CN105681031B - A kind of storage encryption gateway key management system and method - Google Patents

A kind of storage encryption gateway key management system and method

Info

Publication number: CN105681031B
Authority: CN (China)
Prior art keywords: key, data, storage, encryption, gateway
Legal status: Active
Application number: CN201610008401.0A
Other languages: Chinese (zh)
Other versions: CN105681031A
Inventor: 肖程
Current Assignee: China Electronics Technology Network Security Technology Co ltd
Original Assignee: Chengdu Westone Information Industry Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The invention discloses a storage encryption gateway key management system and method in the technical field of network security. The system comprises a Key Management Center and a storage encryption gateway. The Key Management Center manages the whole life cycle of every key in the system, including key generation, distribution, update, destruction and recovery. The storage encryption gateway encrypts and decrypts data and carries the data communication between the front end application server and the storage equipment. Current storage encryption gateway management systems manage the key life cycle incompletely, produce encrypted data that is easily cracked, and offer low security; the proposed system and method address these shortcomings and effectively enhance the function and safety of storage encryption gateway management systems.

Description

A storage encryption gateway key management system and method
Technical field
The present invention relates to the technical field of network security, in particular to a storage encryption gateway key management system and method.
Background technique
A gateway (Gateway), also called a protocol converter, implements network interconnection at the network layer and above. It is the most complex network interconnection device and is used only to interconnect two networks whose upper-layer protocols differ. A storage encryption gateway can be used for wide area network interconnection as well as for local area network interconnection. A gateway is a computer system or device that performs a conversion task: between two entirely different systems that use different communication protocols, data formats or languages, or even different architectures, the gateway acts as a translator. Unlike a bridge, which simply relays information, a gateway repacks the information it receives to fit the needs of the destination system.
Key management is responsible for managing the keys in the whole encryption system, covering every aspect from key generation to key destruction. It is embodied mainly in the management system, the management protocols, and the generation, distribution, replacement and injection of keys. The specific process generally comprises key generation, key distribution, key verification, key update, key storage, key backup and key destruction.
CBC (Cipher-block chaining) mode means that, during encryption, each plaintext block is first XORed with the previous ciphertext block and then encrypted. In this way every ciphertext block depends on all the plaintext blocks before it. At the same time, to guarantee the uniqueness of every message, an initialization vector is used in the first block.
ECB (Electronic Codebook) mode is the most basic operating mode of a block cipher. In this mode the information to be processed is divided into groups of suitable size, and each group is then encrypted or decrypted independently.
With the continued advance of informatization, industries, enterprises and institutions store and process key business data with computer systems and computer network technology ever more frequently. Various data storage devices concentrated in data center machine rooms provide data storage services to the front end application servers of various businesses, and with the spread of cloud computing and big data the data stored in data centers will grow geometrically. Under current technical conditions data storage relies mainly on network storage equipment represented by various disk arrays; in use the data itself has no safety precautions, so there is a great data safety risk.
Existing key management systems have simple functions and do not manage the whole life cycle of a key completely. Some situations therefore cannot be handled, leading to data that cannot be decrypted, encryption that fails, and so on. In addition, existing key management systems mostly use externally developed algorithms for encryption and decryption, so the security of the system is open to doubt; the client application must also take part in encryption, which increases the load on the client. Furthermore, identical plaintext data blocks produce identical ciphertext when encrypted, which makes reverse decoding easy and lowers the security of the system.
Summary of the invention
In view of this, the present invention provides a storage encryption gateway key management system and method in which the encrypted data is more difficult to crack and safer, and the entire key life cycle is managed completely.
The technical solution adopted by the invention is as follows:
A storage encryption gateway key management system, characterized in that the system comprises: a Key Management Center, a storage encryption gateway, a front end application server and storage equipment;
The Key Management Center is used to generate keys and send the generated keys to the storage encryption gateway; to detect whether a key in the system has expired and, if the key has expired, to send a key update instruction together with the new key to the storage encryption gateway so that it updates the key; to receive the key destruction request from the storage encryption gateway, destroy the key and store the destroyed key in the history key storage area; and, after the storage encryption gateway has lost its key, to receive the key recovery request of the storage encryption gateway and send the key to the storage encryption gateway again;
The storage encryption gateway is used to receive the key generated by the Key Management Center and to use that key to encrypt and decrypt the data passed from the front end application server; to receive the key update instruction of the Key Management Center and update the key; after deleting a key, to notify the Key Management Center to destroy the key; and to connect the data communication between the front end application server and the storage equipment.
The Key Management Center comprises a central data communication module, a key generation module, a key update module, a key destruction module, a history key storage area and a key backup and recovery module;
The central data communication module receives data and requests from the storage encryption gateway and sends keys and instructions to the storage encryption gateway. The key generation module generates the device master key MK, the data protection key KEK and the data encryption keys DEK. The key update module detects whether the data protection key KEK in the system has expired and, if the data protection key KEK has expired, sends a key update instruction and a new data protection key KEK to the storage encryption gateway. The key destruction module, according to the key destruction request from the storage encryption gateway, destroys the data protection key KEK and data encryption keys DEK in the system and stores the destroyed data protection key KEK and data encryption keys DEK in the history key storage area. The history key storage area backs up the keys generated and sent to the storage encryption gateway and keeps a stored record of the destroyed keys. The key backup and recovery module, after the keys in the storage encryption gateway are lost, obtains the backed-up keys from the history key storage area according to the key recovery request of the storage encryption gateway and resends the keys to the storage encryption gateway.
The storage encryption gateway comprises a gateway data communication module, an encryption/decryption module, a key update module and a file system creation/deletion module;
The gateway data communication module connects the data communication between the front end application server and the storage equipment: it receives data from the front end application server and receives data from the storage equipment; it receives keys and instructions from the Key Management Center and sends data and requests to the Key Management Center. The encryption/decryption module encrypts the data passed from the front end application server and decrypts the data obtained from the storage equipment. The key update module updates the key according to the key update instruction and the new data protection key KEK sent by the Key Management Center. The file system creation/deletion module, according to the request of the front end application server, sends a command to the storage equipment to delete the file system, and destroys the data protection key KEK and data encryption keys DEK.
A method based on the storage encryption gateway key management system of any one of claims 1 to 3, characterized in that the specific steps of the method are as follows:
Step 1: system initialization; after successful startup, the storage encryption gateway registers with the Key Management Center; after successful registration the Key Management Center generates the device master key MK and sends it to the storage encryption gateway;
Step 2: when the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; after receiving the application, the Key Management Center generates 1 data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway;
Step 3: the storage encryption gateway generates the initialization vector for CBC mode encryption;
Step 4: the storage encryption gateway receives data from the front end application server and encrypts the data, using the data encryption key DEK in CBC mode;
Step 5: the storage encryption gateway transmits the encrypted data block to the storage equipment and, when writing to the storage equipment, generates an encrypted data block identifier; the one-to-one relationship between the data encryption key DEK used for each data block and the corresponding encrypted data block identifier is stored in the storage equipment, forming a key chain;
Step 6: a hash operation is performed on the encrypted data block identifier to obtain a virtual number, and the last byte of the virtual number is taken as the Bucket Id; the data encryption keys DEK and the Bucket Ids correspond one to one;
Step 7: after receiving a request from the front end application server to obtain data, the storage encryption gateway obtains the corresponding data block stored on the storage equipment and, from the Bucket Id, which differs between data blocks, finds which DEK was used at encryption time; the storage encryption gateway first decrypts with the device master key MK, then decrypts with the data protection key KEK, and finally decrypts with the data encryption key DEK in CBC mode;
Step 8: after the Key Management Center detects that the data protection key KEK in the system has expired, it sends a key update request and the newly generated data protection key KEK to the storage encryption gateway;
Step 9: after the storage encryption gateway deletes a file system, it destroys the data protection key KEK and data encryption keys DEK and then sends a request to the Key Management Center; after receiving the request, the Key Management Center stores the destroyed keys in the history key storage area;
Step 10: after the storage encryption gateway loses its keys, it sends a key recovery request to the Key Management Center; after receiving the request, the Key Management Center obtains the backed-up keys from the history key storage area and sends them to the storage encryption gateway again.
The data protection key KEK and the device master key MK may encrypt in CBC mode or in ECB mode; the data encryption key DEK may only encrypt in CBC mode.
The initialization vector of the CBC encryption mode is generated as follows: the storage encryption gateway reads the virtual data block number and the logical unit number from the initialized storage equipment and appends the logical unit number behind the virtual data block number to synthesize 16 bytes of data. If the synthesized data is longer than 16 bytes, the part of the logical unit number beyond 16 bytes is removed. If the synthesized data is shorter than 16 bytes, the missing bit length is appended behind it to complete it; for example, a 14-byte composite is completed to 16 bytes by appending 0X1010. The synthesized data is then encrypted with the DEK, and the encrypted data is the initialization vector of the CBC encryption mode.
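As an added example that is not part of the patent, the following Go program carries out the initialization vector derivation just described: compose the virtual data block number and logical unit number, truncate or pad to 16 bytes, and encrypt the result under the DEK. The patent names no cipher and gives no byte widths, so AES-128, a 6-byte block number, an 8-byte LUN and a single-block encryption under the DEK are assumptions made here; the padding rule follows the page's own 0X1010 example (2 bytes missing, 16 bits, so each padding byte is 0x10).

```go
package main

import (
	"crypto/aes"
	"fmt"
)

// Added illustration of the IV derivation in the specification, not the patent's
// code. Assumptions: the virtual data block number and logical unit number are
// byte strings, and "encrypt with the DEK" is one AES-128 block encryption (the
// page names no cipher, only a domestic algorithm).

// composeIVInput appends the LUN behind the virtual block number and brings the
// result to exactly 16 bytes. Too long: keep only the first 16 bytes. Too short:
// append the missing length, in bits, as the value of every padding byte, which
// is what the page's example shows (14 bytes -> 2 bytes = 16 bits -> 0x10 0x10).
func composeIVInput(blockNo, lun []byte) []byte {
	v := append(append([]byte{}, blockNo...), lun...)
	if len(v) >= 16 {
		return v[:16]
	}
	missingBits := byte((16 - len(v)) * 8)
	out := make([]byte, 16)
	copy(out, v)
	for i := len(v); i < 16; i++ {
		out[i] = missingBits
	}
	return out
}

// deriveIV encrypts the composed 16 bytes under the DEK; the ciphertext is the
// CBC initialization vector for that data block. Block number and LUN differ
// per block, so the IV does too, while the same block always yields the same IV.
func deriveIV(dek, blockNo, lun []byte) ([]byte, error) {
	c, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	c.Encrypt(iv, composeIVInput(blockNo, lun))
	return iv, nil
}

func main() {
	dek := []byte("constructed-dek!")    // 16-byte constructed sample DEK
	lun := []byte{0, 0, 0, 0, 0, 0, 0, 1} // 8-byte LUN (constructed)
	// two constructed 6-byte virtual block numbers: 14-byte composites, padded with 0x10 0x10
	for _, blk := range [][]byte{{0, 0, 0, 0, 0, 17}, {0, 0, 0, 0, 0, 18}} {
		iv, err := deriveIV(dek, blk, lun)
		if err != nil {
			panic(err)
		}
		fmt.Printf("input %x -> iv %x\n", composeIVInput(blk, lun), iv)
	}
}
```

The derivation is deterministic on purpose: because the gateway can recompute the IV from the block's own address, it does not need to store an IV beside every encrypted block.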
With the above technical scheme, the present invention produces the following beneficial effects:
1. Key life cycle management: the whole system manages the complete life cycle of keys and can calmly cope with the various problems met in system operation. A complete key backup mechanism guarantees that keys can be recovered. If a key is lost in the key management system or in the storage encryption gateway, it can be recovered through the corresponding mechanism or medium, guaranteeing normal operation of the system and effectively preventing problems such as data that cannot be decrypted or encryption that does not succeed.
2. Domestic algorithm: data is encrypted and decrypted with a domestic algorithm, which raises the security of the system to the greatest extent and prevents intrusion into the system through back doors and loopholes.
3. Transparent encryption and decryption of data blocks: the client application does not take part in the encryption process at all, which effectively reduces the operating load of the client and improves its fluency.
4. Random initial vector: at system initialization there is a large amount of identical data in each LUN data block; adding a random initial vector to the CBC mode encryption ensures that identical plaintext data blocks encrypt to different ciphertexts, preventing reverse decoding when sample data is excessive and effectively improving the security of the system.
Detailed description of the invention
Fig. 1 is a structural schematic diagram of a storage encryption gateway key management system of the invention.
Fig. 2 is a structural schematic diagram of the Key Management Center of the storage encryption gateway key management system of the invention.
Fig. 3 is a structural schematic diagram of the storage encryption gateway of the storage encryption gateway key management system of the invention.
Fig. 4 is a structural schematic diagram of the key chain of the storage encryption gateway key management method of the invention.
Specific embodiment
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way except where features and/or steps are mutually exclusive.
Any feature disclosed in this specification (including any accompanying claims and the abstract), unless specifically stated otherwise, may be replaced by an alternative feature that is equivalent or serves a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
Embodiment 1 of the present invention provides a storage encryption gateway key management system and method; the system structure is as shown in Fig. 1, and the specific steps are as follows:
Step 1: the storage equipment, the storage encryption gateway, the Key Management Center and the front end application server are linked together, and the system is completely built.
Step 2: system initialization; after successful startup, the storage encryption gateway registers with the Key Management Center; after successful registration the Key Management Center generates the device master key MK and sends it to the storage encryption gateway.
Step 3: when the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; after receiving the application, the Key Management Center generates 1 data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway.
Step 4: the storage encryption gateway reads the virtual data block number and the logical unit number from the initialized storage equipment and appends the logical unit number behind the virtual data block number to synthesize 16 bytes of data; if the synthesized data is longer than 16 bytes, the part of the logical unit number beyond 16 bytes is removed; if it is shorter than 16 bytes, the missing bit length is appended behind it to complete it, so that a 14-byte composite is completed to 16 bytes by appending 0X1010; the synthesized data is then encrypted with the DEK, and the encrypted result is the initialization vector for CBC mode encryption.
Step 5: the storage encryption gateway receives data from the front end application server and encrypts it: first with the data encryption key DEK in CBC mode, a different DEK being used according to the different last byte of each data block; then with the data protection key KEK; and finally with the device master key MK.
Step 6: the storage encryption gateway transmits the encrypted data block to the storage equipment and, when writing to the storage equipment, generates an encrypted data block identifier; the one-to-one relationship between the data encryption key DEK used for each data block and the corresponding encrypted data block identifier is stored in the storage equipment, forming a key chain.
Step 7: a hash operation is performed on the encrypted data block identifier to obtain a virtual number, and the last byte of the virtual number is taken as the Bucket Id; the data encryption keys DEK and the Bucket Ids correspond one to one.
Step 8: after receiving a request from the front end application server to obtain data, the storage encryption gateway obtains the corresponding data block stored on the storage equipment and, from the Bucket Id, which differs between data blocks, finds which DEK was used at encryption time; the storage encryption gateway first decrypts with the device master key MK, then decrypts with the data protection key KEK, and finally decrypts with the data encryption key DEK in CBC mode, obtaining the decrypted data.
Embodiment 2 of the present invention provides a storage encryption gateway key management system and method; the system structure is as shown in Fig. 1, and the specific steps are as follows:
Step 1: the storage equipment, the storage encryption gateway, the Key Management Center and the front end application server are linked together, and the system is completely built.
Step 2: system initialization; after successful startup, the storage encryption gateway registers with the Key Management Center; after successful registration the Key Management Center generates the device master key MK and sends it to the storage encryption gateway.
Step 3: when the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; after receiving the application, the Key Management Center generates 1 data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway.
Step 4: the storage encryption gateway reads the virtual data block number and the logical unit number from the initialized storage equipment and appends the logical unit number behind the virtual data block number to synthesize 16 bytes of data; if the synthesized data is longer than 16 bytes, the part of the logical unit number beyond 16 bytes is removed; if it is shorter than 16 bytes, the missing bit length is appended behind it to complete it, so that a 14-byte composite is completed to 16 bytes by appending 0X1010; the synthesized data is then encrypted with the DEK, and the encrypted result is the initialization vector for CBC mode encryption.
Step 5: the storage encryption gateway receives data from the front end application server and encrypts it: first with the data encryption key DEK in CBC mode, a different DEK being used according to the different last byte of each data block; then with the data protection key KEK in CBC mode; then with the device master key MK in CBC mode. The triply encrypted data block is transmitted to the storage equipment.
Step 6: the storage encryption gateway transmits the encrypted data block to the storage equipment and, when writing to the storage equipment, generates an encrypted data block identifier; the one-to-one relationship between the data encryption key DEK used for each data block and the corresponding encrypted data block identifier is stored in the storage equipment, forming a key chain.
Step 7: a hash operation is performed on the encrypted data block identifier to obtain a virtual number, and the last byte of the virtual number is taken as the Bucket Id; the data encryption keys DEK and the Bucket Ids correspond one to one.
Step 8: after receiving a request from the front end application server to obtain data, the storage encryption gateway obtains the corresponding data block stored on the storage equipment and, from the Bucket Id, which differs between data blocks, finds which DEK was used at encryption time; the storage encryption gateway first decrypts with the device master key MK in CBC mode, then decrypts with the data protection key KEK in CBC mode, and finally decrypts with the data encryption key DEK in CBC mode.
Step 9: after the Key Management Center detects that the data protection key KEK in the system has expired, it sends a key update request and the newly generated data protection key KEK to the storage encryption gateway; the storage encryption gateway first decrypts the information that was encrypted in CBC mode with the old data protection key KEK, then encrypts the decrypted information with the data encryption key DEK in CBC mode, encrypts with the new data protection key KEK in CBC mode, and then encrypts with the device master key MK in CBC mode.
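The key chain, the three CBC layers of steps 5 and 8, and the KEK update of step 9 of embodiment 2, as an added Go example that is not the patent's own code. It assumes AES-128 in place of the unnamed domestic cipher, SHA-256 as the hash that produces the virtual number, one derived IV reused across the three layers, and 16-byte-aligned data blocks (as disk sectors are), so no padding is applied; a random IV stands in for the derivation of step 4. Step 9 is read here as removing the MK and expired-KEK layers and re-applying the new KEK and MK while the DEK layer stays in place.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Added illustration (not the patent's code) of the key chain, the three CBC
// layers of embodiment 2 and the KEK update of its step 9. Assumptions: AES-128
// stands in for the unnamed domestic cipher, SHA-256 yields the "virtual number",
// one derived IV is reused for every layer, and data blocks are 16-byte aligned.

// KeyChain: one device master key MK, one data protection key KEK and 256 DEKs.
type KeyChain struct {
	MK   []byte
	KEK  []byte
	DEKs [256][]byte
}

func randKey() []byte {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// NewKeyChain plays the Key Management Center's part in steps 2 and 3.
func NewKeyChain() *KeyChain {
	kc := &KeyChain{MK: randKey(), KEK: randKey()}
	for i := range kc.DEKs {
		kc.DEKs[i] = randKey()
	}
	return kc
}

// BucketID keeps the last digest byte of the encrypted data block identifier,
// so the 256 buckets map one-to-one onto the 256 DEKs.
func BucketID(blockID []byte) byte {
	sum := sha256.Sum256(blockID)
	return sum[len(sum)-1]
}

// cbc applies one CBC layer (encrypt or decrypt) under key with the given IV.
func cbc(key, iv, in []byte, encrypt bool) ([]byte, error) {
	if len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("block of %d bytes is not 16-byte aligned", len(in))
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	mode := cipher.NewCBCDecrypter
	if encrypt {
		mode = cipher.NewCBCEncrypter
	}
	out := make([]byte, len(in))
	mode(c, iv).CryptBlocks(out, in)
	return out, nil
}

// layers runs the keys in order, encrypting or decrypting at each step.
func layers(keys [][]byte, iv, data []byte, encrypt bool) ([]byte, error) {
	var err error
	for _, k := range keys {
		if data, err = cbc(k, iv, data, encrypt); err != nil {
			return nil, err
		}
	}
	return data, nil
}

// EncryptBlock is step 5: the bucket's DEK, then the KEK, then the MK.
func (kc *KeyChain) EncryptBlock(blockID, iv, plain []byte) ([]byte, error) {
	return layers([][]byte{kc.DEKs[BucketID(blockID)], kc.KEK, kc.MK}, iv, plain, true)
}

// DecryptBlock is step 8: peel the MK, then the KEK, then the bucket's DEK.
func (kc *KeyChain) DecryptBlock(blockID, iv, ct []byte) ([]byte, error) {
	return layers([][]byte{kc.MK, kc.KEK, kc.DEKs[BucketID(blockID)]}, iv, ct, false)
}

// RewrapKEK is one reading of step 9 for a stored block: strip the MK and the
// expired KEK, keep the DEK layer, and re-apply the new KEK and the MK.
func RewrapKEK(mk, oldKEK, newKEK, iv, ct []byte) ([]byte, error) {
	inner, err := layers([][]byte{mk, oldKEK}, iv, ct, false)
	if err != nil {
		return nil, err
	}
	return layers([][]byte{newKEK, mk}, iv, inner, true)
}

func main() {
	kc, newKEK := NewKeyChain(), randKey()
	id, iv := []byte("lun0/vblock-00000017"), randKey() // constructed id; random IV stands in for step 4
	ct, _ := kc.EncryptBlock(id, iv, make([]byte, 512))  // constructed all-zero 512-byte data block
	ct, _ = RewrapKEK(kc.MK, kc.KEK, newKEK, iv, ct)
	kc.KEK = newKEK // switch only once every stored block has been rewrapped
	pt, _ := kc.DecryptBlock(id, iv, ct)
	fmt.Println("bucket", BucketID(id), "intact after KEK update:", string(pt) == string(make([]byte, 512)))
}
```

The ECB variants of embodiments 3 and 4 differ only in the mode applied to the KEK and MK layers; the DEK layer is CBC in every embodiment, as the specification requires. Switching the gateway's KEK only after every stored block has been rewrapped keeps each block decryptable throughout the update.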
A kind of storage encryption gateway key management system and method are provided in the embodiment of the present invention 3, system construction drawing is such as Shown in Fig. 1, specific step is as follows, the specific steps are as follows:
Step 1: storage equipment and storage encryption gateway, Key Management Center, front end application server are linked together, System is completely built.
Step 2: system initialization, after starting successfully, storage encryption gateway is registered in Key Management Center, is registered Key Management Center generating device master key MK after function, and it is sent to storage encryption gateway;
Step 3: storage encryption gateway new files system when, to key management system request for data protection key KEK and Data encryption key DEK;After Key Management Center is connected to application, generates 1 Data protection keys KEK and 256 data encryptions are close Key DEK, and it is sent to storage encryption gateway;
Step 4: storage encryption gateway reads virtual data block number and logical unit number in the storage equipment of initialization, Logical unit number is connected to behind virtual data block number, the data of 16 bytes are synthesized;If the data length after synthesis Greater than 16 bytes, then remove the part after logical unit number more than 16 bytes;If inadequate 16 byte of data length after synthesis, Then addition defect bit length is supplied behind;If composite signal length is 14 bytes, 0X1010 is added behind and supplies 16 words Section;Then the data after the synthesis, initialization vector of the encrypted result as CBC mode encryption are encrypted using DEK;
Step 5: storage encryption gateway receives the data from front end application server, encrypts to data;Make first Data are encrypted using CBC mode with data encryption key DEK, are adopted for the different situations of different data block last bit byte It is encrypted with different DEK, is then encrypted using Data protection keys KEK using ecb mode, then use equipment master Key MK is encrypted using ecb mode.
Step 6: encrypted data block is transmitted in storage equipment by storage encryption gateway, raw when write storage device At encryption data block identification;By the used data encryption key DEK of corresponding data block and corresponding encryption data block identification one One-to-one correspondence is stored in storage equipment, forms key chain;
Step 7: Hash operation being carried out to encryption data block identification, is virtually numbered, then takes the last bit 1 virtually numbered A byte is as Bucket Id;Data encryption key DEK and Bucket Id are corresponded;
Step 8: storage encryption gateway obtains storage equipment after the request for receiving front end application server acquisition data The corresponding data block of upper storage uses when can find encryption according to Bucket Id different in different data block Which DEK;Storage encryption gateway is first decrypted using equipment master key MK using ecb mode;Then data protection is used Key KEK is decrypted using ecb mode;It is finally decrypted, is decrypted using CBC mode with data encryption key DEK Data afterwards;Data after decryption are sent to front end application server;
Step 9: after storage encryption gateway deletes file system, Data protection keys KEK and data encryption key can be destroyed Then DEK sends a request to Key Management Center;After Key Management Center receives the request, the key storage of destruction is existed History cipher key storage block.
Embodiment 4 of the present invention provides a storage encryption gateway key management system and method. The system architecture is shown in Fig. 1, and the specific steps are as follows:
Step 1: the storage device, the storage encryption gateway, the Key Management Center and the front-end application server are connected together, so that the system is fully built.
Step 2: the system is initialized; after it starts successfully, the storage encryption gateway registers with the Key Management Center. Once registration succeeds, the Key Management Center generates the device master key MK and sends it to the storage encryption gateway;
Step 3: when the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; on receiving the request, the Key Management Center generates 1 data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway;
Step 4: the storage encryption gateway reads the virtual data block number and the logical unit number from the initialized storage device and appends the logical unit number to the virtual data block number to form a 16-byte value. If the combined value is longer than 16 bytes, the part of the logical unit number beyond 16 bytes is discarded; if it is shorter than 16 bytes, the missing length is appended as padding (for example, if the combined value is 14 bytes long, 0x1010 is appended to bring it to 16 bytes). The combined value is then encrypted with the DEK, and the encryption result is used as the initialization vector for CBC-mode encryption.
Step 5: the storage encryption gateway receives data from the front-end application server, and its encryption module encrypts the data: the data is first encrypted with the data encryption key DEK in CBC mode, a different DEK being used according to the different values of the last byte associated with each data block; the result is then encrypted with the data protection key KEK in ECB mode, and then encrypted with the device master key MK in ECB mode; the encrypted data block is transmitted to the storage device.
Step 6: the storage encryption gateway transmits the encrypted data block to the storage device and, when writing to the storage device, generates an encrypted data block identifier; the data encryption key DEK used for each data block is stored in the storage device in one-to-one correspondence with that block's encrypted data block identifier, forming a key chain.
Step 7: a hash operation is performed on the encrypted data block identifier to obtain a virtual number, and the last byte of the virtual number is taken as the Bucket Id; the data encryption keys DEK and the Bucket Ids are in one-to-one correspondence.
Step 8: when the storage encryption gateway receives a request from the front-end application server to fetch data, it obtains the corresponding data block stored on the storage device; because each data block carries a different Bucket Id, the gateway can determine which DEK was used when the block was encrypted. The storage encryption gateway first decrypts with the device master key MK in ECB mode, then decrypts with the data protection key KEK in ECB mode, and finally decrypts with the data encryption key DEK in CBC mode to obtain the plaintext data.
Step 9: if the storage encryption gateway loses its keys, it sends a key recovery request to the Key Management Center; on receiving the request, the Key Management Center retrieves the backed-up keys from the history key storage module and sends them to the storage encryption gateway again.
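As an added illustration (not code from the patent or its applicant), the following Go program models Steps 4 to 8 above and the matching steps of claims 1 to 3: IV derivation from the virtual block number and logical unit number, Bucket Id selection from the block identifier hash, and the three-layer DEK-CBC / KEK-ECB / MK-ECB wrapping with its reverse. AES is assumed as the block cipher, SHA-256 as the hash, 0x10 as the pad byte implied by the page's 0x1010 example, and all keys are assumed to have valid AES key lengths.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
)

// ecb: raw AES on each 16-byte block, the ECB layer the page applies with KEK and MK.
func ecb(key, in []byte, encrypt bool) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil || len(in)%16 != 0 {
		return nil
	}
	op := blk.Encrypt
	if !encrypt {
		op = blk.Decrypt
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 16 {
		op(out[i:i+16], in[i:i+16])
	}
	return out
}

// deriveIV (Step 4): virtual block number || LUN, cut to or padded up to 16 bytes, then
// encrypted once under the DEK. Pad byte 0x10 is an assumption read from the page's 0x1010 example.
func deriveIV(dek, vbn, lun []byte) []byte {
	buf := append(append([]byte{}, vbn...), lun...)
	if len(buf) > 16 {
		buf = buf[:16]
	}
	for len(buf) < 16 {
		buf = append(buf, 0x10)
	}
	return ecb(dek, buf, true)
}

// bucketID (Step 7): last byte of the block-identifier hash selects one of 256 DEKs; SHA-256 assumed.
func bucketID(blockID []byte) byte {
	sum := sha256.Sum256(blockID)
	return sum[len(sum)-1]
}

// layered: Step 5 when encrypt (DEK-CBC, then KEK-ECB, then MK-ECB); Step 8 when not (reverse order).
func layered(mk, kek, dek, iv, data []byte, encrypt bool) []byte {
	blk, err := aes.NewCipher(dek)
	if err != nil || len(data)%16 != 0 || len(iv) != 16 {
		return nil
	}
	out := make([]byte, len(data))
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, data)
		return ecb(mk, ecb(kek, out, true), true)
	}
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, ecb(kek, ecb(mk, data, false), false))
	return out
}
```

The gateway would index its 256 DEKs by `bucketID` and call `layered` with the selected key; a block that is not a multiple of 16 bytes is rejected rather than silently padded, since the page's CBC layer operates on whole data blocks.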
The invention is not limited to the specific embodiments described above. The present invention extends to any new feature or any new combination disclosed in this specification, and to any new method or process step or any new combination thereof.

Claims (5)

1. A method based on a storage encryption gateway key management system, the system comprising: a Key Management Center and a storage encryption gateway;
the Key Management Center is used to generate keys and send the generated keys to the storage encryption gateway; to detect whether a key in the system has expired and, if the key has expired, send a key update instruction and a new key to the storage encryption gateway to perform the key update; to receive a key destruction request from the storage encryption gateway, destroy the key, and store the destroyed key in the history key storage area; and, after the storage encryption gateway has lost its keys, to receive the storage encryption gateway's key recovery request and resend the keys to the storage encryption gateway;
the storage encryption gateway is used to receive the keys generated by the Key Management Center and use these keys to encrypt and decrypt the data transmitted by the front-end application server; to receive the Key Management Center's key update instruction and perform the key update; after deleting a key, to notify the Key Management Center to destroy the key; and to relay the data communication between the front-end application server and the storage device;
characterized in that the method comprises the following specific steps:
Step 1: the system is initialized; after it starts successfully, the storage encryption gateway registers with the Key Management Center, and once registration succeeds the Key Management Center generates the device master key MK and sends it to the storage encryption gateway;
Step 2: when the storage encryption gateway creates a new file system, it requests a data protection key KEK and data encryption keys DEK from the key management system; on receiving the request, the Key Management Center generates 1 data protection key KEK and 256 data encryption keys DEK and sends them to the storage encryption gateway;
Step 3: the storage encryption gateway generates the initialization vector for CBC-mode encryption;
Step 4: the storage encryption gateway receives data from the front-end application server and encrypts it; the data is encrypted with the data encryption key DEK in CBC mode;
Step 5: the storage encryption gateway transmits the encrypted data block to the storage device and, when writing to the storage device, generates an encrypted data block identifier; the data encryption key DEK used for each data block is stored in the storage device in one-to-one correspondence with that block's encrypted data block identifier, forming a key chain;
Step 6: a hash operation is performed on the encrypted data block identifier to obtain a virtual number, and the last byte of the virtual number is taken as the Bucket Id; the data encryption keys DEK and the Bucket Ids are in one-to-one correspondence;
Step 7: when the storage encryption gateway receives a request from the front-end application server to fetch data, it obtains the corresponding data block stored on the storage device and, because each data block carries a different Bucket Id, determines which DEK was used when the block was encrypted; the storage encryption gateway first decrypts with the device master key MK, then decrypts with the data protection key KEK, and finally decrypts with the data encryption key DEK in CBC mode;
Step 8: when the Key Management Center detects that the data protection key KEK in the system has expired, it requests a key update and sends the newly generated data protection key KEK to the storage encryption gateway;
Step 9: when the storage encryption gateway deletes a file system, it destroys the data protection key KEK and the data encryption keys DEK and then sends a request to the Key Management Center; on receiving the request, the Key Management Center stores the destroyed keys in the history key storage module;
Step 10: if the storage encryption gateway loses its keys, it sends a key recovery request to the Key Management Center; on receiving the request, the Key Management Center retrieves the backed-up keys from the history key storage module and sends them to the storage encryption gateway again.
2. The method based on a storage encryption gateway key management system according to claim 1, characterized in that encryption with the data protection key KEK and the device master key MK may use either CBC mode or ECB mode, whereas encryption with the data encryption key DEK may use only CBC mode.
3. The method based on a storage encryption gateway key management system according to claim 1, characterized in that the initialization vector for CBC mode is generated as follows: the storage encryption gateway reads the virtual data block number and the logical unit number from the initialized storage device and appends the logical unit number to the virtual data block number to form a 16-byte value; if the combined value is longer than 16 bytes, the part of the logical unit number beyond 16 bytes is discarded; if it is shorter than 16 bytes, the missing length is appended as padding (for example, if the combined value is 14 bytes long, 0x1010 is appended to bring it to 16 bytes); the combined value is then encrypted with the DEK, and the encryption result is the initialization vector for CBC encryption mode.
4. The method based on a storage encryption gateway key management system according to claim 1, characterized in that the Key Management Center comprises a central data communication module, a key generation module, a key update module, a key destruction module, a history key storage module and a key backup and recovery module;
the central data communication module is used to receive data and requests from the storage encryption gateway and to send keys and instructions to the storage encryption gateway; the key generation module is used to generate the device master key MK, the data protection key KEK and the data encryption keys DEK; the key update module is used to detect whether the data protection key KEK in the system has expired and, if it has, to send a key update instruction and a new data protection key KEK to the storage encryption gateway; the key destruction module is used to destroy the data protection key KEK and data encryption keys DEK in the system in response to a key destruction request from the storage encryption gateway, and to store the destroyed data protection key KEK and data encryption keys DEK in the history key storage module; the history key storage module is used to back up the keys generated and sent to the storage encryption gateway and to record the keys after destruction; the key backup and recovery module is used, after the storage encryption gateway has lost its keys, to retrieve the backed-up keys from the history key storage module in response to the storage encryption gateway's key recovery request and to send the keys to the storage encryption gateway again.
5. The method based on a storage encryption gateway key management system according to claim 1, characterized in that the storage encryption gateway comprises a gateway data communication module, an encryption and decryption module, a key update module and a file system creation/deletion module;
the gateway data communication module is used to relay the data communication between the front-end application server and the storage device, receiving data from the front-end application server and receiving data from the storage device; it receives keys and instructions from the Key Management Center and sends data and requests to the Key Management Center; the encryption and decryption module is used to encrypt the data transmitted by the front-end application server and to decrypt the data obtained from the storage device; the key update module is used to update keys according to the key update instruction and the new data protection key KEK sent by the Key Management Center; the file system creation/deletion module is used, in response to a request from the front-end application server, to send a command to the storage device to delete the file system and to destroy the data protection key KEK and the data encryption keys DEK.
CN201610008401.0A 2016-01-08 2016-01-08 A kind of storage encryption gateway key management system and method Active CN105681031B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610008401.0A CN105681031B (en) 2016-01-08 2016-01-08 A kind of storage encryption gateway key management system and method

Publications (2)

Publication Number Publication Date
CN105681031A CN105681031A (en) 2016-06-15
CN105681031B true CN105681031B (en) 2018-12-21

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101635924A (en) * 2009-08-27 2010-01-27 成都卫士通信息产业股份有限公司 CDMA port-to-port encryption communication system and key distribution method thereof
CN105119719A (en) * 2015-10-16 2015-12-02 成都卫士通信息产业股份有限公司 Key management method of secure storage system

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US8135645B2 (en) * 2005-12-06 2012-03-13 Microsoft Corporation Key distribution for secure messaging

Non-Patent Citations (1)

Title
Research and Design of a Key Management System for an FC Encrypted Storage Switch; Huang Rong; China Masters' Theses Full-text Database, Information Science and Technology Series; 2011-12-31 (No. 12); I136-280 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee after: China Electronics Technology Network Security Technology Co.,Ltd.

Address before: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc.