CN105681031B - A kind of storage encryption gateway key management system and method - Google Patents
Storage encryption gateway key management system and method
Publication number: CN105681031B (application CN201610008401.0A)
Authority: CN (China)
Legal status: Active (the status listed by Google Patents is an assumption, not a legal conclusion)
Classifications
CPC classifications (all under H04L, transmission of digital information):
- H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value and securely transfers it to the other(s)
- H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0891: Revocation or update of secret information, e.g. encryption key update or rekeying
- H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The invention discloses a storage encryption gateway key management system and method in the field of network security. The system comprises a key management center and a storage encryption gateway. The key management center manages the whole life cycle of every key in the system: generation, distribution, update, destruction and recovery. The storage encryption gateway encrypts and decrypts data and carries the data traffic between the front-end application server and the storage device. Existing storage encryption gateway management systems manage only part of the key life cycle, produce ciphertext that is easily cracked, and offer low security; the proposed system and method address these shortcomings and strengthen both the functionality and the security of the storage encryption gateway management system.
Description
Technical field
The present invention relates to the field of network security, and in particular to a storage encryption gateway key management system and method.
Background art
A gateway, also called a protocol converter, interconnects networks at the network layer and above. It is the most complex kind of network interconnection device and is used only to interconnect two networks whose upper-layer protocols differ. A storage encryption gateway can serve wide area network interconnection as well as local area network interconnection. A gateway is a computer system or device that performs conversion: between two systems that use entirely different communication protocols, data formats, languages or even architectures, the gateway acts as a translator. Unlike a bridge, which simply forwards information, a gateway repackages the information it receives to suit the needs of the destination system.
Key management is responsible for every key in the encryption system, from generation to destruction. It covers the management system, the management protocol, and the generation, distribution, replacement and injection of keys. A typical process comprises key generation, key verification, key update, key distribution, key storage, key backup and key destruction.
In CBC (cipher block chaining) mode each plaintext block is XORed with the previous ciphertext block before it is encrypted, so each ciphertext block depends on all the plaintext blocks before it. To make every message unique, an initialization vector is used for the first block.
ECB (electronic codebook) mode is the most basic mode of operation of a block cipher. The data to be processed are divided into blocks of the cipher's block size, and each block is encrypted or decrypted independently.
As informatization advances, industries, enterprises and institutions store and process key business data on computer systems and computer networks more and more often. Data storage devices are concentrated in data center machine rooms and provide storage services to the front-end application servers of the various businesses; with the spread of cloud computing and big data, the volume of data held by data centers will grow geometrically. Under current technology, data storage relies mainly on disk arrays, represented by network storage devices, and the data themselves are used without any safety precautions, which is a great data security risk.
Existing key management systems have simple functions and do not manage the whole life cycle of a key, so some situations cannot be handled and data may fail to encrypt or become impossible to decrypt. In addition, most existing key management systems encrypt and decrypt with externally developed algorithms, which casts doubt on the security of the system, and the client application must take part in encryption, which adds to the client's load. Finally, identical plaintext blocks encrypt to identical ciphertext, which makes reverse decoding easy and lowers the security of the system.
Summary of the invention
In view of this, the present invention provides a storage encryption gateway key management system and method in which the encrypted data are harder to crack and therefore safer, and the whole key life cycle is fully managed.
The technical solution adopted by the invention is as follows:
A storage encryption gateway key management system, characterized in that the system comprises a key management center, a storage encryption gateway, a front-end application server and a storage device;
The key management center generates keys and sends the generated keys to the storage encryption gateway; it checks whether the keys in the system have expired and, if a key has expired, sends a key update instruction together with a new key to the storage encryption gateway so that the key is updated; it receives key destruction requests from the storage encryption gateway, destroys the keys and stores the destroyed keys in the history key storage area; and after the storage encryption gateway has lost its keys, it receives the gateway's key recovery request and sends the keys to the storage encryption gateway again;
The storage encryption gateway receives the keys generated by the key management center and uses them to encrypt and decrypt the data passed from the front-end application server; it receives the key management center's key update instruction and updates the key; after deleting a key it notifies the key management center to destroy the key; and it carries the data communication between the front-end application server and the storage device.
The key management center comprises a central data communication module, a key generation module, a key update module, a key destruction module, a history key storage area and a key backup and recovery module;
The central data communication module receives data and requests from the storage encryption gateway and sends keys and instructions to it. The key generation module generates the device master key MK, the data protection key KEK and the data encryption keys DEK. The key update module checks whether the data protection key KEK in the system has expired and, if so, sends a key update instruction and a new data protection key KEK to the storage encryption gateway. The key destruction module, on a key destruction request from the storage encryption gateway, destroys the data protection key KEK and data encryption keys DEK in the system and places the destroyed KEK and DEK in the history key storage area. The history key storage area backs up the keys that were generated and sent to the storage encryption gateway and keeps a record of destroyed keys. The key backup and recovery module, after the storage encryption gateway has lost its keys, retrieves the backed-up keys from the history key storage area on the gateway's key recovery request and resends them to the storage encryption gateway.
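The key life cycle that these modules implement (registration and MK issue, issue of 1 KEK and 256 DEKs with a backup in the history area, KEK expiry detection and update, destruction into the history key storage area, recovery from backup), as an added Go example that is not the patent's own code; the KEK validity period, the 16-byte key length, the in-memory maps and the message strings are assumptions.

```go
package main

import (
	"crypto/rand"
	"errors"
	"time"
)

// keySet is what the key management centre issues per gateway file system: one
// data protection key KEK with an expiry and 256 data encryption keys DEK.
type keySet struct {
	KEK       []byte
	KEKExpiry time.Time
	DEKs      [256][]byte
	Destroyed bool // set when the set is kept in the history area as a destroyed key
}

// keyCenter models the page's key management centre: a device master key per
// registered gateway, live key sets per file system, the history key storage
// area (backups and destroyed keys), and the instructions sent to the gateway.
type keyCenter struct {
	mk      map[string][]byte
	live    map[string]*keySet
	history map[string]*keySet
	kekTTL  time.Duration // assumption: KEK validity period, the page gives none
	sent    []string      // stand-in for the messages sent to the gateway
}

func newKeyCenter(kekTTL time.Duration) *keyCenter {
	return &keyCenter{mk: map[string][]byte{}, live: map[string]*keySet{}, history: map[string]*keySet{}, kekTTL: kekTTL}
}

// randomKey draws a 16-byte key; the key length is an assumption.
func randomKey() []byte {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// Register is step 1: the gateway registers and receives its device master key MK.
func (c *keyCenter) Register(gateway string) []byte {
	c.mk[gateway] = randomKey()
	c.sent = append(c.sent, "MK:"+gateway)
	return c.mk[gateway]
}

// Issue is step 2: a new file system gets 1 KEK and 256 DEKs; a copy is placed
// in the history area as the backup before the set is sent.
func (c *keyCenter) Issue(fsID string, now time.Time) *keySet {
	ks := &keySet{KEK: randomKey(), KEKExpiry: now.Add(c.kekTTL)}
	for i := range ks.DEKs {
		ks.DEKs[i] = randomKey()
	}
	backup := *ks
	c.live[fsID], c.history[fsID] = ks, &backup
	c.sent = append(c.sent, "KEYS:"+fsID)
	return ks
}

// CheckExpiry is step 8: each expired KEK gets a key update instruction with a
// fresh KEK; the DEKs stay and the backup follows. Returns the updated file systems.
func (c *keyCenter) CheckExpiry(now time.Time) []string {
	var updated []string
	for fsID, ks := range c.live {
		if now.Before(ks.KEKExpiry) {
			continue
		}
		ks.KEK, ks.KEKExpiry = randomKey(), now.Add(c.kekTTL)
		c.history[fsID].KEK, c.history[fsID].KEKExpiry = ks.KEK, ks.KEKExpiry
		c.sent = append(c.sent, "UPDATE-KEK:"+fsID)
		updated = append(updated, fsID)
	}
	return updated
}

// Destroy is step 9: after the gateway deletes a file system, its KEK and DEKs
// leave the live set and are recorded in the history area as destroyed.
func (c *keyCenter) Destroy(fsID string) error {
	ks, ok := c.live[fsID]
	if !ok {
		return errors.New("no live keys for " + fsID)
	}
	delete(c.live, fsID)
	ks.Destroyed = true
	c.history[fsID] = ks
	return nil
}

// Recover is step 10: a gateway that lost its keys gets the backed-up copy, but
// only while the file system is live (assumption: destroyed keys are a record only).
func (c *keyCenter) Recover(fsID string) (*keySet, error) {
	ks, ok := c.history[fsID]
	if !ok || ks.Destroyed {
		return nil, errors.New("no recoverable keys for " + fsID)
	}
	c.sent = append(c.sent, "RECOVER:"+fsID)
	return ks, nil
}
```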
The storage encryption gateway comprises a gateway data communication module, an encryption/decryption module, a key update module and a file system creation/deletion module;
The gateway data communication module connects the front-end application server and the storage device: it receives data from the front-end application server and reads data from the storage device, receives keys and instructions from the key management center, and sends data and requests to the key management center. The encryption/decryption module encrypts the data passed from the front-end application server and decrypts the data fetched from the storage device. The key update module updates the key according to the key update instruction and the new data protection key KEK sent by the key management center. The file system creation/deletion module, on request from the front-end application server, instructs the storage device to delete a file system and destroys the corresponding data protection key KEK and data encryption keys DEK.
A method based on the storage encryption gateway key management system of any of claims 1 to 3, characterized in that the method comprises the following steps:
Step 1: system initialization. After a successful start, the storage encryption gateway registers with the key management center; once registration succeeds, the key management center generates the device master key MK and sends it to the storage encryption gateway;
Step 2: when the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; on receiving the request, the key management center generates 1 data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway;
Step 3: the storage encryption gateway generates the initialization vector for CBC mode encryption;
Step 4: the storage encryption gateway receives data from the front-end application server and encrypts them in CBC mode with a data encryption key DEK;
Step 5: the storage encryption gateway transmits the encrypted data block to the storage device and, when writing it, generates an encrypted data block identifier; the one-to-one relationship between the data encryption key DEK used for each data block and the block's identifier is stored in the storage device, forming the key chain;
Step 6: a hash is computed over the encrypted data block identifier to obtain a virtual number, and the last byte of the virtual number is taken as the Bucket Id; the data encryption keys DEK are put in one-to-one correspondence with the Bucket Ids;
Step 7: on a data read request from the front-end application server, the storage encryption gateway fetches the corresponding data block from the storage device and uses the block's Bucket Id, which differs from block to block, to find which DEK was used at encryption; the storage encryption gateway first decrypts with the device master key MK, then with the data protection key KEK, and finally with the data encryption key DEK in CBC mode;
Step 8: when the key management center detects that the data protection key KEK in the system has expired, it sends a key update request together with the newly generated data protection key KEK to the storage encryption gateway;
Step 9: when the storage encryption gateway deletes a file system, it destroys the data protection key KEK and the data encryption keys DEK and then sends a request to the key management center; on receiving the request, the key management center stores the destroyed keys in the history key storage area;
Step 10: when the storage encryption gateway loses its keys, it sends a key recovery request to the key management center; on receiving the request, the key management center retrieves the backed-up keys from the history key storage area and sends them to the storage encryption gateway again.
The data protection key KEK and the device master key MK may be used for encryption in CBC mode or in ECB mode, whereas the data encryption key DEK may only be used in CBC mode.
The initialization vector for CBC mode is generated as follows: the storage encryption gateway reads the virtual data block number and the logical unit number from the initialized storage device and appends the logical unit number to the virtual data block number to form a 16-byte value. If the combined data are longer than 16 bytes, the bytes beyond the sixteenth are removed; if they are shorter than 16 bytes, the missing length is appended as padding; for example, if the combined data are 14 bytes long, 0X1010 is appended to make 16 bytes. The combined data are then encrypted with the DEK, and the encrypted result is the initialization vector for CBC mode encryption.
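The IV synthesis just described, together with the Bucket Id selection of the DEK from Steps 5 and 6 and the CBC write and read paths of a storage data block, as an added Go example (not the patent's own code): AES stands in for the unnamed domestic block cipher, SHA-256 is assumed for the hash, padding with 0x10 bytes generalises the 0X1010 example, and the block identifier, virtual block number and LUN values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// blockSize is the 16-byte block that the page's IV synthesis targets.
const blockSize = 16

// synthIVSource appends the logical unit number to the virtual data block number,
// then cuts the result to 16 bytes or pads it with 0x10 bytes to 16 bytes. The pad
// byte generalises the page's example (14 bytes -> append 0X1010): an assumption.
func synthIVSource(vbn, lun []byte) []byte {
	src := append(append([]byte{}, vbn...), lun...)
	if len(src) > blockSize {
		return src[:blockSize]
	}
	for len(src) < blockSize {
		src = append(src, 0x10)
	}
	return src
}

// deriveIV encrypts the synthesised source block once with the DEK; the result is
// the CBC initialisation vector for that data block. AES stands in for the page's
// unnamed "domestic algorithm", since Go's standard library has no SM4.
func deriveIV(dek, vbn, lun []byte) ([]byte, error) {
	blk, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, blockSize)
	blk.Encrypt(iv, synthIVSource(vbn, lun))
	return iv, nil
}

// bucketID hashes the encrypted data block identifier (the page's "virtual number")
// and keeps its last byte, which selects one of the 256 DEKs. The page does not
// name the hash function; SHA-256 is an assumption.
func bucketID(blockID []byte) byte {
	h := sha256.Sum256(blockID)
	return h[len(h)-1]
}

// genDEKs produces the 256 data encryption keys issued per file system.
func genDEKs() ([256][]byte, error) {
	var deks [256][]byte
	for i := range deks {
		deks[i] = make([]byte, blockSize)
		if _, err := rand.Read(deks[i]); err != nil {
			return deks, err
		}
	}
	return deks, nil
}

// cbc runs CBC over one storage data block. A data block is sector-sized, i.e. a
// whole number of cipher blocks, so no padding is needed; encrypt picks direction.
func cbc(dek, iv, in []byte, encrypt bool) ([]byte, error) {
	if len(in) == 0 || len(in)%blockSize != 0 {
		return nil, errors.New("data block is not a whole number of cipher blocks")
	}
	blk, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// encryptDataBlock is the write path: choose the DEK by bucket id, derive the IV,
// CBC-encrypt. It returns the ciphertext and the bucket id, which the gateway
// records against the block identifier to form the page's key chain.
func encryptDataBlock(deks [256][]byte, blockID, vbn, lun, plaintext []byte) ([]byte, byte, error) {
	b := bucketID(blockID)
	iv, err := deriveIV(deks[b], vbn, lun)
	if err != nil {
		return nil, 0, err
	}
	ct, err := cbc(deks[b], iv, plaintext, true)
	return ct, b, err
}

// decryptDataBlock is the read path: the same bucket id finds the same DEK and the
// same (virtual block number, LUN) pair reproduces the IV.
func decryptDataBlock(deks [256][]byte, blockID, vbn, lun, ciphertext []byte) ([]byte, error) {
	dek := deks[bucketID(blockID)]
	iv, err := deriveIV(dek, vbn, lun)
	if err != nil {
		return nil, err
	}
	return cbc(dek, iv, ciphertext, false)
}
```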
With the above technical scheme, the present invention has the following beneficial effects:
1. Key life cycle management: the system manages the whole life cycle of a key and can calmly cope with the various problems encountered during operation. A complete key backup mechanism guarantees that keys can be recovered: if a key is lost in the key management system or in the storage encryption gateway, a corresponding mechanism or medium restores it, so the system keeps running and problems such as data that cannot be decrypted or encryption that fails are avoided.
2. Domestic algorithm: data are encrypted and decrypted with a domestic algorithm, which raises the security of the system as far as possible and prevents intrusion through back doors and vulnerabilities.
3. Transparent encryption and decryption of data blocks: the client application takes no part in the encryption process, which reduces the client's operating load and improves its responsiveness.
4. Random initial vector: at system initialization many LUN data blocks contain identical data; adding a random initial vector to CBC mode encryption ensures that identical plaintext blocks produce different ciphertext, which prevents reverse decoding when sample data are plentiful and effectively improves the security of the system.
Description of the drawings
Fig. 1 is a structural schematic diagram of the storage encryption gateway key management system of the invention.
Fig. 2 is a structural schematic diagram of the key management center of the storage encryption gateway key management system of the invention.
Fig. 3 is a structural schematic diagram of the storage encryption gateway of the storage encryption gateway key management system of the invention.
Fig. 4 is a structural schematic diagram of the key chain of the storage encryption gateway key management method of the invention.
Detailed description of the embodiments
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except for mutually exclusive features and/or steps.
Unless specifically stated otherwise, any feature disclosed in this specification (including any accompanying claim and the abstract) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
Embodiment 1 provides a storage encryption gateway key management system and method; the system structure is as shown in Fig. 1 and the steps are as follows:
Step 1: the storage device, the storage encryption gateway, the key management center and the front-end application server are connected together, completing the build of the system.
Step 2: system initialization. After a successful start, the storage encryption gateway registers with the key management center; once registration succeeds, the key management center generates the device master key MK and sends it to the storage encryption gateway.
Step 3: when the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; on receiving the request, the key management center generates 1 data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway.
Step 4: the storage encryption gateway reads the virtual data block number and the logical unit number from the initialized storage device and appends the logical unit number to the virtual data block number to form a 16-byte value. If the combined data are longer than 16 bytes, the bytes beyond the sixteenth are removed; if they are shorter than 16 bytes, the missing length is appended as padding; for example, if the combined data are 14 bytes long, 0X1010 is appended to make 16 bytes. The combined data are then encrypted with the DEK, and the encrypted result is the initialization vector for CBC mode encryption.
Step 5: the storage encryption gateway receives data from the front-end application server and encrypts them: first with a data encryption key DEK in CBC mode, using a different DEK according to the last byte of the data block; then with the data protection key KEK; and finally with the device master key MK.
Step 6: the storage encryption gateway transmits the encrypted data block to the storage device and, when writing it, generates an encrypted data block identifier; the one-to-one relationship between the data encryption key DEK used for each data block and the block's identifier is stored in the storage device, forming the key chain.
Step 7: a hash is computed over the encrypted data block identifier to obtain a virtual number, and the last byte of the virtual number is taken as the Bucket Id; the data encryption keys DEK are put in one-to-one correspondence with the Bucket Ids.
Step 8: on a data read request from the front-end application server, the storage encryption gateway fetches the corresponding data block from the storage device and uses the block's Bucket Id, which differs from block to block, to find which DEK was used at encryption; the storage encryption gateway first decrypts with the device master key MK, then with the data protection key KEK, and finally with the data encryption key DEK in CBC mode, obtaining the decrypted data.
Embodiment 2 provides a storage encryption gateway key management system and method; the system structure is as shown in Fig. 1 and the steps are as follows:
Step 1: the storage device, the storage encryption gateway, the key management center and the front-end application server are connected together, completing the build of the system.
Step 2: system initialization. After a successful start, the storage encryption gateway registers with the key management center; once registration succeeds, the key management center generates the device master key MK and sends it to the storage encryption gateway.
Step 3: when the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; on receiving the request, the key management center generates 1 data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway.
Step 4: the storage encryption gateway reads the virtual data block number and the logical unit number from the initialized storage device and appends the logical unit number to the virtual data block number to form a 16-byte value. If the combined data are longer than 16 bytes, the bytes beyond the sixteenth are removed; if they are shorter than 16 bytes, the missing length is appended as padding; for example, if the combined data are 14 bytes long, 0X1010 is appended to make 16 bytes. The combined data are then encrypted with the DEK, and the encrypted result is the initialization vector for CBC mode encryption.
Step 5: the storage encryption gateway receives data from the front-end application server and encrypts them: first with a data encryption key DEK in CBC mode, using a different DEK according to the last byte of the data block; then with the data protection key KEK in CBC mode; and then with the device master key MK in CBC mode. The resulting third-layer encrypted data block is transmitted to the storage device.
Step 6: the storage encryption gateway transmits the encrypted data block to the storage device and, when writing it, generates an encrypted data block identifier; the one-to-one relationship between the data encryption key DEK used for each data block and the block's identifier is stored in the storage device, forming the key chain.
Step 7: a hash is computed over the encrypted data block identifier to obtain a virtual number, and the last byte of the virtual number is taken as the Bucket Id; the data encryption keys DEK are put in one-to-one correspondence with the Bucket Ids.
Step 8: on a data read request from the front-end application server, the storage encryption gateway fetches the corresponding data block from the storage device and uses the block's Bucket Id, which differs from block to block, to find which DEK was used at encryption; the storage encryption gateway first decrypts with the device master key MK in CBC mode, then with the data protection key KEK in CBC mode, and finally with the data encryption key DEK in CBC mode.
Step 9: when the key management center detects that the data protection key KEK in the system has expired, it sends a key update request together with the newly generated data protection key KEK to the storage encryption gateway. The storage encryption gateway first decrypts the information that was encrypted with the old data protection key KEK in CBC mode, then encrypts the decrypted information with the data encryption key DEK in CBC mode, then with the new data protection key KEK in CBC mode, and then with the device master key MK in CBC mode.
Embodiment 3 provides a storage encryption gateway key management system and method; the system structure is as shown in Fig. 1 and the steps are as follows:
Step 1: the storage device, the storage encryption gateway, the key management center and the front-end application server are connected together, completing the build of the system.
Step 2: system initialization. After a successful start, the storage encryption gateway registers with the key management center; once registration succeeds, the key management center generates the device master key MK and sends it to the storage encryption gateway;
Step 3: when the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; on receiving the request, the key management center generates 1 data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway;
Step 4: the storage encryption gateway reads the virtual data block number and the logical unit number from the initialized storage device and appends the logical unit number to the virtual data block number to form a 16-byte value. If the combined data are longer than 16 bytes, the bytes beyond the sixteenth are removed; if they are shorter than 16 bytes, the missing length is appended as padding; for example, if the combined data are 14 bytes long, 0X1010 is appended to make 16 bytes. The combined data are then encrypted with the DEK, and the encrypted result is the initialization vector for CBC mode encryption;
Step 5: the storage encryption gateway receives data from the front-end application server and encrypts them: first with a data encryption key DEK in CBC mode, using a different DEK according to the last byte of the data block; then with the data protection key KEK in ECB mode; and then with the device master key MK in ECB mode.
Step 6: the storage encryption gateway transmits the encrypted data block to the storage device and, when writing it, generates an encrypted data block identifier; the one-to-one relationship between the data encryption key DEK used for each data block and the block's identifier is stored in the storage device, forming the key chain;
Step 7: a hash is computed over the encrypted data block identifier to obtain a virtual number, and the last byte of the virtual number is taken as the Bucket Id; the data encryption keys DEK are put in one-to-one correspondence with the Bucket Ids;
Step 8: on a data read request from the front-end application server, the storage encryption gateway fetches the corresponding data block from the storage device and uses the block's Bucket Id, which differs from block to block, to find which DEK was used at encryption; the storage encryption gateway first decrypts with the device master key MK in ECB mode, then with the data protection key KEK in ECB mode, and finally with the data encryption key DEK in CBC mode, obtaining the decrypted data; the decrypted data are sent to the front-end application server;
Step 9: when the storage encryption gateway deletes a file system, it destroys the data protection key KEK and the data encryption keys DEK and then sends a request to the key management center; on receiving the request, the key management center stores the destroyed keys in the history key storage area.
Embodiment 4 provides a storage encryption gateway key management system and method; the system structure is as shown in Fig. 1 and the steps are as follows:
Step 1: storage equipment and storage encryption gateway, Key Management Center, front end application server are linked together,
System is completely built.
Step 2: system initialization, after starting successfully, storage encryption gateway is registered in Key Management Center, is registered
Key Management Center generating device master key MK after function, and it is sent to storage encryption gateway;
Step 3: storage encryption gateway new files system when, to key management system request for data protection key KEK and
Data encryption key DEK;After Key Management Center is connected to application, generates 1 Data protection keys KEK and 256 data encryptions are close
Key DEK, and it is sent to storage encryption gateway;
Step 4: storage encryption gateway reads virtual data block number and logical unit number in the storage equipment of initialization,
Logical unit number is connected to behind virtual data block number, the data of 16 bytes are synthesized;If the data length after synthesis
Greater than 16 bytes, then remove the part after logical unit number more than 16 bytes;If inadequate 16 byte of data length after synthesis,
Then addition defect bit length is supplied behind;If composite signal length is 14 bytes, 0X1010 is added behind and supplies 16 words
Section;Then the data after the synthesis, initialization vector of the encrypted result as CBC mode encryption are encrypted using DEK.
Step 5: The storage encryption gateway receives data from the front-end application server and its encryption module encrypts the data. The data is first encrypted in CBC mode with the data encryption key DEK, where data blocks whose last byte differs are encrypted with different DEKs; it is then encrypted in ECB mode with the data protection key KEK, and then encrypted in ECB mode with the device master key MK. The encrypted data block is transmitted to the storage device.
Step 6: The storage encryption gateway transmits the encrypted data block to the storage device and generates an encrypted data block identifier when writing to the storage device. The data encryption key DEK used for each data block is stored in the storage device in one-to-one correspondence with the corresponding encrypted data block identifier, forming a key chain.
Step 7: A hash operation is performed on the encrypted data block identifier to obtain a virtual number, and the last byte of the virtual number is taken as the Bucket Id; data encryption keys DEK correspond one-to-one with Bucket Ids.
Step 8: After receiving a request from the front-end application server to obtain data, the storage encryption gateway obtains the corresponding data block stored on the storage device and can find which DEK was used for encryption from the Bucket Id, which differs between data blocks. The storage encryption gateway first decrypts in ECB mode with the device master key MK, then decrypts in ECB mode with the data protection key KEK, and finally decrypts in CBC mode with the data encryption key DEK to obtain the decrypted data.
Step 9: After the storage encryption gateway loses a key, it can send a key recovery request to the Key Management Center; after receiving the request, the Key Management Center obtains the backed-up key from the history key storage module and sends the key to the storage encryption gateway again.
The invention is not limited to the specific embodiments described above. The present invention extends to any new feature or any new combination disclosed in this specification, and to the steps of any new method or process disclosed, or any new combination thereof.
Claims (5)
1. A method based on a storage encryption gateway key management system, the system comprising a Key Management Center and a storage encryption gateway;
The Key Management Center is used to generate keys and send the generated keys to the storage encryption gateway; to detect whether a key in the system has expired and, if a key has expired, to send a key update instruction and a new key to the storage encryption gateway to carry out the key update; to receive a key destruction request from the storage encryption gateway, destroy the key and store the destroyed key in the history key storage module; and, after the storage encryption gateway has lost a key, to receive the key recovery request of the storage encryption gateway and resend the key to the storage encryption gateway;
The storage encryption gateway is used to receive the keys generated by the Key Management Center and to use those keys to encrypt and decrypt the data transmitted by the front-end application server; to receive the key update instruction of the Key Management Center and carry out the key update; after deleting a key, to notify the Key Management Center to destroy the key; and to connect the data communication between the front-end application server and the storage device;
characterized in that the specific steps of the method are as follows:
Step 1: System initialization. After a successful start-up, the storage encryption gateway registers with the Key Management Center; once registration succeeds, the Key Management Center generates the device master key MK and sends it to the storage encryption gateway;
Step 2: When the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; after receiving the application, the Key Management Center generates 1 data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway;
Step 3: The storage encryption gateway generates the initialization vector for CBC mode encryption;
Step 4: The storage encryption gateway receives data from the front-end application server and encrypts the data; the data is encrypted in CBC mode with the data encryption key DEK;
Step 5: The storage encryption gateway transmits the encrypted data block to the storage device and generates an encrypted data block identifier when writing to the storage device; the data encryption key DEK used for each data block is stored in the storage device in one-to-one correspondence with the corresponding encrypted data block identifier, forming a key chain;
Step 6: A hash operation is performed on the encrypted data block identifier to obtain a virtual number, and the last byte of the virtual number is taken as the Bucket Id; data encryption keys DEK correspond one-to-one with Bucket Ids;
Step 7: After receiving a request from the front-end application server to obtain data, the storage encryption gateway obtains the corresponding data block stored on the storage device and can find which DEK was used for encryption from the Bucket Id, which differs between data blocks; the storage encryption gateway first decrypts with the device master key MK, then decrypts with the data protection key KEK, and finally decrypts in CBC mode with the data encryption key DEK;
Step 8: After the Key Management Center detects that the data protection key KEK in the system has expired, it can request a key update and send the newly generated data protection key KEK to the storage encryption gateway;
Step 9: After the storage encryption gateway deletes a file system, it can destroy the data protection key KEK and the data encryption keys DEK and then send a request to the Key Management Center; after receiving the request, the Key Management Center stores the destroyed keys in the history key storage module;
Step 10: After the storage encryption gateway loses a key, it can send a key recovery request to the Key Management Center; after receiving the request, the Key Management Center obtains the backed-up key from the history key storage module and sends the key to the storage encryption gateway again.
2. The method based on a storage encryption gateway key management system according to claim 1, characterized in that the data protection key KEK and the device master key MK may encrypt in CBC mode or in ECB mode, whereas the data encryption key DEK may only encrypt in CBC mode.
3. The method based on a storage encryption gateway key management system according to claim 1, characterized in that the initialization vector of the CBC mode is generated as follows: the storage encryption gateway reads the virtual data block number and the logical unit number from the initialized storage device and appends the logical unit number after the virtual data block number to form 16 bytes of data; if the combined data is longer than 16 bytes, the part of the logical unit number beyond 16 bytes is removed; if the combined data is shorter than 16 bytes, the missing bit length is appended to pad it; if the combined data is 14 bytes long, 0X1010 is appended to pad it to 16 bytes; the combined data is then encrypted with the DEK, and the encryption result is the initialization vector of the CBC encryption mode.
4. The method based on a storage encryption gateway key management system according to claim 1, characterized in that the Key Management Center comprises a central data communication module, a key generation module, a key update module, a key destruction module, a history key storage module and a key backup and recovery module;
The central data communication module is used to receive data and requests from the storage encryption gateway and to send keys and instructions to the storage encryption gateway; the key generation module is used to generate the device master key MK, the data protection key KEK and the data encryption keys DEK; the key update module is used to detect whether the data protection key KEK in the system has expired and, if the data protection key KEK has expired, to send a key update instruction and a new data protection key KEK to the storage encryption gateway; the key destruction module is used to destroy the data protection key KEK and the data encryption keys DEK in the system according to the key destruction request from the storage encryption gateway, and to store the destroyed data protection key KEK and data encryption keys DEK in the history key storage module; the history key storage module is used to back up the keys generated and sent to the storage encryption gateway and to keep a stored record of the destroyed keys; the key backup and recovery module is used, after the storage encryption gateway has lost a key, to obtain the backed-up key from the history key storage module according to the key recovery request of the storage encryption gateway and to send the key to the storage encryption gateway again.
5. The method based on a storage encryption gateway key management system according to claim 1, characterized in that the storage encryption gateway comprises a gateway data communication module, an encryption/decryption module, a key update module and a file system creation/deletion module;
The gateway data communication module is used to connect the data communication between the front-end application server and the storage device, receiving data from the front-end application server and receiving data from the storage device; it receives keys and instructions from the Key Management Center and sends data and requests to the Key Management Center; the encryption/decryption module is used to encrypt the data transmitted by the front-end application server and to decrypt the data obtained from the storage device; the key update module is used to update keys according to the key update instruction and the new data protection key KEK sent by the Key Management Center; the file system creation/deletion module is used, according to a request from the front-end application server, to send a command to the storage device to delete the file system and to destroy the data protection key KEK and the data encryption keys DEK.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610008401.0A CN105681031B (en) | 2016-01-08 | 2016-01-08 | A kind of storage encryption gateway key management system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105681031A CN105681031A (en) | 2016-06-15 |
CN105681031B true CN105681031B (en) | 2018-12-21 |
Family
ID=56299237
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CP01 | Change in the name or title of a patent holder | Address after: No. 333, Yunhua Road, High-tech Zone, Chengdu, Sichuan 610041; Patentee after: China Electronics Technology Network Security Technology Co., Ltd.; Address before: No. 333, Yunhua Road, High-tech Zone, Chengdu, Sichuan 610041; Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc. |