CN105591738B - A kind of key updating method and device - Google Patents
A kind of key updating method and device Download PDFInfo
- Publication number
- CN105591738B CN105591738B CN201510980172.4A CN201510980172A CN105591738B CN 105591738 B CN105591738 B CN 105591738B CN 201510980172 A CN201510980172 A CN 201510980172A CN 105591738 B CN105591738 B CN 105591738B
- Authority
- CN
- China
- Prior art keywords
- data volume
- key
- encrypted
- flow
- group
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 25
- 230000004044 response Effects 0.000 claims description 12
- 208000033748 Device issues Diseases 0.000 abstract 1
- 238000010586 diagram Methods 0.000 description 5
- 230000008569 process Effects 0.000 description 4
- 230000006870 function Effects 0.000 description 2
- 230000006855 networking Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/068—Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Telephonic Communication Services (AREA)
Abstract
The application provides a kind of key updating method and device, is applied to key server, this method comprises: the data volume that each member device uses current key to encrypt in acquisition group;The data volume summation that all member devices are encrypted using the current key in statistics group;When the encryption data amount summation is greater than or equal to preset first data-quantity threshold, into group, each member device issues new key.It can effectively reduce the risk of Key Exposure under big flow background by the application, improve security of system.
Description
Technical Field
The present application relates to the field of network communication technologies, and in particular, to a method and an apparatus for updating a secret key.
Background
GD VPN (Group Domain Virtual Private Network) is a solution to realize centralized management of keys and security policies. The GD VPN network mainly comprises a KS (Key Server) and a GM (Group Member), wherein the KS is responsible for creating and maintaining a Key and issuing the Key and a security policy to the GM; the GM is a route forwarding device using keys and security policies.
In order to improve the security of the traffic flow, the key used by the GM needs to be updated regularly. At present, a key updating mode mainly comprises that KS issues a new key to GM period. In the key updating mode, under the condition of large service flow, the same key can be used for encrypting excessive data, so that the risk of key leakage is increased.
Disclosure of Invention
In view of the above, the present application provides a method and an apparatus for updating a key.
Specifically, the method is realized through the following technical scheme:
the application provides a secret key updating method, which is applied to a secret key server and comprises the following steps:
acquiring the data volume encrypted by each member device in the group by using the current key;
counting the sum of the data volume encrypted by all member devices in the group by using the current key;
and when the total amount of the encrypted data is greater than or equal to a preset first data amount threshold value, issuing a new key to each member device in the group.
The present application further provides a key update apparatus applied to a key server, the apparatus including:
the acquisition unit is used for acquiring the data volume encrypted by each member device in the group by using the current key;
the statistical unit is used for counting the sum of the data volume encrypted by all the member devices in the group by using the current key;
and the issuing unit is used for issuing a new key to each member device in the group when the total encrypted data volume is greater than or equal to a preset first data volume threshold value.
It can be seen from the above description that the data volume encrypted by the same secret key is limited by counting the encrypted data volume of the member devices in the group, so that the risk of secret key leakage under the background of large flow is reduced, and the system security is improved.
Drawings
FIG. 1 is a GD VPN networking schematic;
FIG. 2 is a flow chart of a rekeying method shown in an exemplary embodiment of the present application;
fig. 3 is a schematic diagram of a basic hardware structure of a device in which a key update apparatus is located according to an exemplary embodiment of the present application;
fig. 4 is a schematic structural diagram of a key update apparatus according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The GD VPN is a solution for realizing centralized management of keys and security policies, and is a point-to-multipoint tunnel-free connection. GD VPN provides a group-based IPsec (Internet Protocol Security) Security model, where all members in the same group share the same Security policy and key.
FIG. 1 is a schematic diagram of GD VPN networking, the network mainly consists of a key server KS and member devices GM (GM 1-GM 3), wherein KS is responsible for creating and maintaining keys and issuing keys and security policies to GM; the GM is a route forwarding device using keys and security policies.
In order to improve the security of GM traffic, the keys used by the GM need to be updated regularly. At present, a key updating mode mainly comprises that KS issues a new key to GM period. In the key updating mode, under the condition of large service flow, the same key can be used for encrypting excessive data, so that the risk of key leakage is increased.
In view of the foregoing problems, an embodiment of the present application provides a key updating method, where the method counts an amount of encrypted data of member devices in a group, and updates a key for the member devices based on the amount of encrypted data.
Referring to fig. 2, a flowchart of an embodiment of a key update method according to the present application is shown, and the key update process is described in this embodiment.
Step 201, acquiring the data volume encrypted by each member device in the group by using the current key.
In the embodiment of the present application, the key server may obtain the encrypted data volume of the member device in at least the following two ways:
in a first mode, the member device actively announces
Specifically, the traffic notification message sent by the receiving member device every time the amount of data encrypted using the current key reaches the second data amount threshold (e.g., N bytes) is received. Wherein the second data amount threshold may be determined by: first, a second data volume threshold is pre-configured on the key server, and when the member device registers with the key server, the key server pushes the second data volume threshold to the member device.
In an implementation manner, the key server may add a second data size threshold to a field corresponding to a TA load by adding a new payload type (TA load for short), and send a group key-PUSH exchange packet carrying the TA load to the member device, so as to achieve a purpose of pushing the second data size threshold to the member device. Wherein, the Group key-PUSH exchange message is a GDOI (Group Domain of Interpretation) protocol message.
The member device may use the second data volume threshold pushed by the key server as a basis for sending the traffic notification message, or may configure the second data volume threshold according to the network environment, instead of the second data volume threshold sent by the key server.
For example, assuming that the second data volume threshold configured on the key server KS is 1000 bytes, the member devices GM 1-GM 3 register with the KS, respectively, and during the registration process, the GM 1-GM 3 all receive the second data volume threshold (1000 bytes) pushed by the KS. The member device may use the second data volume threshold value pushed by the key server as a default value, and send the traffic notification message using the second data volume threshold value, that is, send the traffic notification message to the key server once every 1000 bytes are encrypted. Since the second data volume threshold is configured by the key server, the member device may not carry the second data volume threshold when sending the traffic advertisement packet to the key server. If the second data volume threshold value of the GM1 to be modified by a network administrator according to the network operation condition is 2000 bytes, the second data volume threshold value can be configured on the GM1 independently, after configuration, the GM1 sends a traffic notification message to the key server once every 2000 bytes of encryption, and the currently used second data volume threshold value is carried in the traffic notification message, so that the KS can carry out the second data volume threshold value carried in the traffic notification message according to the second data volume threshold value
In an implementation manner, the member device may also send a group key-PULL exchange packet carrying the TA load to the key server as a traffic notification packet by adding the currently-used second data volume threshold to the TA load corresponding field, where the group key-PULL exchange packet is a GDOI protocol packet.
The key server counts the number of the traffic advertisement messages received under the current key, and then calculates the data volume encrypted by the member device using the current key according to the second data volume threshold and the number of the traffic advertisement messages, for example, the second data volume threshold is 1000 bytes, the number of the received traffic advertisement messages is 5, and the encrypted data volume of the member device under the current key is 1000 × 5 — 5000 bytes.
Mode two, the key server actively inquires
Specifically, the key server periodically sends a Traffic query message to the group member devices, and in an implementation manner, the key server in the embodiment of the present application may send, to the member devices, a group public key-PUSH exchange message carrying an ET load as the Traffic query message through a new added load type (acquire Traffic Payload, abbreviated as ET load).
The member equipment self-counts the data volume encrypted by using the current key, and responds a flow response message to the key server according to the received flow query message, wherein the flow response message carries the data volume encrypted by the current key counted by the member equipment. In an implementation manner, the member device may send a group key-PULL exchange message carrying the ET payload to the key server as a traffic response message by adding the data volume encrypted by using the current key to the corresponding field of the ET payload.
And after receiving the flow response message, the key server directly acquires the current key encryption data volume counted by the member equipment from the flow response message.
Step 202, sum of the encrypted data amount of all member devices in the group under the current key is counted.
And step 203, when the total amount of the encrypted data is greater than or equal to a preset data amount threshold value, issuing a new key to each member device in the group.
And the key server judges whether the key needs to be updated according to the total encrypted data volume of the member equipment in the group. And controlling the data volume encrypted by the same key by presetting a data volume threshold value, thereby reducing the risk of key leakage.
From the above description, it can be seen that, under a large traffic flow, the method and the device can effectively reduce the data volume encrypted by the same key, and particularly, under the condition of a longer key updating period, can effectively improve the system security.
Corresponding to the embodiment of the key updating method, the application also provides an embodiment of the key updating device.
The embodiment of the key updating device can be applied to an encryption server or member equipment. The device embodiments may be implemented by software, or by hardware, or by a combination of hardware and software. A software implementation is taken as an example, and a logical means is formed by a processor of the device in which it is located running corresponding computer program instructions in a memory. From a hardware aspect, as shown in fig. 3, the present application is a hardware structure diagram of a device in which a key updating apparatus is located, except for the processor, the network interface, and the memory shown in fig. 3, the device in which the apparatus is located in the embodiment may also include other hardware according to an actual function of the device, which is not described again.
Please refer to fig. 4, which is a schematic structural diagram of a key update apparatus according to an embodiment of the present application. The key updating apparatus includes an obtaining unit 401, a counting unit 402, and a sending unit 403, where:
an obtaining unit 401, configured to obtain a data amount encrypted by each member device in the group using the current key;
a counting unit 402, configured to count a sum of data amounts encrypted by all member devices in the group using the current key;
an issuing unit 403, configured to issue a new key to each member device in the group when the total encrypted data amount is greater than or equal to a preset first data amount threshold.
Further, the air conditioner is provided with a fan,
the obtaining unit 401 is specifically configured to receive a traffic notification message sent by the member device when the data volume encrypted by using the current key reaches a second data volume threshold, where the traffic notification message carries the second data volume threshold; counting the number of the flow notification messages received under the current key; and calculating the data volume encrypted by the member equipment by using the current key according to the second data volume threshold and the counted number of the flow notification messages.
Further, the apparatus further comprises:
a configuration unit, configured to configure a second data amount threshold before the obtaining unit 401 obtains the data amount encrypted by each member device in the group using the current key; pushing the second data volume threshold to the member device;
the obtaining unit 401 is specifically configured to receive a traffic notification message sent by the member device when the data volume encrypted by using the current key reaches the second data volume threshold; counting the number of the flow notification messages received under the current key; and calculating the data volume encrypted by the member equipment by using the current key according to the second data volume threshold and the counted number of the flow notification messages.
Further, the air conditioner is provided with a fan,
the obtaining unit 401 is specifically configured to send a traffic query message to the member device; and receiving a flow response message responded by the member equipment according to the flow query message, wherein the flow response message carries the data volume encrypted by the member equipment by using the current key.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.
Claims (6)
1. A key updating method is applied to a key server, and is characterized by comprising the following steps:
performing the following operations on each member device in the group: receiving a flow notification message sent by member equipment when the data volume encrypted by using the current key reaches a second data volume threshold; counting the number of the flow notification messages received under the current key; calculating the data volume encrypted by the member equipment by using the current key according to the second data volume threshold and the counted number of the flow notification messages;
or,
performing the following operations on each member device in the group: sending a flow query message to member equipment; receiving a flow response message responded by the member equipment according to the flow query message, wherein the flow response message carries the data volume encrypted by the member equipment by using the current key;
counting the sum of the data volume encrypted by all member devices in the group by using the current key;
and when the total amount of the encrypted data is greater than or equal to a preset first data amount threshold value, issuing a new key to each member device in the group.
2. The method of claim 1, wherein:
and the traffic notification message carries the second data volume threshold.
3. The method of claim 1, wherein the receiving member device, prior to the traffic advertisement message sent each time the amount of data encrypted using the current key reaches the second data amount threshold, further comprises:
configuring a second data volume threshold;
pushing the second data volume threshold to the member device.
4. A key update apparatus applied to a key server, the apparatus comprising:
the acquiring unit is used for receiving a flow notification message sent by the member equipment when the data volume encrypted by using the current key reaches a second data volume threshold; counting the number of the flow notification messages received under the current key; calculating the data volume encrypted by the member equipment by using the current key according to the second data volume threshold and the counted number of the flow notification messages; or sending a flow query message to the member equipment; receiving a flow response message responded by the member equipment according to the flow query message, wherein the flow response message carries the data volume encrypted by the member equipment by using the current key;
the statistical unit is used for counting the sum of the data volume encrypted by all the member devices in the group by using the current key;
and the issuing unit is used for issuing a new key to each member device in the group when the total encrypted data volume is greater than or equal to a preset first data volume threshold value.
5. The apparatus of claim 4, wherein:
and the traffic notification message carries the second data volume threshold.
6. The apparatus of claim 4, wherein the apparatus further comprises:
a configuration unit configured to configure a second data amount threshold; pushing the second data volume threshold to the member device.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510980172.4A CN105591738B (en) | 2015-12-22 | 2015-12-22 | A kind of key updating method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510980172.4A CN105591738B (en) | 2015-12-22 | 2015-12-22 | A kind of key updating method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105591738A CN105591738A (en) | 2016-05-18 |
| CN105591738B true CN105591738B (en) | 2018-12-25 |
Family
ID=55931014
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510980172.4A Active CN105591738B (en) | 2015-12-22 | 2015-12-22 | A kind of key updating method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105591738B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108494722A (en) * | 2018-01-23 | 2018-09-04 | 国网浙江省电力有限公司电力科学研究院 | Intelligent substation communication message completeness protection method |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102281535A (en) * | 2010-06-10 | 2011-12-14 | 华为技术有限公司 | Key updating method and apparatus thereof |
| CN102694647A (en) * | 2011-03-25 | 2012-09-26 | 株式会社东芝 | Node and group key updating method |
| CN103209072A (en) * | 2013-04-27 | 2013-07-17 | 杭州华三通信技术有限公司 | MACsec (Multi-Access Computer security) key updating method and equipment |
| CN103326853A (en) * | 2012-03-22 | 2013-09-25 | 中兴通讯股份有限公司 | Method and device for upgrading secret key |
| CN104394123A (en) * | 2014-11-06 | 2015-03-04 | 成都卫士通信息产业股份有限公司 | A data encryption transmission system and method based on an HTTP |
| CN104935593A (en) * | 2015-06-16 | 2015-09-23 | 杭州华三通信技术有限公司 | Data message transmitting method and device |
-
2015
- 2015-12-22 CN CN201510980172.4A patent/CN105591738B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102281535A (en) * | 2010-06-10 | 2011-12-14 | 华为技术有限公司 | Key updating method and apparatus thereof |
| CN102694647A (en) * | 2011-03-25 | 2012-09-26 | 株式会社东芝 | Node and group key updating method |
| CN103326853A (en) * | 2012-03-22 | 2013-09-25 | 中兴通讯股份有限公司 | Method and device for upgrading secret key |
| CN103209072A (en) * | 2013-04-27 | 2013-07-17 | 杭州华三通信技术有限公司 | MACsec (Multi-Access Computer security) key updating method and equipment |
| CN104394123A (en) * | 2014-11-06 | 2015-03-04 | 成都卫士通信息产业股份有限公司 | A data encryption transmission system and method based on an HTTP |
| CN104935593A (en) * | 2015-06-16 | 2015-09-23 | 杭州华三通信技术有限公司 | Data message transmitting method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105591738A (en) | 2016-05-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10869192B2 (en) | System and method of counter management and security key update for device-to-device group communication | |
| JP7178365B2 (en) | Method and system for Service Capability Exposure Function (SCEF)-based Internet of Things (IOT) communication | |
| US10601874B2 (en) | System and apparatus for providing network security | |
| EP2779589B1 (en) | Changing dynamic group VPN member reachability information | |
| JP2018502471A5 (en) | ||
| DE102018101812A1 (en) | Secure transfer of user information between applications | |
| US20220256343A1 (en) | Lattice mesh | |
| KR20120126098A (en) | Device management | |
| US10699031B2 (en) | Secure transactions in a memory fabric | |
| US20210182347A1 (en) | Policy-based trusted peer-to-peer connections | |
| JP2016051921A (en) | Communication system | |
| WO2018214701A1 (en) | Data message transmission method, network device, control device, and network system | |
| Dang et al. | Resource-efficient secure data sharing for information centric e-health system using fog computing | |
| WO2020025128A1 (en) | Certificate management | |
| CN105591738B (en) | A kind of key updating method and device | |
| CN105981028A (en) | Network element authentication in communication networks | |
| JP2023524829A (en) | An improved computer-implemented method of anonymous proximity tracking | |
| CN110933050A (en) | Privacy protection position sharing system and method | |
| CN114598724B (en) | Security protection method, device, equipment and storage medium for electric power Internet of things | |
| CN103581034B (en) | Message mirroring and encrypted transmitting method | |
| CN112511994B (en) | Multicast implementation method based on LoRaWan and supporting ACK mechanism | |
| EP3451607B1 (en) | Methods and devices for secure communication between network functions of a communication network | |
| CN113630242A (en) | Facilitating lossless security key flipping using data plane feedback | |
| Wozniak et al. | Geocast into the past: Towards a privacy-preserving spatiotemporal multicast for cellular networks | |
| WO2016118170A1 (en) | Configuration of a virtual local area network in a ring of devices |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information |
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Applicant after: Xinhua three Technology Co., Ltd. Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Applicant before: Huasan Communication Technology Co., Ltd. |
|
| CB02 | Change of applicant information | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |