CN103414554A - Objectification secret key management system and secret key management method based on system - Google Patents


Info

Publication number: CN103414554A
Authority: CN (China)
Prior art keywords: key, secret key, template, management, strategy
Legal status: Granted
Application number: CN2013103507009A
Other languages: Chinese (zh)
Other versions: CN103414554B (en)
Inventors: 李元正, 廖成军, 帅军军
Current assignee: China Electronics Technology Network Security Technology Co ltd
Original assignee: Chengdu Westone Information Industry Inc
Priority date: 2013-08-13
Filing date: 2013-08-13
Publication date: 2013-11-27
Application filed by Chengdu Westone Information Industry Inc
Priority to CN201310350700.9A
Publication of CN103414554A
Application granted
Publication of CN103414554B
Legal status: Active

Landscapes

  • Storage Device Security (AREA)
  • Lock And Its Accessories (AREA)

Abstract

The invention provides an objectified key management system and a key management method based on it. The system mainly comprises an asymmetric key management service module, a symmetric key management service module, an integrated management platform and a cipher machine. The system defines key templates according to key attributes, and key strategies are created from the template attributes according to the characteristics of the keys a service needs. The key management service modules receive, parse and process the key strategies defined by the system and forward them to the cipher machine. The cipher machine performs the corresponding operation according to the instruction in the key strategy and returns the generated key data to the key management service modules, which process it securely and store it in a database. The integrated management platform uses the key strategies to manage and maintain the whole key life cycle in a unified way. The method meets today's increasingly strict requirements for key security management, makes duplicate key indexes unlikely, is easy to extend, and supports diversified and integrated key management requirements.

Description

Objectified key management system and key management method based on the system
Technical field
The present invention relates to an objectified key management system based on key attributes and to a key management method based on that system, and in particular to such a system and method applicable to the field of information security and cryptography.
Background technology
Cryptographic technology is the foundation of information security; keys are the basis of secure cryptographic applications and the core element of information security. With the rapid, all-round development of China's information industry, key management systems based on asymmetric and symmetric key systems have entered a period of full-scale construction, and the basic key attributes and related information held in these systems face increasingly strict security management requirements.
Traditional key management systems rely on a key index to manage and maintain keys: among the basic information about a key, only the key index runs through the whole key lifecycle management process, and important attributes and information about the key are missing, which no longer satisfies today's stricter key security management requirements. At the same time, key management requires the operator to define key indexes and index ranges by hand, and this process easily produces duplicate indexes, for example one key mapped to several indexes or one index mapped to several keys. The key then cannot be used normally, and the difficulty and cost of key management and maintenance increase. In addition, index-based management is relatively rigid and hard to extend, which works against diversified and integrated key management requirements.
The present invention introduces key templates and a key strategy management model: key attributes are managed as objects and given an abstract definition, so that the traditional index-based way of implementing key management and maintenance is avoided.
Summary of the invention
The technical problem to be solved by the present invention is to provide an objectified key management system based on key attributes and a key management method based on that system. The system mainly comprises an asymmetric key management service module, a symmetric key management service module, an integrated management platform and a cipher machine. The system first defines key templates according to key attributes; then, according to the characteristics of the keys the business requires and the template attributes, it creates suitable key strategies of various kinds and sends the defined key strategy to the key management service module (asymmetric or symmetric). The key management service module receives and parses the key strategy and forwards it to the cipher machine. The cipher machine performs the corresponding operation (for example key generation) according to the instruction in the key strategy and returns the generated key data to the key management service module. The key management service module processes the key data securely and stores it in the database. The integrated management platform uses key strategies to achieve key lifecycle management and unified maintenance. The method not only meets today's increasingly strict key security management requirements but also avoids the duplicate-index problem that arises when key indexes are defined by hand; it is easy to extend and better suited to diversified and integrated key management requirements.
The key object attributes can be configured and extended flexibly according to the actual key application situation, which makes it convenient for the administrator to manage and maintain them.
The technical solution adopted by the present invention is as follows:
An objectified key management system, characterised in that it comprises an asymmetric key management service module, a symmetric key management service module, an integrated management platform, a cipher machine and a database; the asymmetric key management service module is connected to the integrated management platform, the cipher machine and the database respectively; the symmetric key management service module is likewise connected to the integrated management platform, the cipher machine and the database respectively.
Preferably, the system further comprises a USBKey module used for identity authentication, operation signing and access control.
A key management method based on the objectified key management system, the specific steps being: one, the key management system defines key templates, through the integrated management platform, according to key attributes; two, the key management system defines policy templates, through the integrated management platform, according to policies; three, the defined key templates and policy templates are combined to form the final key strategies; four, the corresponding key management operations are completed by executing the different key strategies.
Preferably, the key template comprises a key template name, a template state, a template descriptor and key attributes.
Preferably, the default state of a key template is disabled; after the security officer has audited the key template, the template state is changed to enabled.
Preferably, the policy template comprises a policy template name, a key validity period, a generation method, a maximum producible quantity and a key storage carrier.
Preferably, the key strategy comprises a key strategy name, a defined key template, a defined policy template, key strategy attributes and a key strategy descriptor.
Preferably, the key strategy attributes comprise an automatic generation condition, a key retention time and the time at which the strategy starts to generate keys.
Preferably, the specific steps for executing a key strategy are: A, the key management system selects a defined key strategy through the integrated management platform; B, the integrated management platform sends the selected key strategy to the key management service module; C, the key management service module receives and parses the key strategy and forwards it to the cipher machine as a secure packet instruction; D, the cipher machine performs the corresponding operation according to the secure packet instruction and returns the key data in the secure packet instruction format; E, the key management service module receives the key data, processes it securely and stores it in the database.
Compared with the prior art, the beneficial effects of the invention are as follows. With the method of the present invention, the key management security risks introduced by key indexes are eliminated in practical use, the security of the key management process is strengthened, key attributes are easy for the user to extend and configure, and the overall security of key attribute object management is improved. At the same time, because the key management system adopts objectified key management technology based on key attributes, keys no longer become unusable through mismanagement of key indexes; the technical demands placed on the user in actual use are reduced, it is convenient for the user to manage and maintain key attributes, and the efficiency of key attribute object management is improved.
Further beneficial effects are:
1. According to the characteristics of the keys the business requires, suitable key templates of various kinds can be created from the key attributes (algorithm type, key strength, key type and key generator);
2. According to the key application requirements, suitable policy templates can be created from the key validity period, generation method, maximum producible quantity and key storage carrier;
3. Under the objectified key management model, key templates and policy templates can easily be converted into key strategies;
4. Different key strategies can be derived from different key template definitions and applied to different key application scenarios, meeting diversified key management needs;
5. Key attributes can be configured and extended flexibly according to the actual key application situation, which makes it convenient for the system administrator to manage and maintain key object attributes;
6. The technique reduces the risk and complexity of key management and improves the efficiency of key management in the system;
7. The technique removes the key index that ran through the whole key management process, avoids keys becoming unreadable or unusable because of duplicate key indexes, and eliminates this hidden danger in key attribute object management.
Description of the drawings
Fig. 1 is a schematic diagram of the current traditional key-index management approach.
Fig. 2 is a schematic diagram of the principle of the objectified management method of the present invention.
Fig. 3 is a diagram of the key strategy format in one embodiment of the present invention.
Embodiments
To make the purpose, technical solution and advantages of the present invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the invention, not to limit it.
All features disclosed in this specification can be combined in any way, except for features that are mutually exclusive.
Any feature disclosed in this specification (including any accompanying claims, the abstract and the drawings) can, unless specifically stated otherwise, be replaced by another equivalent feature or an alternative feature serving a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
Fig. 1 shows the current traditional key-index management approach: the key management system defines key indexes and a key index range (for example 1-1000), and each key index corresponds to key data (for example 1-1000). The key management system manages key data by key index; the process has no definition of key attribute objects and no key templates or key strategy definitions, the key attributes cannot be flexibly configured or extended, and the approach does not suit large-scale key security management requirements.
An objectified key management system comprises an asymmetric key management service module, a symmetric key management service module, an integrated management platform, a cipher machine and a database; the asymmetric key management service module is connected to the integrated management platform, the cipher machine and the database respectively; the symmetric key management service module is connected to the integrated management platform, the cipher machine and the database respectively.
It further comprises a USBKey module used for identity authentication, operation signing and access control.
The asymmetric key management service module is responsible for providing management services for the whole life cycle of asymmetric keys. The asymmetric key management services comprise key generation, key distribution, key storage, key revocation, key recovery, key archiving, key query and key store management. The key store comprises an in-use store, a standby store and a history store. The asymmetric key management service mainly serves cryptographic application systems based on asymmetric key systems (for example a digital certificate authority, CA), providing asymmetric key services for users and devices.
The symmetric key management service module is responsible for providing management services for the whole life cycle of symmetric keys. The symmetric key management services comprise key generation, key distribution, key storage, key update, key destruction, key recovery, key archiving, key query and key store management. The key store comprises an in-use store, a standby store and a history store. The symmetric key management service mainly serves encryption devices based on symmetric key systems, providing them with the related symmetric key services.
The integrated management platform is responsible for all integrated service management of the key management system and is its unified management entry point. The integrated management platform comprises central management, organisation management, asymmetric key management, symmetric key management, device management, real-time monitoring, statistical analysis, log management, server management and component management.
The key management system uses the cipher machine as its key generator: the cipher machine is responsible for randomly generating asymmetric and symmetric keys for the key management system, and can also provide cryptographic operation services to it. The key management system uses the database as its data storage carrier. The system administrator uses the USBKey for functions such as identity authentication, operation signing and access control.
Fig. 2 shows a key management method based on the objectified key management system, the specific steps being: one, the key management system defines key templates, through the integrated management platform, according to key attributes; two, the key management system defines policy templates, through the integrated management platform, according to policies; three, the defined key templates and policy templates are combined to form the final key strategies; four, the corresponding key management operations are completed by executing the different key strategies.
The key management system defines key templates according to key attributes. A key attribute is a set of basic elements of the key itself, comprising the algorithm type (asymmetric or symmetric), key strength, key type and key generator. The algorithm type indicates an asymmetric or a symmetric algorithm; the key strength is the concrete key length or modulus length; the key type is the concrete application type of the key; the key generator indicates which encryption device the key management system uses to generate the key. Key attributes can be configured and extended flexibly according to the actual key application situation, which makes it convenient for the administrator to manage and maintain key object attributes.
The system provides an objectified management function for key management by converting key templates into key strategies. Different key strategies are derived from different key template definitions and applied to different key application scenarios. A policy template and a key template together are converted into a key strategy.
Key attributes are given an abstract definition in an objectified manner, forming key templates and policy templates.
The key template comprises a key template name, a template state, a template descriptor and key attributes. To define a key template, the template name is entered, the template state is set (enabled or disabled), the template descriptor is entered, and the key attributes (algorithm type (asymmetric or symmetric), key type, key strength and key generator) are selected, which completes the definition of the key template.
The key management system adopts a policy management approach: according to the characteristics of the keys the business requires, suitable key strategies of various kinds can be created from template attributes such as algorithm type, key strength, key type and key generator.
The template name can be defined freely according to the actual situation and serves as the identifier of the key template. The template descriptor is extended information about the key template. When the administrator completes the key template definition, the template state defaults to disabled and the template cannot yet be used; after the security officer has audited the key template and changed its state to enabled, the key template can be used normally.
Abstracting key attributes into key templates enables unified management of key templates and reduces subsequent maintenance work on key attributes.
The policy template comprises a policy template name, a key validity period, a generation method, a maximum producible quantity and a key storage carrier, and is managed in policy template form.
Abstracting policies into policy templates enables unified management of policy templates and reduces subsequent maintenance work on policies.
To define a policy template, the policy template name is entered, the key validity period (in days, months or years) is entered, the generation method (random generation or keyboard injection) is selected, the maximum producible quantity is entered, and the key storage carrier (database or encryption device) is selected, which completes the definition of the policy template.
The policy template name can be defined freely according to the actual situation and serves as the identifier of the policy template. The key validity period is the time range within which the key is valid for use. The generation method can be random generation or manual keyboard injection. The maximum producible quantity is the maximum number of keys that can be generated when the strategy is executed. The key storage carrier is the medium in which the key can be stored, namely a database or an encryption device.
The key strategy comprises a key strategy name, a defined key template, a defined policy template, key strategy attributes and a key strategy descriptor.
The key template and policy template are given an abstract definition and form a key object, and the system completes unified management and maintenance of key strategies according to the key object. The key template and policy template together are converted into a key strategy, which contains all the information of both. The key management system can carry out whole-lifecycle management of keys according to the key strategy, achieving flexible configuration and extension of key attributes; this makes it convenient for the system administrator to manage and maintain key object attributes and improves the efficiency of key attribute object management.
As shown in Fig. 3, to define a key strategy, the key strategy name is entered, a defined key template is selected, a defined policy template is selected, the key strategy attributes are entered and the key strategy descriptor is entered, which completes the key strategy definition.
The key strategy attributes comprise an automatic generation condition, a key retention time and the time at which the strategy starts to generate keys.
The key strategy name can be defined freely according to the actual situation and serves as the identifier of the strategy. The automatic generation condition is: when the number of keys stored in the key pool falls below X, the system automatically generates Y keys (for example, when the number of keys in the pool falls below 100, the system automatically generates 500 or 1000; this is set according to actual requirements). The key retention time is the period for which the key is stored in the database. The time at which the strategy starts to generate keys is the execution time of the key strategy; it can be executed immediately or at a specified time. The key strategy descriptor is extended information about the key strategy.
The system manages the life cycle of different keys according to different key strategies.
The specific steps for executing a key strategy are: A, the key management system selects a defined key strategy through the integrated management platform; B, the integrated management platform sends the selected key strategy to the key management service module (asymmetric or symmetric); C, the key management service module receives and parses the key strategy and forwards it to the cipher machine as a secure packet instruction; D, the cipher machine performs the corresponding operation (for example key generation) according to the secure packet instruction and returns the key data in the secure packet instruction format; E, the key management service module receives the key data, processes it securely and stores it in the database. The integrated management platform uses key strategies to achieve key lifecycle management and unified maintenance.
Key strategies are managed in a unified way: the system uses them to implement key lifecycle management (generation, distribution, update, revocation, destruction, recovery, archiving and query) and unified maintenance operations.
Through the integrated management platform, the key management system manages key attributes as objects and gives them an abstract definition. The defined key attributes are managed and used in the form of strategies and templates, which makes custom extension of key attributes easy, helps administrators manage and maintain key attributes, and improves the efficiency of key attribute object management. In addition, the technique of the present invention removes the key index that ran through the whole key management process, avoids keys becoming unreadable or unusable because of duplicate key indexes, and eliminates this hidden danger in key attribute object management.
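As an added illustration (not the applicant's code, which the patent does not disclose), the following Python models the definitions above (key template, policy template, key strategy, the disabled-by-default template state that only the security officer's audit lifts, and the pool-below-X-generate-Y condition capped by the policy template's maximum quantity) together with execution steps A to E. The cipher machine is simulated with random bytes for symmetric keys only, and every class, field and sample value is an assumption.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
class TemplateState(Enum):
    DISABLED = "disabled"   # default after definition; unusable until audited
    ENABLED = "enabled"     # set only by the security officer's audit

@dataclass
class KeyTemplate:           # key attributes: algorithm type, key type, strength, generator
    name: str                # identifier of the template (must be unique)
    algorithm_type: str      # "symmetric" or "asymmetric"
    key_type: str            # application type of the key (constructed label)
    key_strength: int        # key length or modulus length in bits
    key_generator: str       # which cipher machine produces the key
    state: TemplateState = TemplateState.DISABLED
@dataclass
class PolicyTemplate:
    name: str
    validity_days: int       # key validity period
    generation_method: str   # "random" or "keyboard"
    max_quantity: int        # maximum keys per strategy execution
    storage_carrier: str     # "database" or "device"
@dataclass
class PolicyAttributes:      # key strategy attributes
    low_watermark: int       # X: refill when the pool holds fewer keys than this
    refill_count: int        # Y: keys requested per automatic run
    retention_days: int      # how long key data stays in the database
    start_time: datetime = None   # None means execute immediately
@dataclass
class KeyStrategy:           # key template + policy template + strategy attributes
    name: str
    key_template: KeyTemplate
    policy_template: PolicyTemplate
    attributes: PolicyAttributes

class SimulatedCipherMachine:
    """Stand-in for the cipher machine: random bytes as placeholder key material."""
    def generate(self, instruction: dict) -> list:
        if instruction["algorithm_type"] != "symmetric" or instruction["generation_method"] != "random":
            raise NotImplementedError("only random symmetric generation is simulated here")
        return [secrets.token_bytes(instruction["key_strength"] // 8)
                for _ in range(instruction["count"])]

class ManagementPlatform:
    def __init__(self):
        self.key_templates, self.policy_templates = {}, {}
        self.database = {}   # records keyed by key fingerprint, not by a hand-assigned index

    def define_key_template(self, tpl: KeyTemplate) -> None:   # step one
        if tpl.name in self.key_templates:
            raise ValueError(f"key template {tpl.name!r} already defined")
        tpl.state = TemplateState.DISABLED   # default state, whatever the caller set
        self.key_templates[tpl.name] = tpl

    def audit_key_template(self, name: str) -> None:   # security officer review enables it
        self.key_templates[name].state = TemplateState.ENABLED

    def define_policy_template(self, pol: PolicyTemplate) -> None:   # step two
        if pol.name in self.policy_templates:
            raise ValueError(f"policy template {pol.name!r} already defined")
        self.policy_templates[pol.name] = pol

    def build_strategy(self, name, tpl_name, pol_name, attrs) -> KeyStrategy:   # step three
        tpl = self.key_templates[tpl_name]
        if tpl.state is not TemplateState.ENABLED:
            raise PermissionError(f"key template {tpl_name!r} has not been audited")
        return KeyStrategy(name, tpl, self.policy_templates[pol_name], attrs)

    def plan_generation(self, strategy: KeyStrategy, pool_size: int) -> int:
        # automatic generation condition: pool below X -> request Y, capped by max quantity
        a = strategy.attributes
        if pool_size >= a.low_watermark:
            return 0
        return min(a.refill_count, strategy.policy_template.max_quantity)

    def execute_strategy(self, strategy, pool_size, machine, now=None) -> list:   # steps A-E
        now = now or datetime.now()
        start = strategy.attributes.start_time
        count = 0 if start is not None and now < start else self.plan_generation(strategy, pool_size)
        if count == 0:
            return []                    # nothing due: scheduled later or pool above the watermark
        tpl, pol = strategy.key_template, strategy.policy_template
        instruction = {                  # the "secure packet instruction" sent to the cipher machine
            "algorithm_type": tpl.algorithm_type, "key_type": tpl.key_type,
            "key_strength": tpl.key_strength, "generator": tpl.key_generator,
            "generation_method": pol.generation_method, "count": count}
        stored = []
        for material in machine.generate(instruction):
            fingerprint = hashlib.sha256(material).hexdigest()
            self.database[fingerprint] = {
                "strategy": strategy.name, "carrier": pol.storage_carrier,
                "valid_until": now + timedelta(days=pol.validity_days),
                "retain_until": now + timedelta(days=strategy.attributes.retention_days),
                "material": material}    # a real system would wrap this under a storage key
            stored.append(fingerprint)
        return stored
```

Because records are keyed by a fingerprint of the key material rather than by an operator-chosen index, the one-key-many-indexes and one-index-many-keys collisions described in the background cannot arise in this model.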

Claims (9)

1. An objectified key management system, characterised in that it comprises an asymmetric key management service module, a symmetric key management service module, an integrated management platform, a cipher machine and a database; the asymmetric key management service module is connected to the integrated management platform, the cipher machine and the database respectively; and the symmetric key management service module is connected to the integrated management platform, the cipher machine and the database respectively.
2. The system according to claim 1, characterised in that it further comprises a USBKey module used for identity authentication, operation signing and access control.
3. A key management method based on the system of claim 2, the specific steps being: one, the key management system defines key templates, through the integrated management platform, according to key attributes; two, the key management system defines policy templates, through the integrated management platform, according to policies; three, the defined key templates and policy templates are combined to form the final key strategies; four, the corresponding key management operations are completed by executing the different key strategies.
4. The method according to claim 3, wherein the key template comprises a key template name, a template state, a template descriptor and key attributes.
5. The method according to claim 4, wherein the default state of a key template is disabled, and after the security officer has audited the key template the template state is changed to enabled.
6. The method according to claim 3, wherein the policy template comprises a policy template name, a key validity period, a generation method, a maximum producible quantity and a key storage carrier.
7. The method according to claim 3, wherein the key strategy comprises a key strategy name, a defined key template, a defined policy template, key strategy attributes and a key strategy descriptor.
8. The method according to claim 7, wherein the key strategy attributes comprise an automatic generation condition, a key retention time and the time at which the strategy starts to generate keys.
9. The method according to any one of claims 3 to 8, wherein the specific steps for executing a key strategy are: A, the key management system selects a defined key strategy through the integrated management platform; B, the integrated management platform sends the selected key strategy to the key management service module; C, the key management service module receives and parses the key strategy and forwards it to the cipher machine as a secure packet instruction; D, the cipher machine performs the corresponding operation according to the secure packet instruction and returns the key data in the secure packet instruction format; E, the key management service module receives the key data, processes it securely and stores it in the database.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310350700.9A CN103414554B (en) 2013-08-13 2013-08-13 A kind of key management method of objectification key management system

Publications (2)

Publication Number Publication Date
CN103414554A true CN103414554A (en) 2013-11-27
CN103414554B CN103414554B (en) 2016-06-22

Family

ID=49607540

Country Status (1)

Country Link
CN (1) CN103414554B (en)


Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101515319A (en) * 2008-02-19 2009-08-26 联想(北京)有限公司 Cipher key processing method, cipher key cryptography service system and cipher key consultation method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
汤建忠等: "CA安全认证系统的研究与实现", 《计算机工程与科学》 *
罗建超: "基于PKCS#11规范的公共安全平台的研究与实现", 《电子科技大学硕士论文》 *
陆沁刚: "PKI技术在国税绿色通道中的应用和实践", 《上海交通大学工程硕士学位论文》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103795549A (en) * 2014-02-28 2014-05-14 成都卫士通信息产业股份有限公司 Communication content encryption and decryption method and encryption management method based on CS mode
CN104301332A (en) * 2014-10-31 2015-01-21 成都卫士通信息产业股份有限公司 Secret key distribution system based on wireless cascading
CN104301332B (en) * 2014-10-31 2017-10-27 成都卫士通信息产业股份有限公司 A kind of key distribution system based on wireless cascade
CN104868991A (en) * 2015-05-07 2015-08-26 杭州华三通信技术有限公司 Security parameter index (SPI) conflict processing method and group key server (KS)
CN104868991B (en) * 2015-05-07 2018-09-04 新华三技术有限公司 A kind of Security Parameter Index conflict processing method and group key server KS
CN113541937A (en) * 2021-06-25 2021-10-22 华东师范大学 Cipher key management method based on cipher strategy

Also Published As

Publication number Publication date
CN103414554B (en) 2016-06-22


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: No. 333, Yunhua Road, Chengdu hi tech Zone, China (Sichuan) pilot Free Trade Zone, Chengdu, Sichuan 610041

Patentee after: China Electronics Technology Network Security Technology Co.,Ltd.

Address before: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc.