710 and provide module 720.

Wherein, receiver module 710, obtains request for receiving key seed, and described key seed to obtain in request at least user ID of carried terminal and the mark of described terminal, and described key seed obtains the described terminal of request or another gateway sends;

Module 720 is provided, key seed for receiving according to described receiver module 710 obtains request obtains transmit leg " return " key" seed from request to described key seed, key is generated according to described key seed to make described terminal, and use described double secret key file to be encrypted to be encrypted operation, or described double secret key file to be decrypted is used to be decrypted operation.

The described module 720 that provides comprises:

Confirmation unit, for confirming whether described gateway device self is cipher key center node, wherein, described cipher key center node is the node that can provide key seed, comprises master key Centroid and standby cipher key center node;

Key seed generation unit, for judge at described judging unit described key seed obtain in request do not carry cipher key index or described query unit do not inquire corresponding key seed time, according to mark and the generating random number key seed of user ID, terminal;

Transmitting element, the key seed generated for the key seed that described query unit inquired or described key seed generation unit returns to the transmit leg that described key seed obtains request; When the key seed that described key seed generation unit generates being returned to the transmit leg of described key seed acquisition request, be also that the described cipher key index that described key seed is distributed returns to the transmit leg that described key seed obtains request by described allocation units.

Alternatively, in order to the same user that can be reduced in same equipment generates the number of times of key seed, index can be set up, the follow-up key seed generated according to index search for the key seed generated, in this case, module 720 is provided also to comprise:

Alternatively, in order to improve the reliability of whole key management system work, can arrange more than two gateways within the system as cipher key center node, wherein at least one gateway is as master key Centroid, and all the other gateways are as standby cipher key center node.In this case, module 720 is provided also to comprise:

Lock unit, for when described second judging unit judges that described gateway device is master key Centroid, the corresponding relation of the mark of described user ID, terminal, described key seed and described cipher key index is synchronized in standby cipher key center node, and when described judgment sub-unit judges described gateway device as standby cipher key center node, the corresponding relation of the mark of described user ID, terminal, described key seed and described cipher key index is synchronized in master key Centroid

When comprising master key Centroid and standby cipher key center node in described key management system, described request unit comprises:

First sends subelement, during for confirming that described gateway device self is not cipher key center node at described confirmation unit, sending key seed obtain request to master key Centroid; When described first transmission subelement is specifically for confirming that described gateway device self is not cipher key center node at described confirmation unit, sends key seed by the Internet protocol safety IPSEC tunnel between cipher key center node to master key Centroid and obtaining request; And described reception subelement obtains specifically for being received described cipher key center node by described IPSEC tunnel the key seed asking to return according to described key seed;

Second sends subelement, for when described master key Centroid occurs abnormal, sends key seed obtain request to described standby cipher key center node.

Described receiver module 710 and provide the concrete function detail with reference of the module 720 encrypting and decrypting method embodiment that the above-mentioned angle from gateway describes, is not described in detail in this.

See Fig. 8, be the schematic diagram of key management system embodiment provided by the invention, described key management system comprises terminal equipment 810 or the gateway device 820 of any one execution mode above-mentioned.

Described terminal equipment is used for sending key seed to gateway and obtains request, and described key seed obtains in request and at least carries the user ID of described terminal and the mark of described terminal; Receive gateway and obtain the key seed asking to return according to the described key seed that described transmitting element sends; Key is generated according to the key seed that described receiving element receives; The described double secret key file to be encrypted using described Key generating unit to generate is encrypted operation, or uses described double secret key file to be decrypted to be decrypted operation.

Described gateway device 820 obtains request for receiving key seed, and described key seed to obtain in request at least user ID of carried terminal and the mark of described terminal, and described key seed obtains the described terminal of request or another gateway sends; The transmit leg " return " key" seed of request to described key seed acquisition request is obtained according to the key seed that described receiver module receives, key is generated according to described key seed to make described terminal, and use described double secret key file to be encrypted to be encrypted operation, or described double secret key file to be decrypted is used to be decrypted operation.

Described key management system also can comprise terminal equipment 810 and the gateway device 820 of any one execution mode above-mentioned simultaneously, can also comprise other network equipment, such as the data storage device such as the data transfer equipment such as switch, router and server.

Wherein, the specific works flow process of terminal equipment and gateway device please refer to the description in previous methods embodiment, and the structure of terminal equipment and gateway device please refer to the description in previous one embodiment, here no longer repeats.

See Fig. 9, the block diagram for an embodiment of hardware terminal entity corresponding to terminal equipment provided by the invention and above-mentioned:

Described terminal equipment comprises:

Network interface 910, obtain request for sending key seed to gateway, described key seed obtains the mark of at least carrying user ID and described terminal in request;

Described network interface 910, also for receiving the key seed that gateway returns according to key seed request;

Processor 920, generates key for the key seed received according to described network interface 910, and uses described double secret key file to be encrypted to be encrypted operation, or use described double secret key file to be decrypted to be decrypted operation.

Described processor 920 generates key specifically for the key seed received according to mark and the described receiving element of described user ID and described terminal; And the described double secret key file to be encrypted using described Key generating unit to generate is encrypted operation, and end of file adds the cipher key index that described key seed is corresponding after encryption; Or the described double secret key file to be decrypted using described Key generating unit to generate is decrypted operation, then remove the cipher key index of the rear end of file of deciphering.

The encrypting and decrypting method embodiment that the above-mentioned angle from terminal of concrete function detail with reference of described network interface 910, processor 920 describes, is not described in detail in this.

See Figure 10, be the block diagram of an embodiment of the present invention's hardware gateway entity corresponding with above-mentioned gateway device, described gateway device comprises:

Network interface 1010, obtain request for receiving key seed, described key seed obtains the mark of at least carrying user ID and described terminal in request, and described key seed obtains the described terminal of request or another gateway sends;

Processor 1020, key seed for receiving according to described network interface 1010 obtains request obtains transmit leg " return " key" seed from request to described key seed, key is generated according to described key seed to make described terminal, and use described double secret key file to be encrypted to be encrypted operation, or described double secret key file to be decrypted is used to be decrypted operation.

The encrypting and decrypting method embodiment that the above-mentioned angle from terminal of concrete function detail with reference of described network interface 1010, processor 1020 describes, is not described in detail in this.

Can finding out, in embodiments of the present invention, by key seed being stored on gateway, and being stored in terminal by declassified document to be encrypted, achieving key seed with separating of file stores, and has ensured the fail safe of key seed.And during encryption and decryption, in terminal, there is key seed, key in short-term, do not have the situation that ciphertext, key appear at terminal simultaneously At All Other Times, and key seed periodically can change, unauthorized person cannot extract key seed or key from terminal.Because the information between terminal and gateway, information between gateway and gateway are transmitted respectively by HTTPS and ipsec tunnel, thus ensure confidentiality and the data integrity of information transmission, improve the fail safe of enciphering/deciphering.Key seed can be subject to the encipherment protection of high strength encrypting algorithm at cipher key center node; and key and do not rely on terminal any information (as user oneself arrange screen locking password etc.); therefore enough complexities can be had; can not cross weak because terminal screen locking password etc. arranges intensity and be broken through from screen locking password by people, improve the fail safe of enciphering/deciphering.Key seed and terminal hardware feature, user name are bound, and like this, even if user account leaks, as long as key request is not initiate from the terminal of validated user, all cannot obtains key, improve the fail safe of enciphering/deciphering.In addition, owing to deploying two cipher key center nodes, both are by ipsec tunnel mutually standby key seed data, can the reliability of safeguards system, also can carry out load balancing to the key request carrying out self terminal, also meet the demand of distributed deployment scene.As seen from the above-described embodiment, by key seed is stored on gateway, and file to be encrypted or file to be decrypted are stored in terminal, achieve key seed to store with file to be encrypted or separating of file to be decrypted, ensure the fail safe of key seed, thus improve the fail safe of file encryption or deciphering.

One of ordinary skill in the art will appreciate that the possible implementation of various aspects of the present invention or various aspects can be embodied as system, method or computer program.Therefore, the possible implementation of each aspect of the present invention or various aspects can adopt complete hardware embodiment, completely software implementation (comprising firmware, resident software etc.), or the form of the embodiment of integration software and hardware aspect, is all referred to as " circuit ", " module " or " system " here.In addition, the possible implementation of each aspect of the present invention or various aspects can adopt the form of computer program, and computer program refers to the computer readable program code be stored in computer-readable medium.

Computer-readable medium can be computer-readable signal media or computer-readable recording medium.Computer-readable recording medium is including but not limited to electronics, magnetic, optics, electromagnetism, infrared or semiconductor system, equipment or device, or aforesaid appropriately combined arbitrarily, as random access memory (RAM), read-only memory (ROM), Erasable Programmable Read Only Memory EPROM (EPROM or flash memory), optical fiber, portable read-only memory (CD-ROM).

Processor in computer reads the computer readable program code be stored in computer-readable medium, makes processor can perform the function action specified in the combination of each step or each step in flow charts; Generate the device implementing the function action specified in the combination of each block of block diagram or each piece.

Computer readable program code can perform completely on the computer of user, part performs on the computer of user, as independent software kit, part on the computer of user and part on the remote computer, or to perform on remote computer or server completely.Also it should be noted that in some alternate embodiment, in flow charts in each step or block diagram each piece the function that indicates may not according to occurring in sequence of indicating in figure.Such as, depend on involved function, in fact two steps illustrated in succession or two blocks may be executed substantially concurrently, or these blocks sometimes may be performed by with reverse order.

Obviously, those skilled in the art can carry out various change and modification to the present invention and not depart from the spirit and scope of the present invention.Like this, if these amendments of the present invention and modification belong within the scope of the claims in the present invention and equivalent technologies thereof, then the present invention is also intended to comprise these change and modification.

Claims

1. an encrypting and decrypting method, is characterized in that, comprising:

Terminal sends key seed acquisition request to the gateway of corporate intranet entrance, and described key seed obtains in request and at least carries the user ID of described terminal and the mark of described terminal;

Described terminal receives described gateway and obtains the key seed asking to return according to described key seed;

2. the method for claim 1, is characterized in that, if described file to be decrypted comprises cipher key index, then described key seed obtains request and also carries described cipher key index.

3. the method for claim 1, is characterized in that, described terminal generates key according to described key seed, and uses described double secret key file to be encrypted to be encrypted operation, comprising:

4. the method for claim 1, is characterized in that, described terminal every predetermined period, to the key seed that described gateway requests is new, to generate new key.

5. the method according to any one of Claims 1 to 4, is characterized in that, described terminal generates key according to described key seed, is specially:

6. an encrypting and decrypting method, is characterized in that, comprising:

7. method as claimed in claim 6, is characterized in that, described gateway obtains request according to described key seed and obtains the transmit leg " return " key" seed of asking to described key seed, comprising:

8. method as claimed in claim 7, it is characterized in that, described gateway, according to after the mark of user ID, terminal and generating random number key seed, also comprises:

9. method as claimed in claim 7, is characterized in that, also comprise:

If it self is not cipher key center node that described gateway confirms, then send described key seed to cipher key center node and obtain request, receive described cipher key center node and obtain the key seed asking to return according to described key seed, and the key seed received sent to described key seed to obtain the transmit leg of request.

10. method as claimed in claim 9, it is characterized in that, described cipher key center node comprises master key Centroid and standby cipher key center node, if described gateway confirms it self is not cipher key center node, then send described key seed to cipher key center node and obtain request, comprising:

11. methods as claimed in claim 8, it is characterized in that, described cipher key center node comprises master key Centroid and standby cipher key center node, if it self is cipher key center node that described gateway confirms, then described gateway is according to after the mark of user ID, terminal and generating random number key seed, also comprises:

12. methods as described in claim 9 or 10, is characterized in that, describedly send described key seed to cipher key center node and obtain request, receive described cipher key center node and obtain the key seed asking to return according to described key seed, specifically comprise:

13. 1 kinds of encrypting and decrypting devices, is characterized in that, comprising:

Transmitting element, obtains request for sending key seed to the gateway of corporate intranet entrance, and described key seed to obtain in request at least user ID of carried terminal and the mark of described terminal;

Receiving element, obtains for receiving described gateway the key seed asking to return according to the described key seed that described transmitting element sends;

14. encrypting and decrypting devices as claimed in claim 13, is characterized in that,

Described Key generating unit generates key specifically for the key seed received according to mark and the described receiving element of described user ID and described terminal;

Described encrypting and decrypting unit comprises:

15. 1 kinds of encrypting and decrypting devices, is characterized in that, comprising:

16. encrypting and decrypting devices as claimed in claim 15, is characterized in that, described in provide module to comprise:

17. encrypting and decrypting devices as claimed in claim 16, is characterized in that, described in provide module also to comprise:

18. encrypting and decrypting devices as described in claim 16 or 17, is characterized in that, described in provide module also to comprise:

19. encrypting and decrypting devices as claimed in claim 18, is characterized in that, described cipher key center node comprises master key Centroid and standby cipher key center node, and described request unit comprises:

20. encrypting and decrypting devices as claimed in claim 17, is characterized in that, described cipher key center node comprises master key Centroid and standby cipher key center node, described in provide module also to comprise:

21. encrypting and decrypting devices as claimed in claim 18, it is characterized in that, when described request unit is specifically for confirming that described gateway device self is not cipher key center node at described confirmation unit, sends described key seed by the Internet protocol safety IPSEC tunnel between cipher key center node to cipher key center node and obtaining request; Receive described cipher key center node by described IPSEC tunnel and obtain the key seed asking to return according to described key seed.

22. 1 kinds of key management systems, is characterized in that, comprise the encrypting and decrypting device according to any one of claim 13 to 14, or the encrypting and decrypting device according to any one of claim 15 to 21.