CN105681031A - Storage encryption gateway key management system and method - Google Patents

Info

Publication number: CN105681031A
Authority: CN (China)
Prior art keywords: key, data, storage, encryption, encryption gateway
Legal status: Granted
Application number: CN201610008401.0A
Other languages: Chinese (zh)
Other versions: CN105681031B
Inventor: 肖程
Current Assignee: China Electronics Technology Network Security Technology Co ltd
Original Assignee: Chengdu Westone Information Industry Inc
Application filed by Chengdu Westone Information Industry Inc
Priority to CN201610008401.0A
Publication of CN105681031A
Application granted
Publication of CN105681031B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a storage encryption gateway key management system and method, and relates to the technical field of network security. The system comprises a key management center and a storage encryption gateway; the key management center manages the whole life cycle of the keys in the whole system, including generation, allocation, updating, destruction and recovery of the keys; and the storage encryption gateway encrypts and decrypts data and connects the data communication between a front-end server and a storage device. Aiming at the disadvantages of current storage encryption gateway management systems, in which the life-cycle management of keys is incomplete, encrypted data is easily cracked and security is low, the invention provides an improved system and method which effectively enhance the functionality and security of the storage encryption gateway management system.

Description

Storage encryption gateway key management system and method
Technical field
The present invention relates to the technical field of network security, and in particular to a storage encryption gateway key management system and method.
Background technology
A gateway, also called an inter-network connector or protocol converter, is the most complex network interconnection device; it implements network interconnection above the network layer and is used only to interconnect two networks whose upper-layer protocols differ. A storage encryption gateway may be used for wide-area-network interconnection as well as for local-area-network interconnection. A gateway is a computer system or device that performs the task of conversion: between two systems that use different communication protocols, data formats or languages, or even entirely different architectures, the gateway acts as a translator. Unlike a bridge, which simply forwards information, a gateway repackages the information it receives to fit the requirements of the destination system.
Key management is mainly responsible for managing the keys in the whole encryption system, covering every aspect from the generation of a key to its destruction. It is chiefly embodied in the management system, the management protocols, and the generation, distribution, replacement and injection of keys. The detailed process generally comprises key generation, key distribution, key verification, key update, key storage, key backup and key destruction.
CBC (cipher block chaining) mode means that, when encrypting, each plaintext block is first XORed with the previous ciphertext block and then encrypted. In this mode each ciphertext block depends on all the plaintext blocks before it. To guarantee the uniqueness of every message, an initialization vector is used for the first block.
ECB (electronic codebook) mode is the most basic mode of operation of a block cipher. In this mode the information to be processed is divided into packets of suitable size, and each packet is encrypted or decrypted independently.
As informatization continues to advance, all industries, enterprises and institutions increasingly use computer systems and computer network technology to store and process key business data. Various data storage devices are concentrated in data-center machine rooms and provide data storage services for the front-end application servers of many kinds of services, and with the spread of cloud computing and big-data services the volume of data stored in data centers will grow geometrically. Under current technical conditions, data storage relies primarily on network storage devices typified by disk arrays, and the data itself, having no protective measures while in use, is exposed to great data security risk.
Existing key management systems, moreover, have relatively simple functions and do not manage the whole life cycle of a key, so that certain situations cannot be handled and data cannot be decrypted or encryption fails. In addition, many existing key management systems encrypt and decrypt with algorithms developed abroad, which casts doubt on system security; during encryption the client application also has to participate, which increases the client's load. Furthermore, identical plaintext data blocks yield identical ciphertext when encrypted, which makes reverse decoding easy and lowers the security of the system.
Summary of the invention
In view of this, the invention provides a storage encryption gateway key management system and method; data encrypted by this system and method are very difficult to crack and are more secure, and the whole key life cycle is completely managed.
The technical solution adopted by the present invention is as follows:
A storage encryption gateway key management system, characterized in that the system comprises a key management center (KMC), a storage encryption gateway, a front-end application server and a storage device;
The key management center is used to generate keys and send the generated keys to the storage encryption gateway; to detect whether the keys in the system have expired and, if a key has expired, to send a key update instruction and a new key to the storage encryption gateway so that the key is updated; to receive key destruction requests from the storage encryption gateway, destroy the keys and store the destroyed keys in a history key storage area; and, after the storage encryption gateway has lost its keys, to receive the storage encryption gateway's key recovery request and send the keys to the storage encryption gateway again;
The storage encryption gateway is used to receive the keys generated by the key management center and use them to encrypt and decrypt the data sent by the front-end application server; to receive key update instructions from the key management center and update the keys; after deleting keys, to notify the key management center to destroy them; and to connect the data communication between the front-end application server and the storage device.
The key management center comprises a central data communication module, a key generation module, a key update module, a key destruction module, a history key storage module and a key backup and recovery module;
The central data communication module receives data and requests from the storage encryption gateway and sends keys and instructions to the storage encryption gateway. The key generation module generates the equipment master key MK, the data protection key KEK and the data encryption keys DEK. The key update module detects whether the data protection key KEK in the system has expired and, if the data protection key KEK has expired, sends a key update instruction and a new data protection key KEK to the storage encryption gateway. The key destruction module destroys the data protection key KEK and data encryption keys DEK in the system according to a key destruction request from the storage encryption gateway, and stores the destroyed data protection key KEK and data encryption keys DEK in the history key storage module. The history key storage module backs up the keys generated and sent to the storage encryption gateway and keeps a record of the destroyed keys. The key backup and recovery module, after the storage encryption gateway has lost its keys, retrieves the backed-up keys from the history key storage module according to the storage encryption gateway's key recovery request and sends them to the storage encryption gateway again.
The storage encryption gateway comprises a gateway data communication module, an encryption/decryption module, a key update module and a file system creation/deletion module;
The gateway data communication module connects the data communication between the front-end application server and the storage device, receiving data from the front-end application server and receiving data from the storage device; it receives keys and instructions from the key management center and sends data and requests to the key management center. The encryption/decryption module encrypts the data passed in by the front-end application server and decrypts the data obtained from the storage device. The key update module updates the keys according to the key update instruction and the new data protection key KEK sent by the key management center. The file system creation/deletion module sends a command to the storage device to delete a file system according to a request from the front-end application server, and destroys the data protection key KEK and data encryption keys DEK.
A method based on the storage encryption gateway key management system of any one of claims 1 to 3, characterized in that the method comprises the following specific steps:
Step 1: the system is initialized; after it has started successfully, the storage encryption gateway registers with the key management center, and after registration succeeds the key management center generates the equipment master key MK and sends it to the storage encryption gateway;
Step 2: when the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; after receiving the application, the key management center generates one data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway;
Step 3: the storage encryption gateway generates the initialization vector for CBC mode encryption;
Step 4: the storage encryption gateway receives data from the front-end application server and encrypts it, using the data encryption key DEK in CBC mode;
Step 5: the storage encryption gateway delivers the encrypted data block to the storage device and, when writing to the storage device, generates an encrypted data block identifier; the one-to-one correspondence between the data encryption key DEK used for each data block and its encrypted data block identifier is stored in the storage device, forming a key chain;
Step 6: the encrypted data block identifier is hashed to obtain a virtual number, and the last byte of the virtual number is taken as the BucketId; the data encryption keys DEK correspond one-to-one with BucketIds;
Step 7: after receiving a request from the front-end application server to obtain data, the storage encryption gateway obtains the corresponding data block stored in the storage device; because the BucketId differs between data blocks, it can find which DEK was used at encryption; the storage encryption gateway first decrypts with the equipment master key MK, then with the data protection key KEK, and finally decrypts in CBC mode with the data encryption key DEK;
Step 8: when the key management center detects that the data protection key KEK in the system has expired, it sends a key update request and the newly generated data protection key KEK to the storage encryption gateway;
Step 9: after deleting a file system, the storage encryption gateway destroys the data protection key KEK and data encryption keys DEK and then sends a request to the key management center; after receiving this request, the key management center stores the destroyed keys in the history key storage module;
Step 10: after the storage encryption gateway has lost its keys, it sends a key recovery request to the key management center; after receiving this request, the key management center retrieves the backed-up keys from the history key storage module and sends them to the storage encryption gateway again.
The data protection key KEK and the equipment master key MK may encrypt in CBC mode or in ECB mode; the data encryption key DEK may only encrypt in CBC mode.
The initialization vector of the CBC encryption mode is generated as follows: the storage encryption gateway reads the virtual data block number and the LUN from the initialized storage device and appends the LUN after the virtual data block number to synthesize 16 bytes of data; if the synthesized data is longer than 16 bytes, the part beyond 16 bytes after the LUN is removed; if it is shorter than 16 bytes, the missing bit length is appended to make it up; if the synthesized information is 14 bytes long, 0x1010 is appended to make up 16 bytes; the synthesized data is then encrypted with the DEK, and the encrypted data is the initialization vector of the CBC encryption mode.
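As an added worked example (not code from the patent or its assignee), the following Python sketch runs steps 2 to 8 of the method above end to end: the 16-byte IV material built from the virtual block number and LUN, the hash-derived BucketId that selects one of the 256 DEKs, DEK encryption in CBC mode wrapped first by the KEK and then by the MK in either CBC or ECB mode, the read path that peels the layers in reverse, and the re-wrap performed when the KEK expires. Everything not on the page is an assumption of this example: the block cipher is a stand-in Feistel construction over HMAC-SHA256 in place of the unnamed "domestic algorithm", the hash is SHA-256, the pad bytes are read as carrying the missing bit length (the page's own 14-byte case, padded with 0x1010, is consistent with that reading), the outer CBC layers reuse the derived IV, and all function names are the example's own.

```python
"""Constructed walk-through of the scheme: IV synthesis, BucketId -> DEK
selection, DEK-CBC encryption wrapped by KEK and MK, and KEK rotation."""
import hashlib
import hmac
import secrets

BLOCK = 16  # 128-bit blocks and IVs, as in the patent

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in block cipher (ASSUMPTION): the page only says "domestic algorithm".
# A 4-round Feistel network with HMAC-SHA256 as round function is a genuine
# keyed 128-bit permutation that runs with the standard library; the deployed
# cipher would replace block_encrypt/block_decrypt and nothing else.
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def ecb(key, data, decrypt=False):
    op = block_decrypt if decrypt else block_encrypt
    return b"".join(op(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))  # chain on ciphertext
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def iv_material(virtual_block_no, lun):
    """virtual block number || LUN fitted to 16 bytes: excess after the LUN is
    cut, a short value is padded with the missing bit length.  ASSUMPTION: each
    pad byte holds the number of missing bits, which reproduces the page's own
    case (14 bytes -> append 0x10 0x10, i.e. 16 missing bits)."""
    m = (virtual_block_no + lun)[:BLOCK]
    missing_bits = (BLOCK - len(m)) * 8
    return m + bytes([missing_bits]) * (BLOCK - len(m))

def derive_iv(dek, virtual_block_no, lun):
    return block_encrypt(dek, iv_material(virtual_block_no, lun))  # IV = E_DEK(material)

def bucket_id(block_id):
    # ASSUMPTION: the hash function is unnamed on the page; SHA-256 is used here.
    return hashlib.sha256(block_id).digest()[-1]  # last byte -> one of 256 DEKs

def issue_keys():
    """KMC side: MK at registration, one KEK and 256 DEKs per new file system."""
    deks = [secrets.token_bytes(16) for _ in range(256)]
    return secrets.token_bytes(16), secrets.token_bytes(16), deks

def encrypt_block(mk, kek, deks, block_id, vbn, lun, plaintext, outer="cbc"):
    """Gateway write path; outer is 'cbc' or 'ecb' for the KEK and MK layers.
    ASSUMPTION: the page gives no IV for the outer CBC layers, so the derived IV is reused."""
    dek = deks[bucket_id(block_id)]
    iv = derive_iv(dek, vbn, lun)
    c = cbc_encrypt(dek, iv, plaintext)              # DEK layer: CBC only
    for k in (kek, mk):                              # then KEK, then MK
        c = cbc_encrypt(k, iv, c) if outer == "cbc" else ecb(k, c)
    return c

def decrypt_block(mk, kek, deks, block_id, vbn, lun, ciphertext, outer="cbc"):
    """Gateway read path: same block_id -> same BucketId -> same DEK; peel MK, KEK, DEK."""
    dek = deks[bucket_id(block_id)]
    iv = derive_iv(dek, vbn, lun)
    c = ciphertext
    for k in (mk, kek):
        c = cbc_decrypt(k, iv, c) if outer == "cbc" else ecb(k, c, decrypt=True)
    return cbc_decrypt(dek, iv, c)

def rotate_kek(mk, old_kek, new_kek, deks, block_id, vbn, lun, stored, outer="cbc"):
    """KEK expiry: unwrap under the old KEK and re-wrap under the new one."""
    data = decrypt_block(mk, old_kek, deks, block_id, vbn, lun, stored, outer)
    return encrypt_block(mk, new_kek, deks, block_id, vbn, lun, data, outer)
```

Because the IV is a deterministic function of the virtual block number and LUN under the DEK, the gateway never has to store it and simply recomputes it on read; the same plaintext written to two different block positions encrypts to different ciphertext, which is the property the background section asks for, while the same plaintext rewritten to the same position produces the same ciphertext. The read path also depends on recovering the encrypted block identifier, which is why the key chain recording the identifier-to-DEK correspondence has to survive alongside the data.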
Adopting the above technical scheme, the present invention produces the following beneficial effects:
1. Key life-cycle management: the whole system manages the complete life cycle of keys and can calmly handle the various problems encountered during system operation. A complete key backup mechanism guarantees that keys are recoverable. If keys in the key management system or in the storage encryption gateway are lost, a corresponding mechanism or medium can recover them, ensuring that the system runs normally and effectively preventing problems such as data that cannot be decrypted or encryption that fails.
2. Domestic algorithms: encrypting and decrypting data with domestic algorithms improves the security of the system to the greatest extent and stops intrusion into the system through backdoors and vulnerabilities.
3. Transparent encryption and decryption of data blocks: the client application takes no part in the whole encryption and decryption process, which effectively reduces the client's operating load and improves the client's fluency.
4. Random initial vector: during system initialization each LUN data block contains a large amount of identical data; adding a random initial vector and encrypting in CBC mode guarantees that identical plaintext data blocks encrypt to different ciphertext, preventing reverse decoding when there is too much sample data and effectively improving the security of the system.
Description of the drawings
Fig. 1 is a schematic structural diagram of a storage encryption gateway key management system of the present invention.
Fig. 2 is a schematic structural diagram of the key management center of a storage encryption gateway key management system of the present invention.
Fig. 3 is a schematic structural diagram of the storage encryption gateway of a storage encryption gateway key management system of the present invention.
Fig. 4 is a schematic structural diagram of the key chain of a storage encryption gateway key management method of the present invention.
Detailed description of the invention
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except for features and/or steps that are mutually exclusive.
Any feature disclosed in this specification (including any accompanying claims and the abstract) may, unless specifically stated otherwise, be replaced by an alternative feature that is equivalent or serves a similar purpose. That is, unless specifically stated otherwise, each feature is merely one example of a series of equivalent or similar features.
Embodiment 1 of the present invention provides a storage encryption gateway key management system and method whose system structure is shown in Fig. 1; the specific steps are as follows:
Step 1: the storage device, the storage encryption gateway, the key management center and the front-end application server are connected together so that the system is completely built.
Step 2: the system is initialized; after it has started successfully, the storage encryption gateway registers with the key management center, and after registration succeeds the key management center generates the equipment master key MK and sends it to the storage encryption gateway.
Step 3: when the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; after receiving the application, the key management center generates one data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway.
Step 4: the storage encryption gateway reads the virtual data block number and the LUN from the initialized storage device and appends the LUN after the virtual data block number to synthesize 16 bytes of data; if the synthesized data is longer than 16 bytes, the part beyond 16 bytes after the LUN is removed; if it is shorter than 16 bytes, the missing bit length is appended to make it up; if the synthesized information is 14 bytes long, 0x1010 is appended to make up 16 bytes; the synthesized data is then encrypted with the DEK, and the encrypted result serves as the initialization vector for CBC mode encryption.
Step 5: the storage encryption gateway receives data from the front-end application server and encrypts it: the data is first encrypted in CBC mode with a data encryption key DEK, different DEKs being used according to the differing last byte of each data block; it is then encrypted with the data protection key KEK and finally with the equipment master key MK.
Step 6: the storage encryption gateway delivers the encrypted data block to the storage device and, when writing to the storage device, generates an encrypted data block identifier; the one-to-one correspondence between the data encryption key DEK used for each data block and its encrypted data block identifier is stored in the storage device, forming a key chain.
Step 7: the encrypted data block identifier is hashed to obtain a virtual number, and the last byte of the virtual number is taken as the BucketId; the data encryption keys DEK correspond one-to-one with BucketIds.
Step 8: after receiving a request from the front-end application server to obtain data, the storage encryption gateway obtains the corresponding data block stored in the storage device; because the BucketId differs between data blocks, it can find which DEK was used at encryption; the storage encryption gateway first decrypts with the equipment master key MK, then decrypts with the data protection key KEK, and finally decrypts in CBC mode with the data encryption key DEK to obtain the decrypted data.
Embodiment 2 of the present invention provides a storage encryption gateway key management system and method whose system structure is shown in Fig. 1; the specific steps are as follows:
Step 1: the storage device, the storage encryption gateway, the key management center and the front-end application server are connected together so that the system is completely built.
Step 2: the system is initialized; after it has started successfully, the storage encryption gateway registers with the key management center, and after registration succeeds the key management center generates the equipment master key MK and sends it to the storage encryption gateway.
Step 3: when the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; after receiving the application, the key management center generates one data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway.
Step 4: the storage encryption gateway reads the virtual data block number and the LUN from the initialized storage device and appends the LUN after the virtual data block number to synthesize 16 bytes of data; if the synthesized data is longer than 16 bytes, the part beyond 16 bytes after the LUN is removed; if it is shorter than 16 bytes, the missing bit length is appended to make it up; if the synthesized information is 14 bytes long, 0x1010 is appended to make up 16 bytes; the synthesized data is then encrypted with the DEK, and the encrypted result serves as the initialization vector for CBC mode encryption.
Step 5: the storage encryption gateway receives data from the front-end application server and encrypts it: the data is first encrypted in CBC mode with a data encryption key DEK, different DEKs being used according to the differing last byte of each data block; it is then encrypted in CBC mode with the data protection key KEK and then in CBC mode with the equipment master key MK; the third-layer encrypted data block is delivered to the storage device.
Step 6: the storage encryption gateway delivers the encrypted data block to the storage device and, when writing to the storage device, generates an encrypted data block identifier; the one-to-one correspondence between the data encryption key DEK used for each data block and its encrypted data block identifier is stored in the storage device, forming a key chain.
Step 7: the encrypted data block identifier is hashed to obtain a virtual number, and the last byte of the virtual number is taken as the BucketId; the data encryption keys DEK correspond one-to-one with BucketIds.
Step 8: after receiving a request from the front-end application server to obtain data, the storage encryption gateway obtains the corresponding data block stored in the storage device; because the BucketId differs between data blocks, it can find which DEK was used at encryption; the storage encryption gateway first decrypts in CBC mode with the equipment master key MK, then decrypts in CBC mode with the data protection key KEK, and finally decrypts in CBC mode with the data encryption key DEK.
Step 9: when the key management center detects that the data protection key KEK in the system has expired, it sends a key update request and the newly generated data protection key KEK to the storage encryption gateway; the storage encryption gateway first decrypts the information that was encrypted in CBC mode with this data protection key KEK to obtain the decrypted information, then encrypts it in CBC mode with the data encryption key DEK, then in CBC mode with the new data protection key KEK, and then in CBC mode with the equipment master key MK.
Embodiment 3 of the present invention provides a storage encryption gateway key management system and method whose system structure is shown in Fig. 1; the specific steps are as follows:
Step 1: the storage device, the storage encryption gateway, the key management center and the front-end application server are connected together so that the system is completely built.
Step 2: the system is initialized; after it has started successfully, the storage encryption gateway registers with the key management center, and after registration succeeds the key management center generates the equipment master key MK and sends it to the storage encryption gateway;
Step 3: when the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; after receiving the application, the key management center generates one data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway;
Step 4: the storage encryption gateway reads the virtual data block number and the LUN from the initialized storage device and appends the LUN after the virtual data block number to synthesize 16 bytes of data; if the synthesized data is longer than 16 bytes, the part beyond 16 bytes after the LUN is removed; if it is shorter than 16 bytes, the missing bit length is appended to make it up; if the synthesized information is 14 bytes long, 0x1010 is appended to make up 16 bytes; the synthesized data is then encrypted with the DEK, and the encrypted result serves as the initialization vector for CBC mode encryption;
Step 5: the storage encryption gateway receives data from the front-end application server and encrypts it: the data is first encrypted in CBC mode with a data encryption key DEK, different DEKs being used according to the differing last byte of each data block; it is then encrypted in ECB mode with the data protection key KEK and then in ECB mode with the equipment master key MK.
Step 6: the storage encryption gateway delivers the encrypted data block to the storage device and, when writing to the storage device, generates an encrypted data block identifier; the one-to-one correspondence between the data encryption key DEK used for each data block and its encrypted data block identifier is stored in the storage device, forming a key chain;
Step 7: the encrypted data block identifier is hashed to obtain a virtual number, and the last byte of the virtual number is taken as the BucketId; the data encryption keys DEK correspond one-to-one with BucketIds;
Step 8: after receiving a request from the front-end application server to obtain data, the storage encryption gateway obtains the corresponding data block stored in the storage device; because the BucketId differs between data blocks, it can find which DEK was used at encryption; the storage encryption gateway first decrypts in ECB mode with the equipment master key MK, then decrypts in ECB mode with the data protection key KEK, and finally decrypts in CBC mode with the data encryption key DEK to obtain the decrypted data; the decrypted data is sent to the front-end application server;
Step 9: after deleting a file system, the storage encryption gateway destroys the data protection key KEK and data encryption keys DEK and then sends a request to the key management center; after receiving this request, the key management center stores the destroyed keys in the history key storage module.
Embodiment 4 of the present invention provides a storage encryption gateway key management system and method whose system structure is shown in Fig. 1; the specific steps are as follows:
Step 1: the storage device, the storage encryption gateway, the key management center and the front-end application server are connected together so that the system is completely built.
Step 2: the system is initialized; after it has started successfully, the storage encryption gateway registers with the key management center, and after registration succeeds the key management center generates the equipment master key MK and sends it to the storage encryption gateway;
Step 3: when the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; after receiving the application, the key management center generates one data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway;
Step 4: the storage encryption gateway reads the virtual data block number and the LUN from the initialized storage device and appends the LUN after the virtual data block number to synthesize 16 bytes of data; if the synthesized data is longer than 16 bytes, the part beyond 16 bytes after the LUN is removed; if it is shorter than 16 bytes, the missing bit length is appended to make it up; if the synthesized information is 14 bytes long, 0x1010 is appended to make up 16 bytes; the synthesized data is then encrypted with the DEK, and the encrypted result serves as the initialization vector for CBC mode encryption.
Step 5: the storage encryption gateway receives data from the front-end application server and encrypts it with the encryption module: the data is first encrypted in CBC mode with a data encryption key DEK, different DEKs being used according to the differing last byte of each data block; it is then encrypted in ECB mode with the data protection key KEK and then in ECB mode with the equipment master key MK; the encrypted data block is delivered to the storage device.
Step 6: the storage encryption gateway delivers the encrypted data block to the storage device and, when writing to the storage device, generates an encrypted data block identifier; the one-to-one correspondence between the data encryption key DEK used for each data block and its encrypted data block identifier is stored in the storage device, forming a key chain.
Step 7: the encrypted data block identifier is hashed to obtain a virtual number, and the last byte of the virtual number is taken as the BucketId; the data encryption keys DEK correspond one-to-one with BucketIds.
Step 8: after receiving a request from the front-end application server to obtain data, the storage encryption gateway obtains the corresponding data block stored in the storage device; because the BucketId differs between data blocks, it can find which DEK was used at encryption; the storage encryption gateway first decrypts in ECB mode with the equipment master key MK, then decrypts in ECB mode with the data protection key KEK, and finally decrypts in CBC mode with the data encryption key DEK to obtain the decrypted data.
Step 9: after the storage encryption gateway has lost its keys, it sends a key recovery request to the key management center; after receiving this request, the key management center retrieves the backed-up keys from the history key storage module and sends them to the storage encryption gateway again.
The invention is not limited to the foregoing specific embodiments. The present invention extends to any new feature or any new combination disclosed in this specification, and to any step of any new method or process disclosed, or any new combination thereof.

Claims (6)

1. A storage encryption gateway key management system, characterized in that the system includes a KMC and a storage encryption gateway;
The KMC is used to generate keys and send the generated keys to the storage encryption gateway; to detect whether a key in the system has expired and, if it has, to send a key update instruction and a new key to the storage encryption gateway to carry out the key update; to receive key destruction requests from the storage encryption gateway, destroy the key and store the destroyed key in the history key storage area; and, after the storage encryption gateway's keys are lost, to receive the storage encryption gateway's key recovery request and send the keys to the storage encryption gateway again;
The storage encryption gateway is used to receive the keys generated by the KMC and use them to encrypt and decrypt the data sent by the front end application server; to receive the KMC's key update instruction and carry out the key update; after deleting a key, to notify the KMC to carry out the key destruction; and to connect the data communication between the front end application server and the storage device.
2. The storage encryption gateway key management system as claimed in claim 1, characterized in that the KMC includes a central data communication module, a key generation module, a key update module, a key destruction module, a history key storage block and a key backup and recovery module;
The central data communication module is used to receive data and requests from the storage encryption gateway and to send keys and instructions to the storage encryption gateway; the key generation module is used to generate the equipment master key MK, the data protection key KEK and the data encryption keys DEK; the key update module is used to detect whether the data protection key KEK in the system has expired and, if it has, to send a key update instruction and a new data protection key KEK to the storage encryption gateway; the key destruction module is used to destroy the data protection key KEK and data encryption keys DEK in the system according to a key destruction request from the storage encryption gateway, and to store the destroyed data protection key KEK and data encryption keys DEK in the history key storage block; the history key storage block is used to back up the keys generated and sent to the storage encryption gateway and to keep a record of destroyed keys; the key backup and recovery module is used, after the storage encryption gateway's keys are lost, to obtain the backed-up keys from the history key storage block according to the storage encryption gateway's key recovery request and to send them to the storage encryption gateway again.
3. The storage encryption gateway key management system as claimed in claim 1, characterized in that the storage encryption gateway includes a gateway data communication module, an encryption/decryption module, a key update module and a file system creation/deletion module;
The gateway data communication module is used to connect the data communication between the front end application server and the storage device, receiving data from the front end application server and receiving data from the storage device; it receives keys and instructions from the KMC and sends data and requests to the KMC; the encryption/decryption module is used to encrypt the data passed over by the front end application server and to decrypt the data obtained from the storage device; the key update module carries out the key update according to the key update instruction and the new data protection key KEK sent by the KMC; the file system creation/deletion module sends a command to the storage device to delete a file system according to a request from the front end application server, and destroys the data protection key KEK and data encryption keys DEK.
4. A method based on the storage encryption gateway key management system of any one of claims 1 to 3, characterized in that the method specifically comprises the following steps:
Step 1: the system is initialized; after it starts successfully, the storage encryption gateway registers with the KMC, and after registration succeeds the KMC generates the equipment master key MK and sends it to the storage encryption gateway;
Step 2: when the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; after the KMC receives the request, it generates 1 data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway;
Step 3: the storage encryption gateway generates the initialization vector for CBC mode encryption;
Step 4: the storage encryption gateway receives data from the front end application server and encrypts it; the data is encrypted in CBC mode with a data encryption key DEK;
Step 5: the storage encryption gateway delivers the encrypted data block to the storage device and, when writing it, generates an encrypted data block identifier; the data encryption key DEK used for that data block is stored in the storage device in a one-to-one relation with the corresponding encrypted data block identifier, forming a key chain;
Step 6: a hash operation is performed on the encrypted data block identifier to obtain a virtual number, and the last byte of the virtual number is taken as the BucketId; data encryption keys DEK correspond one-to-one with BucketIds;
Step 7: after the storage encryption gateway receives a request from the front end application server to obtain data, it obtains the corresponding data block stored in the storage device; because different data blocks carry different BucketIds, it can find which DEK was used at encryption time; the storage encryption gateway first decrypts with the equipment master key MK, then decrypts with the data protection key KEK, and finally decrypts in CBC mode with the data encryption key DEK;
Step 8: when the KMC detects that the data protection key KEK in the system has expired, it sends a key update request and the newly generated data protection key KEK to the storage encryption gateway;
Step 9: after deleting a file system, the storage encryption gateway destroys the data protection key KEK and data encryption keys DEK and then sends a request to the KMC; after receiving the request, the KMC stores the destroyed keys in the history key storage block;
Step 10: after the storage encryption gateway loses its keys, it sends a key recovery request to the KMC; after receiving the request, the KMC obtains the backed-up keys from the history key storage block and sends them to the storage encryption gateway again.
5. The method based on the storage encryption gateway key management system of any one of claims 1 to 3 as claimed in claim 4, characterized in that the data protection key KEK and the equipment master key MK may encrypt in CBC mode or in ECB mode, while the data encryption key DEK may only encrypt in CBC mode.
6. The method based on the storage encryption gateway key management system of any one of claims 1 to 3 as claimed in claim 4, characterized in that the initialization vector for CBC encryption mode is generated as follows: the storage encryption gateway reads the virtual data block number and the LUN from the initialized storage device and appends the LUN after the virtual data block number to form 16 bytes of data; if the combined data is longer than 16 bytes, the part beyond 16 bytes after the LUN is removed; if the combined data is shorter than 16 bytes, it is padded at the end with the missing length; if the combined data is 14 bytes long, 0X1010 is appended to make up 16 bytes; the combined data is then encrypted with the DEK, and the encrypted result is the initialization vector for CBC encryption mode.
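Steps 4, 5, 7 and 8 of the embodiment above and claims 4 to 6 describe the IV derivation, the BucketId lookup and the DEK-then-KEK-then-MK layering. The Go program below is an added example and is not the patent's own code; it assumes AES-128 as the unnamed 16-byte block cipher, SHA-256 as the unnamed hash, and 0x10 as the padding byte implied by the page's 0X1010 case.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/sha256")

// AES-128 stands in for the page's unnamed 16-byte block cipher (assumption).
func mustCipher(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// ecb runs one raw block operation (Encrypt or Decrypt) over every 16-byte
// block of buf in place; Go's standard library has no ECB mode.
func ecb(op func(dst, src []byte), buf []byte) {
	for i := 0; i+aes.BlockSize <= len(buf); i += aes.BlockSize {
		op(buf[i:i+aes.BlockSize], buf[i:i+aes.BlockSize])
	}
}

// DeriveIV follows step 4: blockNo||LUN is cut to 16 bytes or padded to 16
// with 0x10 bytes (the page's 14-byte case appends 0X1010), then encrypted
// once under the DEK; the result is the CBC initialization vector.
func DeriveIV(blockNo, lun, dek []byte) []byte {
	iv := append(append([]byte{}, blockNo...), lun...)
	if len(iv) > aes.BlockSize {
		iv = iv[:aes.BlockSize]
	}
	for len(iv) < aes.BlockSize {
		iv = append(iv, 0x10)
	}
	ecb(mustCipher(dek).Encrypt, iv)
	return iv
}

// BucketID follows step 7: hash the encrypted-block identifier and keep the
// last byte, which indexes one of the 256 DEKs. SHA-256 is assumed here.
func BucketID(blockID []byte) byte {
	sum := sha256.Sum256(blockID)
	return sum[len(sum)-1]
}

// Seal follows step 5: CBC under the DEK, then ECB under the KEK, then ECB
// under the MK. pt must already be a whole number of 16-byte blocks.
func Seal(dek, kek, mk, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(mustCipher(dek), iv).CryptBlocks(ct, pt)
	ecb(mustCipher(kek).Encrypt, ct)
	ecb(mustCipher(mk).Encrypt, ct)
	return ct
}

// Open follows step 8: peel MK, then KEK, then CBC-decrypt under the DEK.
func Open(dek, kek, mk, iv, ct []byte) []byte {
	pt := append([]byte{}, ct...)
	ecb(mustCipher(mk).Decrypt, pt)
	ecb(mustCipher(kek).Decrypt, pt)
	cipher.NewCBCDecrypter(mustCipher(dek), iv).CryptBlocks(pt, pt)
	return pt
}
```

The caller selects `deks[BucketID(id)]` from its 256 DEKs before calling Open, so a block can only be recovered with the DEK recorded in the key chain plus the current KEK and MK.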
CN201610008401.0A 2016-01-08 2016-01-08 A kind of storage encryption gateway key management system and method Active CN105681031B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610008401.0A CN105681031B (en) 2016-01-08 2016-01-08 A kind of storage encryption gateway key management system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610008401.0A CN105681031B (en) 2016-01-08 2016-01-08 A kind of storage encryption gateway key management system and method

Publications (2)

Publication Number Publication Date
CN105681031A true CN105681031A (en) 2016-06-15
CN105681031B CN105681031B (en) 2018-12-21

Family

ID=56299237

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610008401.0A Active CN105681031B (en) 2016-01-08 2016-01-08 A kind of storage encryption gateway key management system and method

Country Status (1)

Country Link
CN (1) CN105681031B (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106060084A (en) * 2016-07-18 2016-10-26 青岛大学 Transparent file encryption technology
CN106411715A (en) * 2016-11-02 2017-02-15 中国人民公安大学 Cloud-based secure instant messaging method and system
CN106790697A (en) * 2017-02-20 2017-05-31 深圳市中博睿存信息技术有限公司 Safe Realization of Storing and device
CN107944255A (en) * 2016-10-13 2018-04-20 深圳市图灵奇点智能科技有限公司 A kind of key management method towards block chain
CN108174151A (en) * 2017-12-27 2018-06-15 北京计算机技术及应用研究所 Video monitoring system and control method, the call method of video information
CN108206820A (en) * 2016-12-20 2018-06-26 扬智科技股份有限公司 The decryption method of the network equipment and its transport stream package
CN110351082A (en) * 2019-07-12 2019-10-18 上海瀚银信息技术有限公司 A kind of key management system
CN111147430A (en) * 2018-11-06 2020-05-12 中移(杭州)信息技术有限公司 Encryption method and device applied to intelligent home gateway
CN111625843A (en) * 2019-07-23 2020-09-04 方盈金泰科技(北京)有限公司 Data transparent encryption and decryption system suitable for big data platform
CN112800439A (en) * 2020-12-02 2021-05-14 中国电子科技集团公司第三十研究所 Key management protocol design method and system for secure storage
CN114124373A (en) * 2021-11-02 2022-03-01 广东省通信产业服务有限公司 Video key management method and system for automatic backup and recovery
CN117014143A (en) * 2023-10-07 2023-11-07 北京数盾信息科技有限公司 Key distribution method, system and equipment of load encryption gateway equipment
CN117221878A (en) * 2023-09-22 2023-12-12 深圳市神州共赢信息技术有限公司 Information security control method and device based on wireless network equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070130084A1 (en) * 2005-12-06 2007-06-07 Microsoft Corporation Key Distribution For Secure Messaging
CN101635924A (en) * 2009-08-27 2010-01-27 成都卫士通信息产业股份有限公司 CDMA port-to-port encryption communication system and key distribution method thereof
CN105119719A (en) * 2015-10-16 2015-12-02 成都卫士通信息产业股份有限公司 Key management method of secure storage system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
黄容: "FC加密存储交换机的密钥管理系统的研究与设计", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106060084A (en) * 2016-07-18 2016-10-26 青岛大学 Transparent file encryption technology
CN107944255B (en) * 2016-10-13 2020-08-04 深圳市图灵奇点智能科技有限公司 Block chain-oriented key management method
CN107944255A (en) * 2016-10-13 2018-04-20 深圳市图灵奇点智能科技有限公司 A kind of key management method towards block chain
CN106411715A (en) * 2016-11-02 2017-02-15 中国人民公安大学 Cloud-based secure instant messaging method and system
CN108206820A (en) * 2016-12-20 2018-06-26 扬智科技股份有限公司 The decryption method of the network equipment and its transport stream package
CN106790697A (en) * 2017-02-20 2017-05-31 深圳市中博睿存信息技术有限公司 Safe Realization of Storing and device
CN108174151A (en) * 2017-12-27 2018-06-15 北京计算机技术及应用研究所 Video monitoring system and control method, the call method of video information
CN111147430A (en) * 2018-11-06 2020-05-12 中移(杭州)信息技术有限公司 Encryption method and device applied to intelligent home gateway
CN110351082A (en) * 2019-07-12 2019-10-18 上海瀚银信息技术有限公司 A kind of key management system
CN111625843A (en) * 2019-07-23 2020-09-04 方盈金泰科技(北京)有限公司 Data transparent encryption and decryption system suitable for big data platform
CN112800439A (en) * 2020-12-02 2021-05-14 中国电子科技集团公司第三十研究所 Key management protocol design method and system for secure storage
CN114124373A (en) * 2021-11-02 2022-03-01 广东省通信产业服务有限公司 Video key management method and system for automatic backup and recovery
CN117221878A (en) * 2023-09-22 2023-12-12 深圳市神州共赢信息技术有限公司 Information security control method and device based on wireless network equipment
CN117221878B (en) * 2023-09-22 2024-05-28 深圳市神州共赢信息技术有限公司 Information security control method and device based on wireless network equipment
CN117014143A (en) * 2023-10-07 2023-11-07 北京数盾信息科技有限公司 Key distribution method, system and equipment of load encryption gateway equipment
CN117014143B (en) * 2023-10-07 2024-01-05 北京数盾信息科技有限公司 Key distribution method, system and equipment of load encryption gateway equipment

Also Published As

Publication number Publication date
CN105681031B (en) 2018-12-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee after: China Electronics Technology Network Security Technology Co.,Ltd.

Address before: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc.
