CN106330868B - A high-speed network encryption storage key management system and method - Google Patents

Info

Publication number: CN106330868B
Authority: CN (China)
Prior art keywords: key, equipment, network storage, encryption, working
Legal status: Active
Application number: CN201610666670.6A
Other languages: Chinese (zh)
Other versions: CN106330868A (en)
Inventors: 朱云, 李元骅, 张晓囡
Current assignee: Beijing Shield Mdt Infotech Ltd
Original assignee: Beijing Shield Mdt Infotech Ltd
Events: application filed by Beijing Shield Mdt Infotech Ltd; priority to CN201610666670.6A; published as CN106330868A; application granted and published as CN106330868B; legal status Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0825 Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage


Abstract

The invention, which is based on network storage encryption devices, provides a high-speed network encryption storage key management system. The key management system uses four kinds of keys, protected layer by layer, to manage the keys of the devices to be encrypted; management covers generation, distribution, storage, backup, replacement, recovery and destruction. The four keys are the device root key, the device identity key, the key-encrypting key and the working key. With a centralized key maintenance strategy, key management security is controllable; with a remote online key distribution mechanism, key configuration is flexible and convenient, and the encryption system can be deployed and adjusted quickly, securely and reliably.

Description

A high-speed network encryption storage key management system and method
Technical field
The invention belongs to the field of information security technology and in particular relates to a high-speed network encryption storage key management system and method.
Background technique
In the storage field, FC SAN (Fibre Channel storage area network) has always held most of the market thanks to its inherent high performance and stability. With the outbreak of various information security incidents in recent years, organizations, banks in particular, urgently need a way to ensure the safety of their own data. Given the application environment, the characteristics of the FC protocol and the high-availability requirements of users' FC logical-volume transfer methods and storage network systems, solving the confidentiality and key management problems of users' storage network data in a way that is reliable and stable, secure and controllable, fast and efficient is the background and purpose of developing the high-speed network storage encryption device. The high-speed network storage encryption device implements a data encryption and decryption mechanism based on the FC protocol: it parses the FC protocol between the application servers in the FC SAN network (hereinafter the server side) and the disk array (hereinafter the storage side) and encrypts and decrypts the data transmitted between them. The network storage encryption device is inserted into the network in transparent pass-through mode. Besides its main function of encrypting and decrypting sector data in the FCP protocol in real time, it also supports high availability, log auditing, disk management, key management and access control. It is advanced in design, reasonably integrated, reliable and stable, secure and controllable, fast and efficient, and high in security strength; it meets national commercial cipher technical specifications and management requirements, and is a security device with independent intellectual property rights that can be used for FC network storage encryption and decryption.
Summary of the invention
To solve the above problems, the invention provides a high-speed network encryption storage key management system. The key management system uses four kinds of keys, protected layer by layer, to manage the keys of the devices to be encrypted; management covers generation, distribution, storage, backup, replacement, recovery and destruction;
Further, the key management system comprises a device root key, a device identity key, a key-encrypting key and a working key;
Device root key: provides storage encryption protection for key parameters, keys and similar sensitive data;
Device identity key: used for authenticating the device itself and for cryptographically protecting the key-sharing process among cluster devices;
Key-encrypting key: provides encryption protection for the working key during key distribution;
Working key: provides encryption protection for the transmitted service data;
Further, after the device root key is generated by the device it is split into three parts, S1, S2 and S3. S1 is burned at production time into the security chip inside the network storage encryption device; S2 is stored in component key1; S3 is stored in component key2;
Further, the device identity key is an asymmetric cryptographic algorithm key, namely a public/private key pair in which the private key is 256 bits long and the public key 512 bits long. The public key is exported via a USB Key or the configuration management interface; the private key is stored in the security chip of the network storage encryption device;
Further, the key-encrypting key is a 128-bit symmetric block cipher key used to protect the sharing of working keys within the cluster. Each time working keys are shared with the network storage encryption devices in the cluster, the key-encrypting key is generated in real time by the initiator's random number generation unit and used after being checked; it is destroyed once key distribution completes and is never saved;
Further, the working key is a 128-bit symmetric block cipher key used to encrypt and decrypt disk data in transit over the Fibre Channel. When the working key is replaced, the data already encrypted on disk is first decrypted with the old working key, re-encrypted with the new working key and stored, and only then is the old working key replaced by the new one. The working key is obtained from the security chip, which takes one random number from each of two WNG9 random number generators and uses the XOR of the two as the LUN's working key; the working key is then encrypted with the device root key and stored in the database;
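The root-key split, the two-generator working-key derivation and the replacement rule above, as an added Go model that is not the patent's or the vendor's own code. It assumes 128-bit keys throughout; AES-128-GCM stands in for SM4 (Go's standard library has no SM4) and crypto/rand stands in for the WNG9 generators, and share recombination is the modulo-2 addition described in the device root key use steps.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const keyLen = 16 // 128-bit keys, as in the patent

// xorBytes is modulo-2 addition of two equal-length slices.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// randomBytes draws n bytes from the OS CSPRNG (stand-in for the WNG9 noise
// sources); crypto/rand.Read is documented never to fail, so failure is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// RootKeyShares: S1 is burned into the security chip, S2 and S3 go to the two USB Keys.
type RootKeyShares struct{ S1, S2, S3 []byte }

// SplitRootKey produces shares with S1 ^ S2 ^ S3 == key; S1 and S2 are uniformly
// random, so any two shares alone carry no information about the key.
func SplitRootKey(key []byte) RootKeyShares {
	s1, s2 := randomBytes(keyLen), randomBytes(keyLen)
	return RootKeyShares{S1: s1, S2: s2, S3: xorBytes(xorBytes(key, s1), s2)}
}

// RecombineRootKey is step 413: the two USB Key components and the chip-resident
// component are added modulo 2 to recover the root key plaintext.
func RecombineRootKey(sh RootKeyShares) []byte {
	return xorBytes(xorBytes(sh.S1, sh.S2), sh.S3)
}

// DeriveWorkingKey XORs one random number from each of two independent
// generators; the result is uniform as long as at least one generator is.
func DeriveWorkingKey(rng1, rng2 func(int) []byte) []byte {
	return xorBytes(rng1(keyLen), rng2(keyLen))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // AES-128 stands in for SM4
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key: used to wrap a working key under the root
// key for FLASH/database storage, and to encrypt LUN data under a working key.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

// Open reverses Seal; it fails on a wrong key or a tampered ciphertext.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short (%d bytes)", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// RotateWorkingKey follows the patent's replacement order: decrypt stored data
// with the old working key, re-encrypt with the new one, and only then swap keys.
func RotateWorkingKey(oldKey, newKey, stored []byte) ([]byte, error) {
	plain, err := Open(oldKey, stored)
	if err != nil {
		return nil, fmt.Errorf("cannot decrypt with old working key: %w", err)
	}
	return Seal(newKey, plain)
}

func main() {
	shares := SplitRootKey(randomBytes(keyLen))
	wk := DeriveWorkingKey(randomBytes, randomBytes)
	wrapped, _ := Seal(RecombineRootKey(shares), wk) // stored form of the working key
	sector, _ := Seal(wk, []byte("LUN 0 sector (constructed sample)"))
	rotated, _ := RotateWorkingKey(wk, DeriveWorkingKey(randomBytes, randomBytes), sector)
	fmt.Printf("wrapped key %d bytes, sector re-encrypted to %d bytes\n", len(wrapped), len(rotated))
}
```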
Further, a high-speed network encryption storage key management method comprises:
1) Key generation: the device root key, the device identity key and the working key are generated by the noise generator of the two security chips in the network storage encryption device;
2) Key distribution: the device root key is not distributed. The device identity key is generated by each network storage encryption device; its private key is never exported, while its public key is exported from the device and used to generate the device's certificate request file, which is carried on an injection Key, signed by the Key Management Center and then issued uniformly to each device node. Working key distribution is initiated by the KMC or by the key-generating end device; after identity authentication, the working key is distributed as a digital envelope protected by a public key signature and by the key-encrypting key;
3) Key storage: the device root key is split into 3 different parts; 1 part is kept in the security chip of the network storage encryption device and the other 2 are encrypted and saved independently on 2 USB Keys. In use the device root key exists only in the SRAM inside the security chip and is lost on power-down. The device identity key, once generated, is encrypted inside the network storage encryption device with the SM4 algorithm, using the device root key as key, and stored in the FLASH of the device's security chip; when used, the security chip decrypts it into its internal SRAM, where it is lost on power-down. The key-encrypting key is used temporarily, destroyed immediately and never saved. The working key is saved after generation in one of two ways;
4) Key use, which comprises device root key use and working key use;
Device root key use steps:
411) Pass user identity authentication: during authentication the user must insert two USB Keys within a five-minute interval;
412) After at least two USB Keys have passed authentication, the root key components on the component Keys are read into the SRAM of the security chip of the network storage encryption device;
413) The plaintext of the device root key is computed by modulo-2 addition of these components with the root key component held inside the network storage encryption device;
414) The recovered device root key is stored at a specific location in the SRAM of the security chip until it is lost on power-down;
415) After injection of the device root key completes, the component Keys may be removed or kept;
Working key use steps:
421) Obtain permission by passing operator identity authentication;
422) Determine the decryption method according to the user's specification;
423) Read the working key ciphertext stored in FLASH into SRAM;
424) Decrypt it with the SM4 algorithm using the device root key as key, or decrypt it with the private key, to obtain the working key plaintext;
425) Store it at a specific location in SRAM until it is lost on power-down;
426) Each reuse requires decrypting again;
5) Key backup:
51) The device root key is split and stored on 2 USB Keys;
52) Device identity key backup: after obtaining administrator authority, the device identity key held by the network storage encryption device is encrypted with the SM4 algorithm, using the device root key in the security chip SRAM as key, and stored on a backup medium; the public key and the private key are saved independently on two backup media;
53) The key-encrypting key is not backed up;
54) Working key backup: after obtaining administrator authority, the working key is encrypted with the SM4 algorithm, using the device root key in the security chip SRAM as key, and stored on a USB Key;
6) Key replacement, which comprises device root key replacement, device identity key replacement and working key replacement;
7) Key recovery, which comprises device root key recovery, device identity key recovery and working key recovery;
Further, the two ways of storing the working key after generation are:
31) It is encrypted with the SM4 algorithm, using the private key as key, and stored in the FLASH inside the network storage encryption device; when needed it is decrypted again into the CACHE of the network storage encryption device;
32) It is encrypted with the device root key of the encryption card and stored in the FLASH inside the network storage encryption device; when needed it is decrypted again with the device root key into the CACHE of the network storage encryption device;
Further, the key replacement specifically comprises:
Device root key replacement:
611) The device root key is replaced when the network storage encryption device is initialized for the first time;
612) While the public/private key pair and all sensitive information are present in the SRAM of the network storage encryption device, a new device root key is generated and 2 USB Keys are regenerated;
Device identity key replacement: after the user obtains administrator rights, a new public/private key pair is generated through the interface or the command line and overwrites the old pair; the new public key is then exported and a new certificate request file generated, which the Key Management Center signs and issues to each network storage encryption device with a USB Key as carrier; the new key pair is also backed up again;
Working key replacement: the data encrypted on disk under the old key is backed up as plaintext, re-encrypted with the new working key and then stored back to disk;
Further, the key recovery specifically comprises:
71) Device root key recovery: the administrator inserts the 2 USB Keys in turn; the security chip reads the root key components on the USB Key cards into the memory of the network storage encryption device and merges them with the component held on the card to form the plaintext of the device root key;
72) Device identity key recovery: the administrator reads the ciphertext stored on the backup medium into the network storage encryption device; the security chip decrypts it with the SM4 algorithm, using the device root key as decryption key, and stores the result in the corresponding SRAM region;
73) Working key recovery: the administrator reads the ciphertext stored on the backup medium into the network storage encryption device; the security chip decrypts it with the SM4 algorithm, using the device root key as decryption key, and reloads the working key;
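The digital-envelope working-key distribution of step 2, as an added Go example that is not the patent's or the vendor's own code. It assumes RSA-OAEP and RSA-PSS in place of the patent's SM2/SM3 (absent from Go's standard library), SHA-256 as the digest, and a one-time XOR as the KEK wrap, which is a valid cipher here only because the KEK is random, single-use and exactly the 128-bit working key's length; the identity authentication that precedes the exchange is not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const keyLen = 16 // 128-bit working key and KEK, as in the patent

// Envelope is what the KMC sends to a device node.
type Envelope struct {
	WrappedWorkingKey []byte // working key XOR KEK
	EncryptedKEK      []byte // KEK encrypted to the device identity public key (DPK)
	Signature         []byte // KMC signature over the two fields above
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// zeroize overwrites key material that must not outlive the distribution.
func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// envelopeDigest binds the wrapped key and the encrypted KEK under one signature.
func envelopeDigest(wrapped, encKEK []byte) []byte {
	h := sha256.New()
	h.Write(wrapped)
	h.Write(encKEK)
	return h.Sum(nil)
}

// MakeEnvelope is the KMC (initiator) side of step 2.
func MakeEnvelope(kmcPriv *rsa.PrivateKey, devicePub *rsa.PublicKey, workingKey []byte) (*Envelope, error) {
	if len(workingKey) != keyLen {
		return nil, errors.New("working key must be 128 bits")
	}
	kek := make([]byte, keyLen) // fresh KEK for this distribution only
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	defer zeroize(kek) // destroyed once distribution completes, never saved
	wrapped := xorBytes(workingKey, kek) // one-time pad: KEK is random, single-use, same length
	encKEK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, kek, []byte("KEK"))
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, kmcPriv, crypto.SHA256, envelopeDigest(wrapped, encKEK), nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedWorkingKey: wrapped, EncryptedKEK: encKEK, Signature: sig}, nil
}

// OpenEnvelope is the device side: verify the KMC signature before any decryption.
func OpenEnvelope(kmcPub *rsa.PublicKey, devicePriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	digest := envelopeDigest(env.WrappedWorkingKey, env.EncryptedKEK)
	if err := rsa.VerifyPSS(kmcPub, crypto.SHA256, digest, env.Signature, nil); err != nil {
		return nil, fmt.Errorf("envelope not authenticated by KMC: %w", err)
	}
	if len(env.WrappedWorkingKey) != keyLen {
		return nil, errors.New("malformed envelope")
	}
	kek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, devicePriv, env.EncryptedKEK, []byte("KEK"))
	if err != nil {
		return nil, fmt.Errorf("KEK decryption failed: %w", err)
	}
	defer zeroize(kek)
	if len(kek) != keyLen {
		return nil, errors.New("unexpected KEK length")
	}
	return xorBytes(env.WrappedWorkingKey, kek), nil
}

func main() {
	kmc, _ := rsa.GenerateKey(rand.Reader, 2048)
	device, _ := rsa.GenerateKey(rand.Reader, 2048)
	wk := make([]byte, keyLen)
	rand.Read(wk)
	env, _ := MakeEnvelope(kmc, &device.PublicKey, wk)
	got, err := OpenEnvelope(&kmc.PublicKey, device, env)
	fmt.Println("working key delivered:", err == nil && string(got) == string(wk))
}
```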
The beneficial effects of the invention are as follows:
1) A key management scheme partitioned by LUN is used. Different LUNs use different data encryption and decryption keys, so disk data encryption is segregated per LUN; each network storage encryption device holds only the keys associated with the encryption and decryption of its own LUNs, so a security threat to one network storage encryption device affects only the security of the service information associated with that device, and the service information of other users on the network is unaffected;
2) A centralized key maintenance strategy is used, so key management security is controllable. With the remote online key distribution mechanism, key configuration is flexible and convenient, and the encryption system can be deployed and adjusted quickly, securely and reliably;
3) The keys and key parameters in a network storage encryption device can be destroyed remotely, so in an emergency the device can be effectively isolated and the security of the whole storage system ensured;
4) The SM4 standard cipher algorithm approved by the State Cryptography Administration is selected as the core of information encryption and decryption and of storage protection, and system development follows the national commercial cipher equipment development specification;
5) The development of the secrecy system uses security techniques such as device/card-separated boot authentication, encrypted storage of keys and parameters, a dedicated cryptographic algorithm chip, a Linux kernel with dedicated drivers, a dedicated cryptographic service management module and a dedicated key distribution management protocol, so that the secrecy system itself has very strong safeguards and the loss of control of a single device cannot cause fatal damage to the security of the system.
Description of the drawings
Fig. 1 is the hardware architecture diagram of the network storage encryption device described in the invention;
Fig. 2 shows the hierarchical relationship of the key structure described in the invention;
Fig. 3 shows the cryptographic key security system structure of the invention.
Specific embodiments
To make the objectives, technical solutions and advantages of the invention clearer, the invention is explained in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and not to limit it. On the contrary, the invention covers any substitution, modification, equivalent method or scheme defined by the claims within its spirit and scope. Further, to give the public a better understanding of the invention, some specific details are described in the following detailed description; a person skilled in the art can also fully understand the invention without these details.
The invention is further explained below with reference to the drawings and specific examples, which do not limit it. The most preferred embodiment of the invention is given below:
As shown in Figs. 1-2, the invention, based on network storage encryption devices, provides a high-speed network encryption storage key management system, characterized in that the key management system uses four kinds of keys, protected layer by layer, to manage the keys of the devices to be encrypted; management covers generation, distribution, storage, backup, replacement, recovery and destruction. The key management system comprises a device root key, a device identity key, a key-encrypting key and a working key;
Device root key: provides storage encryption protection for key parameters, keys and similar sensitive data;
Device identity key: used for authenticating the device itself and for cryptographically protecting the key-sharing process among cluster devices;
Key-encrypting key: provides encryption protection for the working key during key distribution;
Working key: provides encryption protection for the transmitted service data. After the device root key is generated by the device it is split into three parts, S1, S2 and S3: S1 is burned at production time into the security chip inside the network storage encryption device; S2 is stored in component key1; S3 is stored in component key2. The device identity key is an asymmetric cryptographic algorithm key, namely a public/private key pair with a 256-bit private key and a 512-bit public key; the public key is exported via a USB Key or the configuration management interface, and the private key is stored in the security chip of the network storage encryption device. The key-encrypting key is a 128-bit symmetric block cipher key used to protect the sharing of working keys within the cluster; each time keys are shared with the network storage encryption devices in the cluster it is generated in real time by the initiator's random number generation unit, used after being checked, and destroyed without being saved once key distribution completes. The working key is a 128-bit symmetric block cipher key used to encrypt and decrypt disk data in transit over the Fibre Channel; when the working key is replaced, the data already encrypted on disk is first decrypted with the old working key, re-encrypted with the new working key and stored, and only then is the old working key replaced by the new one. The working key is obtained from the security chip, which takes one random number from each of two WNG9 random number generators and uses the XOR of the two as the LUN's working key; the working key is then encrypted with the device root key and stored in the database.
A high-speed network encryption storage key management method comprises:
1) Key generation: the device root key, the device identity key and the working key are generated by the noise generator of the two security chips in the network storage encryption device;
2) Key distribution: the device root key is not distributed. The device identity key is generated by each network storage encryption device; its private key is never exported, while its public key is exported from the device and used to generate the device's certificate request file, which is carried on an injection Key, signed by the Key Management Center and then issued uniformly to each device node. Working key distribution is initiated by the KMC or by the key-generating end device; after identity authentication, the working key is distributed as a digital envelope protected by a public key signature and by the key-encrypting key;
3) Key storage: the device root key is split into 3 different parts; 1 part is kept in the security chip of the network storage encryption device and the other 2 are encrypted and saved independently on 2 USB Keys. In use the device root key exists only in the SRAM inside the security chip and is lost on power-down. The device identity key, once generated, is encrypted inside the network storage encryption device with the SM4 algorithm, using the device root key as key, and stored in the FLASH of the device's security chip; when used, the security chip decrypts it into its internal SRAM, where it is lost on power-down. The key-encrypting key is used temporarily, destroyed immediately and never saved. The working key is saved after generation in one of two ways;
4) Key use, which comprises device root key use and working key use;
Device root key use steps:
411) Pass user identity authentication: during authentication the user must insert two USB Keys within a five-minute interval;
412) After at least two USB Keys have passed authentication, the root key components on the component Keys are read into the SRAM of the security chip of the network storage encryption device;
413) The plaintext of the device root key is computed by modulo-2 addition of these components with the root key component held inside the network storage encryption device;
414) The recovered device root key is stored at a specific location in the SRAM of the security chip until it is lost on power-down;
415) After injection of the device root key completes, the component Keys may be removed or kept;
Working key use steps:
421) Obtain permission by passing operator identity authentication;
422) Determine the decryption method according to the user's specification;
423) Read the working key ciphertext stored in FLASH into SRAM;
424) Decrypt it with the SM4 algorithm using the device root key as key, or decrypt it with the private key, to obtain the working key plaintext;
425) Store it at a specific location in SRAM until it is lost on power-down;
426) Each reuse requires decrypting again;
5) Key backup:
51) The device root key is split and stored on 2 USB Keys;
52) Device identity key backup: after obtaining administrator authority, the device identity key held by the network storage encryption device is encrypted with the SM4 algorithm, using the device root key in the security chip SRAM as key, and stored on a backup medium; the public key and the private key are saved independently on two backup media;
53) The key-encrypting key is not backed up;
54) Working key backup: after obtaining administrator authority, the working key is encrypted with the SM4 algorithm, using the device root key in the security chip SRAM as key, and stored on a USB Key;
6) Key replacement, which comprises device root key replacement, device identity key replacement and working key replacement;
7) Key recovery, which comprises device root key recovery, device identity key recovery and working key recovery.
The two ways of storing the working key after generation are:
31) It is encrypted with the SM4 algorithm, using the private key as key, and stored in the FLASH inside the network storage encryption device; when needed it is decrypted again into the CACHE of the network storage encryption device;
32) It is encrypted with the device root key of the encryption card and stored in the FLASH inside the network storage encryption device; when needed it is decrypted again with the device root key into the CACHE of the network storage encryption device.
The key replacement specifically comprises:
Device root key replacement:
613) The device root key is replaced when the network storage encryption device is initialized for the first time;
614) While the public/private key pair and all sensitive information are present in the SRAM of the network storage encryption device, a new device root key is generated and 2 USB Keys are regenerated;
Device identity key replacement: after the user obtains administrator rights, a new public/private key pair is generated through the interface or the command line and overwrites the old pair; the new public key is then exported and a new certificate request file generated, which the Key Management Center signs and issues to each network storage encryption device with a USB Key as carrier; the new key pair is also backed up again;
Working key replacement: the data encrypted on disk under the old key is backed up as plaintext, re-encrypted with the new working key and then stored back to disk. The key recovery specifically comprises:
71) Device root key recovery: the administrator inserts the 2 USB Keys in turn; the security chip reads the root key components on the USB Key cards into the memory of the network storage encryption device and merges them with the component held on the card to form the plaintext of the device root key;
72) Device identity key recovery: the administrator reads the ciphertext stored on the backup medium into the network storage encryption device; the security chip decrypts it with the SM4 algorithm, using the device root key as decryption key, and stores the result in the corresponding SRAM region;
73) Working key recovery: the administrator reads the ciphertext stored on the backup medium into the network storage encryption device; the security chip decrypts it with the SM4 algorithm, using the device root key as decryption key, and reloads the working key.
Network storage encryption equipment mentioned in the present invention uses standard cipher algorithm configuration, and (the close office's approval of state uses SM2, SM3, SM4 algorithm), the cryptographic key security system of three-level key structure, network storage encryption equipment is the rack of 2U height Formula equipment, main body are data processing FPGA and configuration management CPU, in addition, further including power module, blower module and monitoring mould Block.Its hardware composition is as shown in Figure 1.Key management system of the present invention devises business datum Encryption Algorithm, digital signature Algorithm, storage protection Encryption Algorithm and key distribute Encryption Algorithm.Wherein business datum Encryption Algorithm is realized using SM4 algorithm, Block length is 128bit, and key length is 128bi t;Digital Signature Algorithm uses SM2, SM3 algorithm to realize jointly, public and private key It is respectively 512 and 256bit to length;Storage protection Encryption Algorithm is using the realization of SM4 algorithm, grouping algorithm key length 128bi t;Key distributes Encryption Algorithm and uses SM2, SM3 and SM4 algorithm is realized, public private key pair length is respectively 512 and 256bit, grouping Length is 128bit, key length 128bit.Entire cryptographic key security system has used 4 kinds of keys:
Device root key (DRK): the management key, used for the encrypted storage protection of the other keys in the device; one per device.
Device identity private key (DSK): used for authenticating the device itself and for cryptographically protecting the remote key distribution procedure; one per device.
Device identity public key (DPK): used for authenticating the device itself and for cryptographically protecting the remote key distribution procedure; one per device.
Key-encrypting key (KEK): protects the encrypted transmission of keys; generated by the random number generator.
LUN block key (LBK): the working key, i.e. the session key, used for the cryptographic protection (SM4 algorithm) of data stored on disk; one per LUN.
The structure and hierarchical relationship of the key security system of the encryption module are shown in Figure 3.
The main functions of the network storage encryption device are: decrypting the data that application servers read from the RAID, encrypting the data that application servers write to the disk array, and accepting unified management by the Key Management Center. The functions of the Key Management Center are as follows.
To ensure that the network storage encryption device can always complete every cryptographic service task reliably, stably, quickly and efficiently in a secure and attack-resistant environment, the key configuration and key use of the network storage encryption device must be designed and implemented comprehensively from the standpoint of overall system security, while taking into account the characteristics and requirements of enterprise users' network information systems.
In view of its application field and operating environment, the network storage encryption device uses a comparatively complete key structure, configuration and management scheme.
The key management module of the present invention includes:
1) Device root key
A 128-bit symmetric cipher key used with the SM4 algorithm to encrypt the sensitive data stored in the FLASH of the network storage encryption device, such as the device identity key and the LUN working keys. After being generated by the device, the device root key is divided into three parts S1, S2, S3: S1 is burned into the security chip inside the network storage encryption device during production, S2 is stored on component Key1 and S3 on component Key2. If the device root key needs to be updated, it must be ensured that the device identity key, all working keys and other sensitive information have first been decrypted into the SRAM of the network storage encryption device and re-encrypted with the new device root key; only then are the old root key components deleted.
Table 1: key types and purposes
2) Device identity key
An asymmetric cipher key. The device identity key of the network storage encryption device is a public/private key pair (private key 256 bits, public key 512 bits) using the SM2 algorithm, used for authenticating the device itself and for encrypting the key-encrypting key when working keys are shared remotely within the cluster.
The device identity key pair is generated by the device. The public key can be exported via a USB Key or the configuration management interface; the private key can never leave the network storage encryption device and is stored only in its security chip. Each network storage encryption device and its identity key are independent of, and different from, those of every other device.
3) Key-encrypting key
A 128-bit symmetric block cipher key using the SM4 algorithm, used to encrypt and decrypt working keys when they are shared within the cluster.
A key-encrypting key is created only when keys are shared with the network storage encryption devices in the cluster: it is generated in real time by the initiator's random number generation unit, used after passing the randomness checks, and destroyed, never saved, once the key distribution is complete.
4) Working key
A 128-bit symmetric block cipher key using the SM4 algorithm, used to encrypt and decrypt disk data during transmission over Fibre Channel. Each LUN uses a different working key, and each sector also uses a different working key. Because of the special nature of storage encryption, a working key cannot be changed at will: when a user needs to change a working key, the data already encrypted on disk must first be decrypted with the old working key and stored again after re-encryption with the new working key; only then can the new working key replace the old one. The working key table of the network storage encryption device can store the ciphertext of 1024 working keys.
A working key of the network storage encryption device can be generated by the device itself or injected through a key-injection Key. When the user adds a disk array LUN, the encryption device calls the key acquisition interface of the security chip; the security chip obtains two random numbers from two WNG9 random number generators, takes their exclusive-or as the LUN's working key, encrypts it with the device root key, returns the ciphertext to the encryption device, and the ciphertext is finally stored in the database.
2 Hierarchical relationship
The hierarchical relationship of the key structure used by the network storage encryption device is shown in Figure 2.
The keys of the network storage encryption device are protected level by level:
1) The device root key is backed up and restored by secret splitting. Physically it exists in 3 parts: 1 part stored in the security chip of the network storage encryption device, 1 part on component Key1 and 1 part on component Key2. In normal operation the device root key exists in plaintext only in the SRAM of the security chip and is lost on power-down; reloading the device root key requires inserting the correct component Keys;
2) The device identity key is kept in the FLASH of the security chip of the network storage encryption device. When it is needed it is read from the FLASH of the security chip into the SRAM of the security chip, where it is lost on power-down;
3) When a working key is shared, the key-encrypting key encrypts the working key; at the same time the public key of the device identity key encrypts the key-encrypting key, and both ciphertexts are distributed together, as a digital envelope, to the network storage encryption devices in the cluster.
The working key exists in ciphertext form in the FLASH of the network storage encryption device. On use the ciphertext is read from FLASH and decrypted with the device root key as key; the decrypted plaintext is configured into the SRAM of the FPGA and used there, and it is lost on power-down.
Configuration design
The key configuration in the network storage encryption device is summarised in Table 2.
The device identity public/private key pair and the root key are configured separately for each network storage encryption device and differ from those of the other network storage encryption devices; working keys are configured per LUN, and every LUN's working key is different.
Management scheme
The key management scheme of the network storage encryption device (covering generation, distribution, storage, backup, replacement, recovery and destruction) is shown in Table 4.
Table 3: key management
Key generation
The device root key, device identity key and working key are keys that protect data, so their general properties such as randomness are very important: their randomness, non-repeatability and unpredictability must be guaranteed. We mainly adopt the scheme of generating keys with the noise generators of the dual-safety-mechanism chip in the network storage encryption device, and use the output to generate the various keys only after it passes statistical testing.
The device root key is generated when the network storage encryption device makes its USB Keys: three 16-byte random numbers are taken from each of the two WNG9 noise generators and exclusive-ored to obtain the 3 components of the device root key, which are temporarily held in the SRAM of the security chip. Then 2 USB Keys must be made: 1 component is kept in the FLASH of the security chip, and the other 2 components are written to the 2 USB Keys, which are the only non-volatile carriers of the device root key. Before the network storage encryption device leaves the factory, one root key is generated, split and stored in the 3 locations as the factory root key. When the user uses the network storage encryption device for the first time, the user obtains administrator rights through the 2 USB Keys, generates a new device root key, wipes the 2 factory USB Keys, and saves the split factors of the new device root key to the 2 USB Keys. The factory root key becomes invalid immediately.
The device identity key is generated inside the network storage encryption device, in the security chip certified by the State Cryptography Administration, using the SM2 algorithm; it is encrypted with the root key and stored in the FLASH of the security chip in the network storage encryption device. The public key can be exported; after export it is used to generate the device's certificate request, which, after being signed and issued by the Key Management Center, is distributed uniformly to each device node.
The key-encrypting key and the working key can be generated by the network storage encryption device or by the KMC; the specific arrangement is determined by the application design. A generated key may be used only after it passes the randomness test and the repeatability check.
Key distribution
The device root key is generated when the network storage encryption device makes its USB Keys and does not need to be distributed. The device identity key is generated by each network storage encryption device; the private key cannot be exported, while the public key, after export from the network storage encryption device, is used to generate the device's certificate request file, which is signed and issued by the Key Management Center and then distributed uniformly to each device node with a key-injection Key as carrier. Working key distribution is initiated by the KMC or by the device that generated the key and, on the premise of identity authentication, is carried out in the form of a digital envelope, protected by a public key signature and the key-encrypting key.
Key storage
The device root key is split into 3 different parts: 1 part is kept in the security chip of the network storage encryption device and the other 2 parts are encrypted and stored on 2 USB Keys, which are required to be kept separately. When in use, the device root key exists in the internal SRAM of the security chip and is lost on power-down.
Once generated, the device identity key is immediately encrypted inside the network storage encryption device with the SM4 algorithm using the device root key as key, and the ciphertext is stored in the FLASH inside the security chip of the network storage encryption device. When used, the security chip decrypts the device identity key into its internal SRAM, where it is lost on power-down.
The key-encrypting key is used temporarily, destroyed immediately and never saved.
After generation, a working key is saved in one of two modes selectable by the user:
encrypted with the SM4 algorithm using the private key as key and stored in the FLASH inside the network storage encryption device, then decrypted into the CACHE of the network storage encryption device when needed;
encrypted with the device root key of the encryption card and stored in the FLASH inside the network storage encryption device, then decrypted with the device root key into the CACHE of the network storage encryption device when needed.
Key use
Steps for using the device root key:
1) User identity authentication must be passed first: during authentication the user needs to insert the two USB Keys within a five-minute interval;
2) After at least two USB Keys pass authentication, the root key components on the component Keys are read into the SRAM of the security chip of the network storage encryption device;
3) Together with the root key component held inside the network storage encryption device, the plaintext of the device root key is computed by mod-2 addition;
4) After recovery, the device root key remains stored at a specific location in the SRAM of the security chip until it is lost on power-down; the next use requires it to be reloaded;
5) After the injection of the device root key is complete, the component Keys can be removed and kept in safekeeping;
Steps for using the device identity key:
1) Obtain permission by identity authentication with the two USB Keys;
2) Read the device identity key stored in the FLASH of the security chip into the SRAM of the security chip;
3) After reading, the device identity key is stored at a specific location in the SRAM of the security chip until it is lost on power-down; the next use requires it to be read again;
4) After device identity key authentication is complete, the component Keys can be removed and kept in safekeeping.
Steps for using the working key:
1) Obtain permission after operator identity authentication;
2) Determine which decryption mode to use according to the user's specification;
3) Read the working key ciphertext stored in FLASH into SRAM;
4) Decrypt to obtain the working key plaintext, either with the SM4 algorithm using the device root key as key or with the private key;
5) Store it at a specific location in SRAM until it is lost on power-down; the next use requires decrypting it again.
Key backup
Backup of the network storage encryption device mainly refers to backing up the key information in the FLASH that stores keys and protective data in the network storage encryption device. Backup is extremely important for the continuity of the business system, and the network storage encryption device supports backing up its internal information to other media (USB Key). Backup of the network storage encryption device must be carried out by the administrator of the device in system maintenance mode, and the backup medium must be kept by a designated person.
The root key is stored in split form on the 2 USB Keys and has no other backup.
Backing up the device identity key requires administrator rights: the device identity key stored in the network storage encryption device is encrypted with the SM4 algorithm using the device root key in the SRAM of the security chip as key, and the ciphertext is stored on the backup medium. When backing up, the public key and the private key must be kept separately on two backup media.
The key-encrypting key is not backed up.
The working key is the key that decrypts the disk data and must be backed up; otherwise, if the working key in use is destroyed or its file is corrupted, the user's disk data cannot be recovered. Backing up requires administrator rights: the working key is encrypted with the SM4 algorithm using the device root key in the SRAM of the security chip as key and stored on a USB Key.
Keys can be backed up on a schedule or irregularly as needed.
Key replacement
The device root key is generated when the network storage encryption device is produced and, once written, cannot be read from outside. When the user initialises the network storage encryption device for the first time, the device root key needs to be regenerated to replace the factory device root key; afterwards it may be left unchanged. If the device root key must be replaced, it must be ensured that the public/private key pair and all sensitive information are present in the SRAM of the network storage encryption device; then the device root key is regenerated and the 2 USB Keys are regenerated.
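The root key replacement order described above, together with the per-LUN working key generation from two noise sources and the DRK-wrapped working key table, as an added example that is not the patent's own code. It assumes an HMAC-SHA256 stand-in in place of SM4, os.urandom in place of the two WNG9 generators, and plain Python objects in place of the chip FLASH and USB Keys.

```python
"""Added example, not the patent's own code: the three-component device root
key (DRK) of the scheme above, and the DRK-wrapped working-key table that
has to be re-wrapped before the old DRK components are wiped.
Assumptions, not from the page: SM4 is replaced by a keyed HMAC-SHA256
stand-in (the standard library has no SM4), the two WNG9 noise generators
are modelled by os.urandom, and FLASH/USB Keys are plain Python objects.
"""
import hashlib
import hmac
import os

KEY_LEN = 16  # 128-bit keys throughout, as in the patent
TAG_LEN = 32  # HMAC-SHA256 tag on every stored ciphertext


def xor(a: bytes, b: bytes) -> bytes:
    """Mod-2 addition of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def dual_source_random() -> bytes:
    """The page's rule: XOR the outputs of two independent noise generators
    (two os.urandom draws stand in for the two WNG9 sources)."""
    return xor(os.urandom(KEY_LEN), os.urandom(KEY_LEN))


def generate_root_key_components():
    """Three 16-byte components with DRK = S1 xor S2 xor S3: S1 stays in the
    security chip, S2 and S3 go onto the two USB Keys."""
    return dual_source_random(), dual_source_random(), dual_source_random()


def recover_root_key(chip_component: bytes, usb_key1: bytes, usb_key2: bytes) -> bytes:
    """Recombine by mod-2 addition; the result lives only in SRAM (a local
    variable here) and is never written to FLASH."""
    return xor(xor(chip_component, usb_key1), usb_key2)


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for SM4 storage protection under the DRK: random IV,
    HMAC-derived keystream (so at most 32 bytes), HMAC tag over IV+ciphertext."""
    if len(plaintext) > TAG_LEN:
        raise ValueError("stand-in wrap handles at most 32 bytes")
    iv = os.urandom(KEY_LEN)
    stream = hmac.new(key, b"stream" + iv, hashlib.sha256).digest()
    body = iv + xor(plaintext, stream[: len(plaintext)])
    return body + hmac.new(key, b"tag" + body, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Rejects, rather than returning garbage, under a wrong DRK."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong root key or corrupted ciphertext")
    iv, ct = body[:KEY_LEN], body[KEY_LEN:]
    stream = hmac.new(key, b"stream" + iv, hashlib.sha256).digest()
    return xor(ct, stream[: len(ct)])


class WorkingKeyTable:
    """FLASH-resident table of DRK-wrapped LUN working keys (1024 entries max)."""
    CAPACITY = 1024

    def __init__(self):
        self._entries = {}  # LUN id -> working key ciphertext under the DRK

    def add_lun(self, lun_id: int, drk: bytes) -> None:
        """New LUN: working key = XOR of two noise-source outputs, kept only
        as ciphertext under the current DRK."""
        if lun_id in self._entries:
            raise KeyError("LUN already has a working key; replace it instead")
        if len(self._entries) >= self.CAPACITY:
            raise RuntimeError("working key table is full")
        self._entries[lun_id] = wrap(drk, dual_source_random())

    def load_working_key(self, lun_id: int, drk: bytes) -> bytes:
        """Decrypt into 'SRAM' (the caller's memory); never persisted in clear."""
        return unwrap(drk, self._entries[lun_id])

    def rewrap_all(self, old_drk: bytes, new_drk: bytes) -> None:
        """Every entry is decrypted under the old DRK and re-encrypted under
        the new one; the old components may be wiped only after this."""
        self._entries = {lun: wrap(new_drk, unwrap(old_drk, ct))
                         for lun, ct in self._entries.items()}


def replace_root_key(table, chip_component, usb_key1, usb_key2):
    """The page's replacement order: recover the old DRK into SRAM, generate
    new components, re-wrap everything it protects, then hand back the new
    components for the chip and the two USB Keys (which replace the old ones)."""
    old_drk = recover_root_key(chip_component, usb_key1, usb_key2)
    new_s1, new_s2, new_s3 = generate_root_key_components()
    table.rewrap_all(old_drk, recover_root_key(new_s1, new_s2, new_s3))
    return new_s1, new_s2, new_s3
```

After replace_root_key returns, the old USB Key contents no longer open any table entry, which is the check a practitioner should run before wiping them.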
The device identity key is replaced manually by the user after it exceeds its usage period: the user first obtains administrator rights, regenerates a new public/private key pair through the interface or the command line, overwriting the old pair, then exports the new public key to generate a new certificate request file, which, after being signed and issued by the Key Management Center, is distributed to each network storage encryption device with a USB Key as carrier. At the same time, the new key pair must also be backed up again.
The working key is updated manually by the user: before the update, the data originally encrypted on disk must be backed up as plaintext, then re-encrypted with the new working key into ciphertext and stored back on disk.
Key recovery
Device root key recovery: the administrator inserts the 2 USB Keys in turn; the security chip reads the root key components on the USB Key cards into the memory of the network storage encryption device and merges them with the component held in the chip to form the plaintext of the device root key.
Device identity key recovery: the administrator reads the ciphertext stored on the backup medium into the network storage encryption device; the security chip, using the device root key as decryption key and the SM4 algorithm, decrypts the ciphertext inside the network storage encryption device and stores it in the corresponding SRAM region for use.
Working key recovery: the administrator reads the ciphertext stored on the backup medium into the network storage encryption device; the security chip, using the device root key as decryption key and the SM4 algorithm, re-downloads the working key, which thereby becomes usable again.
Besides the cryptographic algorithms specified by the State Cryptography Administration, the multi-level key configuration and the key-splitting implementation, the network storage encryption device is also designed with multiple security protection mechanisms to ensure the security of communication data and of the system itself.
The encryption/decryption point of the network storage encryption device is embedded in the FC data frames between the initiator and the target of the storage system, so effective confidentiality protection can be applied to the transmission of all FC data frames on a link.
A key management and allocation scheme partitioned by LUN is used. Different LUNs use different data encryption/decryption keys, which ensures that disk data encryption is partitioned by LUN; each network storage encryption device holds only the keys associated with the encryption and decryption of its own LUNs, so a security threat to one network storage encryption device affects only the security of the business information associated with that device, and the security of other users' business information across the network is unaffected.
A centralised key maintenance strategy is used, so key management security is controllable. A remote online key distribution mechanism is used, so key configuration is flexible and convenient, and the encryption system can be deployed and adjusted quickly, securely and reliably.
The system is able to remotely destroy the keys and key parameters in a network storage encryption device, so that in an emergency the device can be effectively isolated, ensuring the security of the whole storage system. The SM4 standard cipher approved for use by the State Cryptography Administration is chosen as the core carrier of information encryption/decryption and storage protection, and system development is carried out according to the national commercial cryptographic equipment development specifications. In the development of the secrecy system, security techniques such as separate machine/card boot authentication, encrypted storage protection of keys and parameters, a dedicated cryptographic algorithm chip, a security-customised Linux kernel with dedicated drivers and a dedicated system service management module, and a dedicated key distribution management protocol are used, so that the secrecy system itself has very strong security safeguards and the loss of control of an individual device will not cause fatal damage to the security of the system.
The embodiment described above is only one preferred specific embodiment of the present invention; the usual variations and substitutions made by those skilled in the art within the scope of the technical solution of the present invention should all be included within the scope of protection of the present invention.

Claims (8)

1. A high speed network encryption storage key management method, characterised in that the method includes:
1) key generation: the device root key, device identity key and working key are generated by the noise generator of the dual-safety-mechanism chip in the network storage encryption device;
2) key distribution: the device root key is not distributed; the device identity key is generated by each network storage encryption device, the private key is not exported, and the certificate request file of the device, generated from the public key after its export from the network storage encryption device, is signed and issued by the Key Management Center and then distributed uniformly to each device node with a key-injection Key as carrier; working key distribution is initiated by the KMC or by the device that generated the key and, on the premise of identity authentication, is carried out in the form of a digital envelope protected by a public key signature and the key-encrypting key;
3) key storage: the device root key is split into 3 different parts, 1 part kept in the security chip of the network storage encryption device and the other 2 device root key components kept separately on 2 USB Keys; when in use, the device root key exists in the internal SRAM of the security chip and is lost on power-down; the device identity key, once generated, is encrypted in the network storage encryption device with the SM4 algorithm using the device root key as key and stored in the FLASH inside the security chip of the network storage encryption device; when used, the security chip decrypts the device identity key into its internal SRAM, where it is lost on power-down;
the key-encrypting key is used temporarily, destroyed immediately and not saved;
the working key is saved after generation in one of the following two modes:
first, encrypted with the SM4 algorithm using the private key as key and stored in the FLASH inside the network storage encryption device, then decrypted into the CACHE of the network storage encryption device when needed;
second, encrypted with the device root key and stored in the FLASH inside the network storage encryption device, then decrypted with the device root key into the CACHE of the network storage encryption device when needed;
4) key use: key use includes device root key use and working key use;
the steps for using the device root key are:
411) pass user identity authentication: during authentication the user needs to insert two USB Keys within a five-minute interval;
412) after at least two USB Keys pass authentication, the root key components on the component Keys are read into the SRAM of the security chip of the network storage encryption device;
413) together with the root key component held inside the network storage encryption device, the plaintext of the device root key is computed by mod-2 addition;
414) after recovery, the device root key is stored at a specific location in the SRAM of the security chip until it is lost on power-down;
415) after the injection of the device root key is complete, the component Keys are removed and kept in safekeeping;
the steps for using the working key are:
421) obtain permission after operator identity authentication;
422) determine the decryption mode according to the user's specification;
423) read the working key ciphertext stored in FLASH into SRAM;
424) decrypt to obtain the working key plaintext, either with the SM4 algorithm using the device root key as key or with the private key;
425) store it at a specific location in the CACHE of the network storage encryption device until it is lost on power-down;
426) reuse requires decrypting it again;
5) key backup:
51) the device root key is not backed up;
53) the key-encrypting key is not backed up;
54) the working key, after administrator rights are obtained, is encrypted with the SM4 algorithm using the device root key in the SRAM of the security chip as key and stored on a USB Key;
6) key replacement, including device root key replacement, device identity key replacement and working key replacement;
7) key recovery, including device root key recovery, device identity key recovery and working key recovery.
2. The key management method according to claim 1, characterised in that the key replacement specifically includes: device root key replacement:
611) the device root key is replaced when the network storage encryption device is initialised for the first time;
612) when the public/private key pair and all sensitive information are present in the SRAM of the network storage encryption device, the device root key is regenerated and 2 USB Keys are regenerated; device identity key replacement: after the user obtains administrator rights, a new public/private key pair is generated through the interface or the command line, overwriting the old pair; the new public key is then exported to generate a new certificate request file, which, after being signed and issued by the Key Management Center, is distributed to each network storage encryption device with a USB Key as carrier, and the new key pair is also backed up again; working key replacement: the data originally encrypted on disk is backed up as plaintext, then re-encrypted with the new working key into ciphertext and stored on disk.
3. The key management method according to claim 1, characterised in that the key recovery specifically includes:
71) device root key recovery: the administrator inserts the 2 USB Keys in turn; the security chip reads the root key components on the USB Key cards into the memory of the network storage encryption device and merges them with the component in the security chip of the network storage encryption device to form the plaintext of the device root key;
72) device identity key recovery: the administrator reads the ciphertext stored on the backup medium into the network storage encryption device; the security chip, using the device root key as decryption key and the SM4 algorithm, decrypts the ciphertext inside the network storage encryption device and stores it in the corresponding SRAM region;
73) working key recovery: the administrator reads the ciphertext stored on the backup medium into the network storage encryption device; the security chip, using the device root key as decryption key and the SM4 algorithm, re-downloads the working key.
4. The key management method according to claim 3, characterised in that the key management system managed by the key management method includes a device root key, a device identity key, a key-encrypting key and a working key;
the device root key is used to realise the encrypted storage protection of key parameters and keys;
the device identity key is used for authenticating the device itself and provides cryptographic protection for the key sharing process among cluster devices;
the key-encrypting key is used to realise the encryption protection of the working key in the key distribution process;
the working key is used to realise the encryption protection of business data during transmission.
5. The key management method according to claim 4, characterised in that the device root key, after being generated by the device, is divided into three parts S1, S2, S3, wherein S1 is burned into the security chip inside the network storage encryption device during production, S2 is stored on component Key1 and S3 is stored on component Key2.
6. The key management method according to claim 4, characterised in that the device identity key is an asymmetric cipher key, the asymmetric cipher key being a public/private key pair in which the private key length is 256 bits and the public key length is 512 bits; the public key is exported via a USB Key or the configuration management interface, and the private key is stored in the security chip in the network storage encryption device.
7. The key management method according to claim 5, characterised in that the key-encrypting key is a 128-bit symmetric block cipher key used for encrypting and decrypting working keys when they are shared within the cluster; each time keys are shared with the network storage encryption devices in the cluster, the key-encrypting key is generated in real time by the initiator's random number generation unit, used after passing the checks, and destroyed, not saved, as soon as the key distribution is complete.
8. The key management method according to claim 5, characterised in that the working key is a 128-bit symmetric block cipher key used for encrypting and decrypting disk data during transmission over Fibre Channel; when a working key is changed, the data already encrypted on disk is first decrypted with the old working key and stored again after re-encryption with the new working key, and only then does the new working key replace the old one; the working key is obtained from the security chip, which obtains two random numbers from two WNG9 random number generators, takes their exclusive-or as the LUN's working key, encrypts it with the device root key and stores it in the FLASH inside the network storage encryption device.
Application CN201610666670.6A (CN106330868B), priority date 2016-08-14, filing date 2016-08-14: A kind of high speed network encryption storage key management system and method. Status: Active.

Publications: CN106330868A (en), published 2017-01-11; CN106330868B (en), published 2019-11-26.

Family ID: 57739521. Country status: CN, CN106330868B (en).

CN114785503B (en) * 2022-06-16 2022-09-23 北京智芯半导体科技有限公司 Cipher card, root key protection method thereof and computer readable storage medium
CN114978774B (en) * 2022-07-28 2022-10-04 四川九洲空管科技有限责任公司 Multi-level key management method based on nested protection structure
CN115348016A (en) * 2022-08-29 2022-11-15 南方电网科学研究院有限责任公司 Electric automobile charging network password management system
CN116055048B (en) * 2023-03-31 2023-05-30 成都四方伟业软件股份有限公司 Method and device for storing and restoring scattered keys
CN116400199B (en) * 2023-06-05 2023-09-15 中国汽车技术研究中心有限公司 Chip clock burr fault injection cross-validation test method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101841412A (en) * 2010-04-09 2010-09-22 兰州韦尔斯信息科技有限公司 Method and device for encrypting network environment of storage domain
CN101986596A (en) * 2010-10-21 2011-03-16 无锡江南信息安全工程技术中心 Key management mechanism
US8111828B2 (en) * 2007-07-31 2012-02-07 Hewlett-Packard Development Company, L.P. Management of cryptographic keys for securing stored data
US8590042B2 (en) * 2008-01-31 2013-11-19 Hitachi, Ltd. Storage system, and encryption key management method and encryption key management program thereof
CN105656621A (en) * 2014-11-12 2016-06-08 江苏威盾网络科技有限公司 Safety management method for cryptographic device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research and Design of the Key Management System for FC Encrypted Storage Switches; Huang Rong; China Master's Theses Full-text Database, Information Science and Technology Section; 20111215; pp. 5-7, 35 *

Also Published As

Publication number Publication date
CN106330868A (en) 2017-01-11

Similar Documents

Publication Publication Date Title
CN106330868B (en) A kind of high speed network encryption storage key management system and method
US10148431B2 (en) Master key generation and distribution for storage area network devices
CN101159556B (en) Group key server based key management method in sharing encryption file system
Blaze Key Management in an Encrypting File System.
CN100464549C (en) Method for realizing data safety storing business
CN105656864B (en) Key management system and management method based on TCM
CN111143870B (en) Distributed encryption storage device, system and encryption and decryption method
CN105681031B (en) A kind of storage encryption gateway key management system and method
CN109561047A (en) Encryption data storage system and method based on the storage of key strange land
US20090252330A1 (en) Distribution of storage area network encryption keys across data centers
CN102567688B (en) File confidentiality keeping system and file confidentiality keeping method on Android operating system
CN104618096B (en) Protect method, equipment and the TPM key administrative center of key authorization data
WO2020192285A1 (en) Key management method, security chip, service server and information system
CN105426775A (en) Method and system for protecting information security of smartphone
US9071589B1 (en) Encryption key management for storage area network devices
CN108537537A (en) A kind of safe and reliable digital cash Wallet System
CN112787996B (en) Password equipment management method and system
WO2017126571A1 (en) Ciphertext management method, ciphertext management device, and program
CN107911221A (en) The key management method of solid-state disk data safety storage
CN117459275A (en) Data processing method, device and medium based on commercial passwords
CN103577771A (en) Virtual desktop data leakage-preventive protection technology on basis of disk encryption
CN110457924A (en) Storing data guard method and device
CN109726583A (en) Cloud data base encryption server system
CN115412236A (en) Method for key management and password calculation, encryption method and device
CN115913560A (en) Confidential paper authorization and use system

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right
    Denomination of invention: A high speed network encryption storage key management system and method
    Effective date of registration: 20210312
    Granted publication date: 20191126
    Pledgee: Beijing Yanhong Financing Guarantee Co.,Ltd.
    Pledgor: BEIJING SHUDUN INFORMATION TECHNOLOGY Co.,Ltd.
    Registration number: Y2021990000232
PC01 Cancellation of the registration of the contract for pledge of patent right
    Date of cancellation: 20220325
    Granted publication date: 20191126
    Pledgee: Beijing Yanhong Financing Guarantee Co.,Ltd.
    Pledgor: BEIJING SHUDUN INFORMATION TECHNOLOGY CO.,LTD.
    Registration number: Y2021990000232
CP02 Change in the address of a patent holder
    Address after: 100000 901, Floor 9, Building 7, Yard 8, Auto Museum East Road, Fengtai District, Beijing
    Patentee after: BEIJING SHUDUN INFORMATION TECHNOLOGY CO.,LTD.
    Address before: Room 101-502, 5 / F, building 10, courtyard 3, fengxiu Middle Road, Haidian District, Beijing 100083
    Patentee before: BEIJING SHUDUN INFORMATION TECHNOLOGY CO.,LTD.