CN105591738A - Key update method and device - Google Patents
Key update method and device Download PDFInfo
- Publication number
- CN105591738A CN105591738A CN201510980172.4A CN201510980172A CN105591738A CN 105591738 A CN105591738 A CN 105591738A CN 201510980172 A CN201510980172 A CN 201510980172A CN 105591738 A CN105591738 A CN 105591738A
- Authority
- CN
- China
- Prior art keywords
- data volume
- key
- threshold value
- current key
- encrypt
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/068—Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Telephonic Communication Services (AREA)
Abstract
The application provides a key update method and device, applied to a key server. The method comprises: obtaining the encryption data size of each member device in a set using a current key; running statistics on the encryption data size sum of all member devices in a set using the current key; and issuing a new key to each member device in a set when the encryption data size sum is greater than or equal to a preset first data size threshold. The key update method and device can effectively reduce the key leakage risk under a bulk flow background, and improve system security.
Description
Technical field
The application relates to network communications technology field, relates in particular to a kind of key updating method and device.
Background technology
GDVPN (GroupDomainVirtualPrivateNetwork, group territory virtual private networks)It is a kind of solution that realizes key and security strategy centralized management. GDVPN network is mainly by KS(KeyServer, key server) and GM (GroupMember, group membership) composition, wherein,KS is responsible for creating and maintenance key, and issues key and security strategy to GM; GM for use key andThe routing forwarding equipment of security strategy.
In order to improve the security of service traffics, the key that GM uses needs timing to upgrade. Close at presentKey update mode mainly issues new key by KS to the GM cycle. This key updating mode is in large businessIn the situation of flow, same key may be used to encrypt too much data, thereby has increased Key ExposureRisk.
Summary of the invention
In view of this, the application provides a kind of key updating method and device.
Particularly, the application is achieved by the following technical solution:
The application provides a kind of key updating method, is applied to key server, and the method comprises:
Obtain the data volume that in group, each member device uses current key to encrypt;
In statistics group, all member devices use the data volume summation that described current key is encrypted;
In the time that described enciphered data amount summation is more than or equal to the first default data volume threshold value, to every in groupA member device issues new key.
The application also provides a kind of key update device, is applied to key server, and this device comprises:
Acquiring unit, for obtaining the data volume that in group, each member device uses current key to encrypt;
Statistic unit, for adding up the data volume that in group, all member devices use described current key to encryptSummation;
Issue unit, for being more than or equal to the first default data volume threshold when described enciphered data amount summationWhen value, issue new key to each member device in group.
Can be found out by above description, the application is by the enciphered data amount of statistics group member equipment, rightThe data volume of same secret key encryption limits, thereby reduces the risk of Key Exposure under large flow background,Improve security of system.
Brief description of the drawings
Fig. 1 is GDVPN networking schematic diagram;
Fig. 2 is a kind of key updating method flow chart shown in the application's one exemplary embodiment;
Fig. 3 is the basis of a kind of key update device place equipment shown in the application's one exemplary embodimentHardware configuration schematic diagram;
Fig. 4 is the structural representation of a kind of key update device shown in the application's one exemplary embodiment.
Detailed description of the invention
Here will at length describe exemplary embodiment, its sample table shows in the accompanying drawings. BelowWhen description relates to accompanying drawing, unless separately there is expression, the same numbers in different accompanying drawings represents same or analogousKey element. Embodiment described in following exemplary embodiment does not represent the institute consistent with the applicationThere is embodiment. On the contrary, they be only with as in appended claims, described in detail, the application oneThe example of the consistent apparatus and method in a little aspects.
Be only for describing the object of specific embodiment at term used in this application, but not be intended to restrictionThe application. " one ", " institute of the singulative using in the application and appended claimsState " and " being somebody's turn to do " be also intended to comprise most forms, unless context clearly represents other implications. Also shouldWork as understanding, term "and/or" used herein refer to and comprise one or more be associated list itemAny or all may combine object.
Although should be appreciated that may to adopt term first, second, third, etc. to describe in the application variousInformation, but these information should not be limited to these terms. These terms be only used for by the information of same type thatThis distinguishes. For example, in the situation that not departing from the application's scope, the first information also can be called asTwo information, similarly, the second information also can be called as the first information. Depend on linguistic context, as in this instituteUse word " if " can be construed as into " ... time " or " when ... time " or " responseIn determining ".
GDVPN is a kind of solution that realizes key and security strategy centralized management, is that a kind of point arrivesThe non-tunnel of multiple spot connects. GDVPN provides a kind of IPsec (InternetProtocol based on groupSecurity, procotol security) security model, all members in same group share identical peaceFull strategy and key.
Figure 1 shows that GDVPN networking schematic diagram, this network is mainly by key server KS and memberEquipment GM (GM1~GM3) composition, wherein, KS is responsible for creating and maintenance key, and under GMSend out key and security strategy; GM is the routing forwarding equipment that uses key and security strategy.
In order to improve the security of GM service traffics, the key that GM uses needs timing to upgrade. At presentKey updating mode mainly issues new key by KS to the GM cycle. This key updating mode is in great causeIn the situation of business flow, same key may be used to encrypt too much data, thereby has increased Key ExposureRisk.
For the problems referred to above, the embodiment of the present application proposes a kind of key updating method, in the method statistics groupThe enciphered data amount of member device, and based on this enciphered data amount, member device is carried out to key updating.
Referring to Fig. 2, be an embodiment flow chart of the application's key updating method, this embodiment is to closeKey renewal process is described.
Step 201, obtains the data volume that in group, each member device uses current key to encrypt.
In the embodiment of the present application, key server at least can obtain member device by following two kinds of modesEnciphered data amount:
Mode one, member device is initiatively noticed
Be specially, receive member device and often reach the second data volume in the data volume that uses current key to encryptThe flow notification packet for example, sending when threshold value (, N byte). Wherein, the second data volume threshold value canDetermine in the following way: first, on key server, pre-configured the second data volume threshold value, treats asWhen member's equipment is registered to key server, by key server, the second data volume threshold value is pushed to member and establishesStandby.
In one embodiment, key server can be by newly-increased load type (TrafficAnnouncementPayload, is called for short TA load), in TA load corresponding field, add the second numberAccording to amount threshold value, and send the GROUPKEY-PUSH exchange message that carries TA load to member device,To realize the object that pushes the second data volume threshold value to member device. Wherein, GROUPKEY-PUSHExchange message is GDOI (GroupDomainofInterpretation, the group domain of interpretation) protocol massages.
The second data volume threshold value that member device can use key server to push is logical as transmitted trafficThe foundation of accusing message, also can configure the second data volume threshold value voluntarily according to network environment, replaces cipher key serviceThe second data volume threshold value that device issues.
For example, suppose that the second data volume threshold value of the upper configuration of key server KS is 1000 bytes, becomeMember's equipment GM1~GM3 is respectively to KS registration, and in registration process, GM1~GM3 all receives KSThe the second data volume threshold value (1000 bytes) pushing. Member device can push key serverThe second data volume threshold value is worth by default, uses this second data volume threshold value transmitted traffic notification packet,1000 bytes of every encryption send a flow notification packet to key server. Due to this second data volumeThreshold value is configured by key server, and therefore, member device is to key server transmitted traffic notification packetTime can not carry the second data volume threshold value. If network manager intends amendment according to network operation situationThe second data volume threshold value of GM1 is 2000 bytes, can on GM1, configure separately, and after configuration,2000 bytes of the every encryption of GM1 send a flow notification packet to key server, and make currentWith the second data volume threshold value be carried in flow notification packet so that KS is according in flow notification packetThe second data volume threshold value of carrying
In one embodiment, member device also can be current by adding in TA load corresponding fieldThe second data volume threshold value adopting, sends and carries this TA load to key serverGROUPKEY-PULL exchanges message as flow notification packet, wherein, and this GROUPKEY-PULLExchange message is GDOI protocol massages.
The quantity of the flow notification packet receiving under key server statistics current key, then according to secondThe quantity of data volume threshold value and flow notification packet is calculated the data that member device uses current key to encryptAmount, for example, the second data volume threshold value is 1000 bytes, the flow notification packet quantity of reception is 5Individual, the enciphered data amount of this member device under current key is 1000*5=5000 byte.
Mode two, key server active inquiry
Be specially, key server is periodically to group member's equipment transmitted traffic query message, in oneIn embodiment, the key server of the embodiment of the present application can be by newly-increased load type (EnquireTrafficPayload, be called for short ET load), send and carry ET load to member deviceGROUPKEY-PUSH exchange message is as flow query message.
Member device is added up the data volume that uses current key to encrypt voluntarily, and according to the flow inquiry receivingMessage is responded flow response message to key server, carries member device system in this flow response messageThe data volume that the current key of meter is encrypted. In one embodiment, member device can be by carrying at ETIn lotus corresponding field, add the data volume that uses current key to encrypt, send and carry this ET to key serverThe GROUPKEY-PULL exchange message of load is as flow response message.
Key server receives after flow response message, directly obtains member and establish from this flow response messageThe current key enciphered data amount of standby statistics.
Step 202, the enciphered data amount summation of all member devices under current key in statistics group.
Step 203, in the time that described enciphered data amount summation is more than or equal to default data volume threshold value, toIn group, each member device issues new key.
The enciphered data amount that key server is total according to group member's equipment, judges whether more new key.By preset data amount threshold value, control the data volume that adopts same key to be encrypted, thereby reduce keyThe risk of revealing.
Can be found out by foregoing description, under large service traffics, the application can effectively reduce same key and addClose data volume, the in the situation that of particularly length in the key updating cycle, can effectively improve security of system.
Corresponding with the embodiment of aforementioned key updating method, the application also provides key update deviceEmbodiment.
The embodiment of the application's key update device can be applied on encryption server or member device. DressPutting embodiment can realize by software, also can realize by the mode of hardware or software and hardware combining.Being embodied as example with software, as the device on a logical meaning, is by the processor of its place equipmentIn run memory, corresponding computer program instructions forms. Say from hardware view, as shown in Figure 3,For a kind of hardware structure diagram of the application's key update device place equipment, except the processor shown in Fig. 3,Outside network interface and memory, in embodiment, install the equipment at place conventionally according to the reality of this equipmentBorder function, can also comprise other hardware, and this is repeated no more.
Please refer to Fig. 4, is the structural representation of the key update device in embodiment of the application. ShouldKey update device comprises acquiring unit 401, statistic unit 402 and issues unit 403, wherein:
Acquiring unit 401, for obtaining the data that in group, each member device uses current key to encryptAmount;
Statistic unit 402, for adding up the number that in group, all member devices use described current key to encryptAccording to amount summation;
Issue unit 403, for being more than or equal to the first default data when described enciphered data amount summationAmount is when threshold value, issues new key to each member device in group.
Further,
Described acquiring unit 401, is being used described current key to add specifically for receiving described member deviceThe flow notification packet that close data volume sends while often reaching the second data volume threshold value, described flow is noticed reportIn literary composition, carry described the second data volume threshold value; The described flow notification packet receiving under statistics current keyQuantity; Described in calculating according to the quantity of the flow notification packet of described the second data volume threshold value and statisticsThe data volume that member device uses current key to encrypt.
Further, described device also comprises:
Dispensing unit, uses current for obtain each member device in group in described acquiring unit 401Before the data volume of secret key encryption, configuration the second data volume threshold value; Push described to described member deviceTwo data volume threshold values;
Described acquiring unit 401, is being used described current key to add specifically for receiving described member deviceThe flow notification packet that close data volume sends while often reaching described the second data volume threshold value; Add up current closeThe quantity of the described flow notification packet receiving under key; According to described the second data volume threshold value and statisticsThe quantity of flow notification packet calculate the data volume that described member device uses current key to encrypt.
Further,
Described acquiring unit 401, specifically for to described member device transmitted traffic query message; ReceiveThe flow response message that described member device is responded according to described flow process query message, described flow response reportIn literary composition, carry the data volume that described member device uses current key to encrypt.
In said apparatus, the implementation procedure of the function and efficacy of unit specifically refers in said method correspondingThe implementation procedure of step, does not repeat them here.
For device embodiment, because it corresponds essentially to embodiment of the method, so relevant part ginsengSee the part explanation of embodiment of the method. Device embodiment described above is only schematically,The wherein said unit as separating component explanation can or can not be also physically to separate, and doesThe parts that show for unit can be or can not be also physical locations, can be positioned at a place,Or also can be distributed on multiple NEs. Can select according to the actual needs part wherein orThe whole modules of person realize the object of the application's scheme. Those of ordinary skill in the art are not paying creativenessIn the situation of work, be appreciated that and implement.
The foregoing is only the application's preferred embodiment, not in order to limit the application, all at thisWithin the spirit and principle of application, any amendment of making, be equal to replacement, improvement etc., all should be included inWithin the scope of the application's protection.
Claims (8)
1. a key updating method, is applied to key server, it is characterized in that, the method comprises:
Obtain the data volume that in group, each member device uses current key to encrypt;
In statistics group, all member devices use the data volume summation that described current key is encrypted;
In the time that described enciphered data amount summation is more than or equal to the first default data volume threshold value, to every in groupA member device issues new key.
2. the method for claim 1, is characterized in that, described in obtain group in each member establishThe standby data volume that uses current key to encrypt, comprising:
Receive described member device and often reach the second data volume in the data volume that uses described current key to encryptThe flow notification packet sending when threshold value, carries described the second data volume threshold value in described flow notification packet;
The quantity of the described flow notification packet receiving under statistics current key;
Calculate described member according to the quantity of the flow notification packet of described the second data volume threshold value and statisticsThe data volume that equipment uses current key to encrypt.
3. the method for claim 1, is characterized in that, described in obtain group in each member establishBefore the standby data volume that uses current key encryption, also comprise:
Configure the second data volume threshold value;
Push described the second data volume threshold value to described member device;
The described data volume of obtaining each member device use current key encryption in group, comprising:
Receive described member device and often reach described the second number in the data volume that uses described current key to encryptThe flow notification packet sending during according to amount threshold value;
The quantity of the described flow notification packet receiving under statistics current key;
Calculate described member according to the quantity of the flow notification packet of described the second data volume threshold value and statisticsThe data volume that equipment uses current key to encrypt.
4. the method for claim 1, is characterized in that, described in obtain group in each member establishThe standby data volume that uses current key to encrypt, comprising:
To described member device transmitted traffic query message;
Receive the flow response message that described member device is responded according to described flow process query message, described streamIn amount response message, carry the data volume that described member device uses current key to encrypt.
5. a key update device, is applied to key server, it is characterized in that, this device comprises:
Acquiring unit, for obtaining the data volume that in group, each member device uses current key to encrypt;
Statistic unit, for adding up the data volume that in group, all member devices use described current key to encryptSummation;
Issue unit, for being more than or equal to the first default data volume threshold when described enciphered data amount summationWhen value, issue new key to each member device in group.
6. device as claimed in claim 5, is characterized in that:
Described acquiring unit, is being used described current key to encrypt specifically for receiving described member deviceThe flow notification packet that data volume sends while often reaching the second data volume threshold value, in described flow notification packetCarry described the second data volume threshold value; The number of the described flow notification packet receiving under statistics current keyAmount; Calculate described member according to the quantity of the flow notification packet of described the second data volume threshold value and statisticsThe data volume that equipment uses current key to encrypt.
7. device as claimed in claim 5, is characterized in that, described device also comprises:
Dispensing unit, uses current key for obtain each member device in group in described acquiring unitBefore the data volume of encrypting, configuration the second data volume threshold value; Push described the second number to described member deviceAccording to amount threshold value;
Described acquiring unit, is being used described current key to encrypt specifically for receiving described member deviceThe flow notification packet that data volume sends while often reaching described the second data volume threshold value; Under statistics current keyThe quantity of the described flow notification packet receiving; According to the stream of described the second data volume threshold value and statisticsThe quantity of amount notification packet is calculated the data volume that described member device uses current key to encrypt.
8. device as claimed in claim 5, is characterized in that:
Described acquiring unit, specifically for to described member device transmitted traffic query message; Described in receptionThe flow response message that member device is responded according to described flow process query message, in described flow response messageCarry the data volume that described member device uses current key to encrypt.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510980172.4A CN105591738B (en) | 2015-12-22 | 2015-12-22 | A kind of key updating method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510980172.4A CN105591738B (en) | 2015-12-22 | 2015-12-22 | A kind of key updating method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105591738A true CN105591738A (en) | 2016-05-18 |
| CN105591738B CN105591738B (en) | 2018-12-25 |
Family
ID=55931014
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510980172.4A Active CN105591738B (en) | 2015-12-22 | 2015-12-22 | A kind of key updating method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105591738B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108494722A (en) * | 2018-01-23 | 2018-09-04 | 国网浙江省电力有限公司电力科学研究院 | Intelligent substation communication message completeness protection method |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102281535A (en) * | 2010-06-10 | 2011-12-14 | 华为技术有限公司 | Key updating method and apparatus thereof |
| CN102694647A (en) * | 2011-03-25 | 2012-09-26 | 株式会社东芝 | Node and group key updating method |
| CN103209072A (en) * | 2013-04-27 | 2013-07-17 | 杭州华三通信技术有限公司 | MACsec (Multi-Access Computer security) key updating method and equipment |
| CN103326853A (en) * | 2012-03-22 | 2013-09-25 | 中兴通讯股份有限公司 | Method and device for upgrading secret key |
| CN104394123A (en) * | 2014-11-06 | 2015-03-04 | 成都卫士通信息产业股份有限公司 | A data encryption transmission system and method based on an HTTP |
| CN104935593A (en) * | 2015-06-16 | 2015-09-23 | 杭州华三通信技术有限公司 | Data message transmitting method and device |
-
2015
- 2015-12-22 CN CN201510980172.4A patent/CN105591738B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102281535A (en) * | 2010-06-10 | 2011-12-14 | 华为技术有限公司 | Key updating method and apparatus thereof |
| CN102694647A (en) * | 2011-03-25 | 2012-09-26 | 株式会社东芝 | Node and group key updating method |
| CN103326853A (en) * | 2012-03-22 | 2013-09-25 | 中兴通讯股份有限公司 | Method and device for upgrading secret key |
| CN103209072A (en) * | 2013-04-27 | 2013-07-17 | 杭州华三通信技术有限公司 | MACsec (Multi-Access Computer security) key updating method and equipment |
| CN104394123A (en) * | 2014-11-06 | 2015-03-04 | 成都卫士通信息产业股份有限公司 | A data encryption transmission system and method based on an HTTP |
| CN104935593A (en) * | 2015-06-16 | 2015-09-23 | 杭州华三通信技术有限公司 | Data message transmitting method and device |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108494722A (en) * | 2018-01-23 | 2018-09-04 | 国网浙江省电力有限公司电力科学研究院 | Intelligent substation communication message completeness protection method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105591738B (en) | 2018-12-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8732462B2 (en) | Methods and apparatus for secure data sharing | |
| CN105634998B (en) | Method and system for unified monitoring of physical machine and virtual machine in multi-tenant environment | |
| US7890760B2 (en) | Secure method of termination of service notification | |
| JP2023154044A (en) | Flow control for probabilistic relay in blockchain network | |
| PH12020550861A1 (en) | Data control method and terminal device | |
| US9756047B1 (en) | Embedding security posture in network traffic | |
| KR20160018431A (en) | System and method of counter managementand security key update for device-to-device(d2d) group communication | |
| CN109104273B (en) | Message processing method and receiving end server | |
| US20210182347A1 (en) | Policy-based trusted peer-to-peer connections | |
| US20130166677A1 (en) | Role-based access control method and apparatus in distribution system | |
| WO2022126972A1 (en) | Data communication method, key management system, device, and storage medium | |
| EP3288235B1 (en) | System and apparatus for enforcing a service level agreement (sla) in a cloud environment using digital signatures | |
| CN103858389A (en) | Session transmission method, client and Push server | |
| CN113472634B (en) | Instant messaging method, device and system, storage medium and electronic device | |
| CN103209107A (en) | Method for realizing user access control | |
| CN105591738A (en) | Key update method and device | |
| CN114598724B (en) | Security protection method, device, equipment and storage medium for electric power Internet of things | |
| US20160054949A1 (en) | Method for storing data in a computer system performing data deduplication | |
| Kamoun-Abid et al. | Distributed and Cooperative firewall/controller in cloud environments | |
| CN103581034A (en) | Message mirroring and encrypted transmitting method | |
| CN113259347A (en) | Equipment safety system and equipment behavior management method in industrial Internet | |
| KR101888952B1 (en) | Client and operation method of client | |
| CN102299942A (en) | Method and system for managing agent network device | |
| CN101009597A (en) | Subdivision method of the user network access style and network system | |
| US10742480B2 (en) | Network management as a service (MaaS) using reverse session-origination (RSO) tunnel |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information | ||
| CB02 | Change of applicant information |
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Applicant after: Xinhua three Technology Co., Ltd. Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Applicant before: Huasan Communication Technology Co., Ltd. |
|
| GR01 | Patent grant | ||
| GR01 | Patent grant |