CN106712932B - Key management method, apparatus and system - Google Patents

Publication number: CN106712932B
Authority: CN (China)
Prior art keywords: key, session, client, ciphertext, identification
Legal status: Active
Application number: CN201610579122.XA
Other languages: Chinese (zh)
Other versions: CN106712932A (en)
Inventor: 陈凯
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd

Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201610579122.XA
Publication of CN106712932A
Priority to PCT/CN2017/091646 (WO2018014723A1)
Application granted
Publication of CN106712932B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Abstract

The invention discloses a key management method, apparatus and system, belonging to the field of information security technology. The method includes: the client generates a temporary key, encrypts the temporary key with the public key provided by the background server to obtain a first ciphertext, and sends the first ciphertext to the background server; the background server decrypts the first ciphertext with the private key corresponding to the public key to obtain the temporary key, obtains a session key and a key identification, encrypts the session key and the key identification with the temporary key to obtain a second ciphertext, and sends the second ciphertext to the client; the client decrypts the second ciphertext with the temporary key to obtain the session key and the key identification. The key identification identifies the session key, and the session key is used to encrypt the data of the session. While balancing key security against encryption and decryption efficiency, the invention also simplifies key management on the background server and saves the background server's processing and storage resources.

Description

Key management method, apparatus and system
Technical field
The present invention relates to the field of information security technology, and in particular to a key management method, apparatus and system.
Background
Currently, data encryption falls into two classes: symmetric encryption (symmetric cryptography) and asymmetric encryption (asymmetric cryptography).
Symmetric encryption is a fast, simple approach in which encryption and decryption use the same secret key. It usually uses a relatively small key, generally less than 256 bits. The larger the key, the stronger the encryption, but the slower the encryption and decryption process, so the key size is a trade-off between security and efficiency. A typical example is AES (Advanced Encryption Standard), also known in cryptography as the Rijndael cipher. For a 256-byte plaintext, the estimated speed is about 900,000 operations per second. Because encryption and decryption use the same key, the advantage of symmetric encryption is speed; its disadvantage is that the two communicating parties must agree on the key in advance, and if the key is transmitted over the network its security cannot be guaranteed.
Asymmetric encryption provides a very secure method for encrypting and decrypting data. It uses a pair of keys: a public key and a private key. The private key is kept by one party only and must not be leaked, while the public key can be issued to any party that requests it. Asymmetric encryption usually encrypts with the public key and decrypts with the private key. Unlike symmetric encryption, the private key is never transmitted over the network, so security is improved. A commonly used asymmetric algorithm today is RSA (Rivest Shamir Adleman, a public-key encryption algorithm). The advantage of asymmetric encryption is high security; its disadvantage is that encryption and decryption are slow. For a 1024-bit key, the estimated decryption speed is 1000-1400 operations per second, varying slightly with hardware.
For these reasons, the data to be transmitted is encrypted and decrypted with symmetric encryption, while the key used for symmetric encryption is transmitted using asymmetric encryption. This ensures that the symmetric key is never directly exposed on the network while keeping encryption and decryption efficient. Specifically, in the prior art, one communicating party first generates a random number as the symmetric key, encrypts the symmetric key with the public key provided by the peer, and sends the encrypted symmetric key to the peer; the peer decrypts the encrypted symmetric key with the private key corresponding to that public key and obtains the symmetric key. Afterwards, the two parties use the symmetric key to encrypt and decrypt the data transmitted between them.
In some current business scenarios that use the C/S (Client/Server) architecture, the number of daily active clients can reach tens of millions or even hundreds of millions, and the number of sessions between clients and the server is enormous. As a result, the server has to spend a large amount of resources managing symmetric keys.
Summary of the invention
To solve the prior-art problem that the server has to spend a large amount of resources managing symmetric keys, embodiments of the present invention provide a key management method, apparatus and system. The technical solution is as follows:
In a first aspect, a key management method is provided, the method comprising:
generating a temporary key;
encrypting the temporary key with the public key provided by the background server to obtain a first ciphertext;
sending an authentication request to the background server, the authentication request carrying the first ciphertext;
receiving the authentication response sent by the background server, the authentication response carrying a second ciphertext, the second ciphertext being obtained by encrypting a session key and a key identification with the temporary key; wherein the temporary key is obtained by the background server by decrypting the first ciphertext with the private key corresponding to the public key when, after obtaining the globally unique identifier (GUID) of the device on which the client runs, it detects that the number of authentication requests corresponding to the GUID is less than a preset threshold; the key identification identifies the session key, and the session key is used to encrypt the data of the session;
decrypting the second ciphertext with the temporary key to obtain the session key and the key identification.
In a second aspect, a key management method is provided, the method comprising:
receiving the authentication request sent by the client, the authentication request carrying a first ciphertext, the first ciphertext being obtained by encrypting a temporary key with the public key provided by the local end;
obtaining the globally unique identifier (GUID) of the device on which the client runs;
obtaining the number of authentication requests corresponding to the GUID;
if the number of authentication requests is less than a preset threshold, decrypting the first ciphertext with the private key corresponding to the public key to obtain the temporary key;
obtaining a session key and a key identification, wherein the key identification identifies the session key, and the session key is used to encrypt the data of the session;
encrypting the session key and the key identification with the temporary key to obtain a second ciphertext;
sending an authentication response to the client, the authentication response carrying the second ciphertext.
In a third aspect, a key management apparatus is provided, the apparatus comprising:
a key generation module, configured to generate a temporary key;
a first encryption module, configured to encrypt the temporary key with the public key provided by the background server to obtain a first ciphertext;
a request sending module, configured to send an authentication request to the background server, the authentication request carrying the first ciphertext;
a response receiving module, configured to receive the authentication response sent by the background server, the authentication response carrying a second ciphertext, the second ciphertext being obtained by encrypting a session key and a key identification with the temporary key; wherein the temporary key is obtained by the background server by decrypting the first ciphertext with the private key corresponding to the public key when, after obtaining the globally unique identifier (GUID) of the device on which the client runs, it detects that the number of authentication requests corresponding to the GUID is less than a preset threshold; the key identification identifies the session key, and the session key is used to encrypt the data of the session;
a first decryption module, configured to decrypt the second ciphertext with the temporary key to obtain the session key and the key identification.
In a fourth aspect, a key management apparatus is provided, the apparatus comprising:
a request receiving module, configured to receive the authentication request sent by the client, the authentication request carrying a first ciphertext, the first ciphertext being obtained by encrypting a temporary key with the public key provided by the local end;
an identifier obtaining module, configured to obtain the globally unique identifier (GUID) of the device on which the client runs;
a count obtaining module, configured to obtain the number of authentication requests corresponding to the GUID;
a second decryption module, configured to decrypt the first ciphertext with the private key corresponding to the public key to obtain the temporary key when the number of authentication requests is less than a preset threshold;
a key obtaining module, configured to obtain a session key and a key identification, wherein the key identification identifies the session key, and the session key is used to encrypt the data of the session;
a second encryption module, configured to encrypt the session key and the key identification with the temporary key to obtain a second ciphertext;
a response sending module, configured to send an authentication response to the client, the authentication response carrying the second ciphertext.
In a fifth aspect, a key management system is provided, the system comprising a client and a background server;
the client includes the key management apparatus described in the third aspect;
the background server includes the key management apparatus described in the fourth aspect.
In a sixth aspect, a computer-readable storage medium is provided, the computer-readable storage medium storing a program that is executed by a processor to implement the key management method described in the first aspect.
In a seventh aspect, a computer-readable storage medium is provided, the computer-readable storage medium storing a program that is executed by a processor to implement the key management method described in the second aspect.
The beneficial effects of the technical solution provided by the embodiments of the present invention include:
The client encrypts the temporary key using asymmetric encryption and sends it to the background server. The background server decrypts it to obtain the temporary key, encrypts the session key and the key identification with the temporary key to obtain the second ciphertext, and sends the second ciphertext to the client. The client decrypts the second ciphertext with the temporary key to obtain the session key and the key identification, so that in subsequent sessions with the background server the client uses the session key to encrypt and decrypt the session data. This solves the prior-art problem that, because the number of sessions between clients and the server is enormous, the server has to spend a large amount of resources managing symmetric keys. In the prior art, session data is encrypted and decrypted directly with a symmetric key generated by the client; in the embodiments of the present invention, session data is encrypted and decrypted with a session key provided by the background server, so the background server only needs to manage session keys and does not need to manage keys generated by a large number of clients. This simplifies key management on the background server and helps save its resources.
While balancing key security against encryption and decryption efficiency, the technical solution provided by the embodiments of the present invention also simplifies key management on the background server and saves the background server's processing and storage resources. The key management scheme is therefore well suited to high-concurrency business scenarios at scale, such as C/S-architecture scenarios: even if the number of daily active clients reaches tens of millions or even hundreds of millions and the number of sessions between clients and the server is enormous, the server can still manage the keys needed for encryption simply and effectively while ensuring the security and the encryption and decryption efficiency of data transmitted between client and server.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an implementation environment provided by one embodiment of the present invention;
Fig. 2 is a schematic diagram of an implementation environment provided by another embodiment of the present invention;
Fig. 3 is a flow chart of a key management method provided by one embodiment of the present invention;
Fig. 4 is a flow chart of a key management method provided by another embodiment of the present invention;
Fig. 5 is a flow chart of the authorization phase involved in one embodiment of the present invention;
Fig. 6 is a flow chart of the data communication phase involved in one embodiment of the present invention;
Fig. 7 is a block diagram of a key management apparatus provided by one embodiment of the present invention;
Fig. 8 is a block diagram of a key management apparatus provided by another embodiment of the present invention;
Fig. 9 is a block diagram of a key management system provided by one embodiment of the present invention;
Fig. 10 is a structural schematic diagram of a terminal provided by one embodiment of the present invention;
Fig. 11 is a structural schematic diagram of a server provided by one embodiment of the present invention.
Detailed description of embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
Referring to Fig. 1, it shows a schematic diagram of an implementation environment provided by one embodiment of the present invention. Taking a C/S-architecture business scenario as an example, the implementation environment includes at least one terminal 11 and a background server 12.
A client can be installed and run on the terminal 11. The embodiments of the present invention do not limit the type of client; for example, the client can be an instant messaging client, a social application client, a payment application client, a video playback client, and so on. The terminal 11 can be an electronic device such as a mobile phone, tablet computer, e-book reader, multimedia player, laptop computer or desktop computer.
A communication connection can be established between the terminal 11 and the background server 12 over a wired or wireless network.
The background server 12 can be a single server, a server cluster made up of multiple servers, or a cloud computing service center.
In one example, where the background server 12 is a server cluster made up of multiple servers, as shown in Fig. 2, the background server 12 includes: an access server 121, a service server 122, an Authentication Center server 123 and a Key Management server 124.
The access server 121 is the medium for passing and distributing data between the client and the service server 122 and the Authentication Center server 123. The access server 121 establishes communication connections over the network with the service server 122, the Authentication Center server 123 and the Key Management server 124 respectively.
The service server 122 provides business services to the client. The embodiments of the present invention do not limit the type of service provided by the service server 122; examples include instant messaging, social, payment and video services.
The Authentication Center server 123 provides the authentication service to the client and provides the client with the key needed for encryption. The Authentication Center server 123 establishes a communication connection with the Key Management server 124 over the network.
The Key Management server 124 manages keys. Optionally, the Authentication Center server 123 and the Key Management server 124 can be two mutually independent servers, or they can be integrated into a single server.
The technical solution provided by the embodiments of the present invention can be applied to any business scenario in which the data transmitted between two communicating ends needs to be encrypted. The embodiments of the present invention use the C/S-architecture business scenario only as an illustration and do not limit the devices at the two communicating ends. For example, the two ends can be a terminal running a client and a background server, a terminal and a base station, a server and another server, and so on.
Referring to Fig. 3, it shows a flow chart of a key management method provided by one embodiment of the present invention. The method can be applied in the implementation environment shown in Fig. 1 and may include the following steps.
Step 301: the client generates a temporary key.
Step 302: the client encrypts the temporary key with the public key provided by the background server to obtain a first ciphertext.
Step 303: the client sends an authentication request to the background server, the authentication request carrying the first ciphertext.
Correspondingly, the background server receives the authentication request sent by the client.
Step 304: the background server decrypts the first ciphertext with the private key corresponding to the public key to obtain the temporary key.
Step 305: the background server obtains a session key and a key identification, wherein the key identification identifies the session key, and the session key is used to encrypt the data of the session.
Step 306: the background server encrypts the session key and the key identification with the temporary key to obtain a second ciphertext.
Step 307: the background server sends an authentication response to the client, the authentication response carrying the second ciphertext.
Correspondingly, the client receives the authentication response sent by the background server.
Step 308: the client decrypts the second ciphertext with the temporary key to obtain the session key and the key identification.
In summary, in the method provided by this embodiment, the client encrypts the temporary key using asymmetric encryption and sends it to the background server. The background server decrypts it to obtain the temporary key, encrypts the session key and the key identification with the temporary key to obtain the second ciphertext, and sends the second ciphertext to the client. The client decrypts the second ciphertext with the temporary key to obtain the session key and the key identification, so that in subsequent sessions with the background server the client uses the session key to encrypt and decrypt the session data. This solves the prior-art problem that, because the number of sessions between clients and the server is enormous, the server has to spend a large amount of resources managing symmetric keys. In the prior art, session data is encrypted and decrypted directly with a symmetric key generated by the client; in the embodiments of the present invention, session data is encrypted and decrypted with a session key provided by the background server, so the background server only needs to manage session keys and does not need to manage keys generated by a large number of clients. This simplifies key management on the background server and helps save its resources.
While balancing key security against encryption and decryption efficiency, the technical solution provided by the embodiments of the present invention also simplifies key management on the background server and saves the background server's processing and storage resources. The key management scheme is therefore well suited to high-concurrency business scenarios at scale, such as C/S-architecture scenarios: even if the number of daily active clients reaches tens of millions or even hundreds of millions and the number of sessions between clients and the server is enormous, the server can still manage the keys needed for encryption simply and effectively while ensuring the security and the encryption and decryption efficiency of data transmitted between client and server.
In the embodiments of the present invention, a session refers to the communication interaction between two devices within one uninterrupted period of operation. All data packets exchanged between the two devices during a session belong to that session. In one example, taking the C/S-architecture business scenario, a session can be one "call" between the client and the server: one complete request and response.
Referring to Fig. 4, it shows a flow chart of a key management method provided by another embodiment of the present invention. The method can be applied in the implementation environment shown in Fig. 1 and may include the following steps.
Step 401: the client generates a temporary key.
In one example, the temporary key is generated using a random number generator. The temporary key is a symmetric key.
Note that in the embodiments of the present invention the temporary key is not the key used to encrypt and decrypt session data. The temporary key is only used to encrypt and decrypt the session key; the session key is the key actually used to encrypt and decrypt session data.
Step 402: the client encrypts the temporary key with the public key provided by the background server to obtain a first ciphertext.
The public key is distributed to the client in advance by the background server. In one example, the background server writes the public key into a binary file that carries the digital signature of the company that develops the client, and sends the signed binary file to the client. The signature ensures that the file has not been tampered with or forged, so the public key is delivered securely. Optionally, the public key can be updated by updating the binary file: after the background server enables a new public key, it can send a binary file carrying the new public key to the client again.
After generating the temporary key, the client encrypts it using asymmetric encryption with the public key provided by the background server, obtaining the first ciphertext.
Step 403: the client sends an authentication request to the background server, the authentication request carrying the first ciphertext.
The authentication request asks the background server to authenticate the client and, if authentication passes, to distribute to the client the key needed to encrypt session data.
Correspondingly, the background server receives the authentication request sent by the client.
In addition, because the temporary key is encrypted with the public key provided by the background server, even if a malicious user intercepts the authentication request, that user does not hold the private key corresponding to the public key and cannot decrypt the first ciphertext to recover the temporary key. The security of the temporary key is therefore assured, and so is the security of the session key transmitted afterwards.
Step 404: the background server decrypts the first ciphertext with the private key corresponding to the public key to obtain the temporary key.
After receiving the authentication request, the background server decrypts the first ciphertext using asymmetric encryption with the private key corresponding to the public key, obtaining the temporary key.
Step 405: the background server obtains a session key and a key identification.
The key identification identifies the session key, and the session key is used to encrypt the data of the session. The session key is a symmetric key. Optionally, the session key is a continuous byte stream, generally an integer multiple of 128 bits in length, produced by a random number generator. The key identification uniquely identifies the session key; the same key identification can be used in different sessions, and different key identifications correspond to different session keys. Optionally, the key identification is a 64-bit integer.
In one example, the background server generates the session key using a random number generator and generates the key identification corresponding to the session key. The background server also stores the session key and the key identification in correspondence with each other.
In another example, the background server chooses one corresponding pair of session key and key identification from pre-stored keys. The pre-stored keys include at least one corresponding pair of session key and key identification, and are generated and stored by the background server in advance. The pre-stored keys can be stored in the Cache (cache memory) of the background server, or in a target file. In one example, the pre-stored keys are stored in the Cache and also backed up in the target file, so that the backup can be used if the Cache fails.
There is a one-to-one relationship between key identifications and session keys. Optionally, each session key has a corresponding validity period; the session key is valid within that period and invalid otherwise. The validity period can be set when the session key is generated. Different session keys usually have validity periods of the same duration, but the durations can also differ; this embodiment does not limit this. Nor does this embodiment limit when the validity period starts: for example, it can start when the session key is generated, when the background server sends the session key to the client, or when the client receives the session key.
The client uses a session key in the valid state (that is, within its validity period) to encrypt and decrypt session data. After the session key expires (that is, beyond its validity period), the client can request a new valid session key from the background server. Step 403 can therefore be executed when the existing session key is no longer valid, or when the client needs to initiate a session with the background server and the existing session key is no longer valid. If the existing session key has not yet expired, the client can use it to encrypt and decrypt session data without requesting a new session key from the background server.
Optionally, the background server's choice of one corresponding pair of session key and key identification from the pre-stored keys may include the following sub-steps:
1. The background server obtains the IP (Internet Protocol) address corresponding to the client.
For example, the background server parses the data packet of the authentication request sent by the client and obtains the client's IP address from the packet header.
2. The background server determines a key selection range according to the IP address; the key selection range includes a portion of the corresponding session keys and key identifications in the pre-stored keys.
The background server can divide the pre-stored keys into multiple segments, each containing a portion of the corresponding session keys and key identifications. For example, the background server calculates the hash value of the client's IP address and maps the hash value to one segment of the pre-stored keys; that segment is the key selection range. As another example, the background server can randomly select one segment from the segmented pre-stored keys; the selected segment is the key selection range.
3. The background server chooses one corresponding pair of session key and key identification from the key selection range.
This guards against a bulk dump of the background server's key store, because the session keys obtainable from any one IP address come from one fixed segment rather than from all of the pre-stored keys.
Step 406, the background server encrypts the session key and the key identification using the temporary key to obtain the second ciphertext.
The background server encrypts the session key and the key identification with the temporary key, using symmetric encryption, to obtain the second ciphertext.
Step 407, the background server sends an authentication response to the client; the authentication response carries the second ciphertext.
Correspondingly, the client receives the authentication response sent by the background server.
Optionally, after receiving the authentication request sent by the client, the background server may also perform the following steps: the background server obtains the GUID (Globally Unique Identifier) corresponding to the device on which the client runs; obtains the number of authentication requests corresponding to the GUID; and judges whether the number of authentication requests is greater than a preset threshold. If the number of authentication requests is greater than the preset threshold, the background server refuses to respond to the authentication request; if the number of authentication requests is less than the preset threshold, it responds to the authentication request, for example by executing steps 404 to 407 above. The GUID corresponding to the device on which the client runs can be parsed from the packet header of the data packet of the authentication request. Limiting the number of authentication requests for the same GUID in this way can effectively prevent the background server from being paralyzed when it is under frequent malicious attack.
Step 408, the client decrypts the second ciphertext using the temporary key to obtain the session key and the key identification.
After receiving the authentication response, the client decrypts the second ciphertext with the temporary key, using symmetric encryption, to obtain the session key and the key identification. The client then uses this session key to symmetrically encrypt the content it exchanges with the background server. In the subsequent session between the client and the server, the client uses the session key to encrypt and decrypt the session data transmitted between it and the background server, and the background server uses the session key to encrypt and decrypt the session data transmitted between it and the client.
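The two server-side checks described above, limiting authentication requests per GUID and choosing the session key from the segment that the client's IP address hashes to, are shown here as an added example that is not code from the patent. The pool sizes, the threshold value, the SHA-256 mapping, the counter that is never reset and all function names are assumptions.

```python
import hashlib
import ipaddress
import secrets
from collections import Counter

# All sizes and the threshold below are assumptions chosen for the demo.
SEGMENT_COUNT = 8        # number of segments the prestored keys are divided into
KEYS_PER_SEGMENT = 4     # groups of (key identification, session key) per segment
GUID_THRESHOLD = 3       # the "preset threshold" on authentication requests per GUID


def build_prestored_keys(segment_count=SEGMENT_COUNT, per_segment=KEYS_PER_SEGMENT):
    """Constructed pool: a list of segments, each a list of (key_id, session_key)."""
    pool, next_id = [], 1
    for _ in range(segment_count):
        segment = []
        for _ in range(per_segment):
            segment.append((next_id, secrets.token_bytes(16)))
            next_id += 1
        pool.append(segment)
    return pool


def segment_for_ip(ip_text, segment_count):
    """Hash the client's IP address and map the hash value to one segment.

    Parsing first gives one canonical byte form per address and rejects
    malformed input with ValueError instead of hashing arbitrary strings.
    """
    packed = ipaddress.ip_address(ip_text).packed
    digest = hashlib.sha256(packed).digest()
    return int.from_bytes(digest[:8], "big") % segment_count


class AuthHandler:
    """Server-side handling of an authentication request, minus the crypto."""

    def __init__(self, pool, threshold=GUID_THRESHOLD):
        self.pool = pool
        self.threshold = threshold
        # Assumption: the count is kept for the life of the process; the text
        # does not say over what period requests are counted.
        self.requests_per_guid = Counter()

    def handle(self, guid, client_ip):
        """Return (key_id, session_key), or None when the request is refused."""
        self.requests_per_guid[guid] += 1
        # The text refuses counts greater than the threshold and serves counts
        # below it; serving a count equal to the threshold is an assumption.
        if self.requests_per_guid[guid] > self.threshold:
            return None
        segment = self.pool[segment_for_ip(client_ip, len(self.pool))]
        return secrets.choice(segment)


def key_ids_visible_to_ip(handler, client_ip, requests):
    """Collect the key identifications one address receives over many requests.

    Each request uses a fresh constructed GUID so the per-GUID limit does not
    interfere; the result shows how much of the pool a single address can see.
    """
    seen = set()
    for i in range(requests):
        result = handler.handle(f"demo-guid-{i}", client_ip)
        if result is not None:
            seen.add(result[0])
    return seen


if __name__ == "__main__":
    pool = build_prestored_keys()
    handler = AuthHandler(pool)
    ip = "203.0.113.7"  # constructed address from the documentation range
    seen = key_ids_visible_to_ip(handler, ip, 500)
    total = sum(len(s) for s in pool)
    print(f"{ip} saw {len(seen)} of {total} key identifications")
    print([handler.handle("one-device", ip) is not None for _ in range(5)])
```

With these sizes a single address can collect at most 4 of the 32 key identifications, however many requests it makes. The bound is per source address, so it limits what one address can obtain, not what the client population as a whole receives.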
The process of the data communication phase between the client and the background server is described below.
Steps 409 to 411 are the uplink transmission process, and steps 412 to 414 are the downlink transmission process.
Step 409, the client encrypts the uplink data of the session using the session key to obtain encrypted uplink data.
Uplink data refers to data that the client transmits to the background server.
Step 410, the client sends an uplink data packet to the background server.
The packet header of the uplink data packet carries the key identification, and the packet body of the uplink data packet carries the encrypted uplink data.
Correspondingly, the background server receives the uplink data packet sent by the client.
Step 411, the background server decrypts the encrypted uplink data using the session key corresponding to the key identification carried in the packet header, to obtain the uplink data.
After receiving the uplink data packet, the background server looks up, in the prestored keys, the session key corresponding to the key identification carried in the packet header of the uplink data packet, and then decrypts the encrypted uplink data with that session key, using symmetric encryption, to obtain the uplink data.
Optionally, before performing the decryption operation, the background server may also verify the validity period of the session key it looked up: if the validity period has been exceeded, the process ends; if it has not been exceeded, the decryption operation is performed.
Step 412, the background server encrypts the downlink data of the session using the session key to obtain encrypted downlink data.
Downlink data refers to data that the background server transmits to the client.
Step 413, the background server sends a downlink data packet to the client.
The packet header of the downlink data packet carries the key identification, and the packet body of the downlink data packet carries the encrypted downlink data.
Correspondingly, the client receives the downlink data packet sent by the background server.
Step 414, the client decrypts the encrypted downlink data using the session key corresponding to the key identification carried in the packet header, to obtain the downlink data.
After receiving the downlink data packet, the client looks up the session key corresponding to the key identification carried in the packet header of the downlink data packet, and then decrypts the encrypted downlink data with that session key, using symmetric encryption, to obtain the downlink data.
It should be added that the background server may also obtain an initialization vector (Init Vector, IV) corresponding to the session key and send the initialization vector to the client. The client uses the initialization vector when performing symmetric encryption and decryption with the session key. Correspondingly, the client receives the initialization vector sent by the background server. For example, the authentication response that the background server sends to the client also carries the initialization vector. The initialization vector may be sent after being encrypted with the temporary key, or it may be sent unencrypted; this embodiment does not limit this. The initialization vector may be produced by the background server by generating a random number with a random number generator and combining that random number with the session key. During use, the initialization vector may change dynamically according to a related algorithm. Optionally, the initialization vector is a byte stream of 12 bytes. In this way, decryption with a given session key can be completed only together with the corresponding initialization vector, which provides further hardening.
In conclusion, in the method provided in this embodiment, the client encrypts the temporary key using asymmetric encryption and sends it to the background server; the background server decrypts it to obtain the temporary key, encrypts the session key and the key identification with the temporary key to obtain the second ciphertext, and sends the second ciphertext to the client; the client decrypts the second ciphertext with the temporary key to obtain the session key and the key identification, so that when the client subsequently conducts a session with the background server, it encrypts and decrypts the session data using the session key. This solves the problem in the prior art that, because the number of sessions between clients and the server is very large, the server needs to spend a large amount of resources managing symmetric keys. Compared with the prior art, which encrypts and decrypts session data directly with a symmetric key generated by the client, the embodiment of the present invention encrypts and decrypts session data with a session key provided by the background server, so that the background server only needs to manage session keys and does not need to manage keys generated by a large number of clients. This reduces the complexity of key management on the background server and helps save the background server's resources.
In addition, a corresponding validity period is set for the session key. As long as the session key has not expired, the client can use it to encrypt and decrypt session data even across different sessions, without requesting a new session key from the background server again, which saves processing overhead and communication resources for both the device on which the client runs and the background server.
It should also be added that decryption with an asymmetric encryption algorithm is slow, usually about 2,200 decryptions per second on a single thread, so multi-threaded parallel decryption can be used so that the background server does not become a system bottleneck without many machines being deployed. In addition, if the OpenSSL (Open Secure Sockets Layer) library is used, because the OpenSSL library is not thread-safe, only one thread in a service process can perform the decryption work; to decrypt in parallel, multiple processes must be run, which affects both development and release and is inconvenient to maintain. In the embodiment of the present invention, the code of the RSA function API in the OpenSSL library is adjusted: the steps that are not thread-safe are separated out and called from a safe place, and the remaining, safe steps can then be called in a multi-threaded environment, which meets the requirement of multi-threaded parallel decryption.
In the above method embodiment, the steps on the client side can be implemented separately as a key management method on the client side, and the steps on the background server side can be implemented separately as a key management method on the background server side.
The technical solution provided in the embodiments of the present invention is described below with reference to the application scenario shown in Fig. 2.
Fig. 5 shows a flowchart of the authorization phase. As shown in Fig. 5, the authorization phase may include the following steps.
Step 501, the client generates a temporary key.
Step 502, the client encrypts the temporary key using the public key provided by the authentication center server to obtain the first ciphertext.
Step 503, the client sends an authentication request to the access server; the authentication request carries the first ciphertext.
Correspondingly, the access server receives the authentication request sent by the client.
Step 504, the access server forwards the authentication request to the authentication center server.
Correspondingly, the authentication center server receives the authentication request sent by the access server.
Step 505, the authentication center server decrypts the first ciphertext using the private key corresponding to the public key to obtain the temporary key.
Step 506, the authentication center server obtains a session key and a key identification.
The key identification is used to identify the session key, and the session key is used to encrypt the data of the session.
In one example, step 506 includes the following sub-steps:
Step 506a, the authentication center server generates the session key using a random number generator;
Step 506b, the authentication center server sends the session key to the key management server;
Correspondingly, the key management server receives the session key sent by the authentication center server;
Step 506c, the key management server generates the key identification corresponding to the session key;
Step 506d, the key management server stores the key identification and the session key in association with each other;
Step 506e, the key management server sends the key identification to the authentication center server;
Correspondingly, the authentication center server receives the key identification sent by the key management server.
In another example, step 506 includes the following sub-step:
Step 506f, the authentication center server chooses one group of corresponding session key and key identification from the prestored keys.
The prestored keys include at least one group of corresponding session key and key identification. The prestored keys may be generated in advance by the key management server and provided to the authentication center server. For example, the key management server writes the prestored keys into a target file and sends the target file to the authentication center server. After the authentication center server starts, it loads the prestored keys in the target file into memory and randomly chooses one group of corresponding session key and key identification from them each time.
Step 507, the authentication center server encrypts the session key and the key identification using the temporary key to obtain the second ciphertext.
Step 508, the authentication center server sends an authentication response to the access server; the authentication response carries the second ciphertext.
Correspondingly, the access server receives the authentication response sent by the authentication center server.
Step 509, the access server forwards the authentication response to the client.
Correspondingly, the client receives the authentication response sent by the access server.
Step 510, the client decrypts the second ciphertext using the temporary key to obtain the session key and the key identification.
Fig. 6 shows a flowchart of the data communication phase. As shown in Fig. 6, the data communication phase may include the following steps.
Step 601, the client encrypts the uplink data of the session using the session key to obtain encrypted uplink data.
Step 602, the client sends an uplink data packet to the access server.
The packet header of the uplink data packet carries the key identification, and the packet body of the uplink data packet carries the encrypted uplink data.
Correspondingly, the access server receives the uplink data packet sent by the client.
Step 603, the access server looks up the session key corresponding to the key identification carried in the packet header.
In one example, step 603 includes the following sub-step:
Step 603a, the access server looks up, in its local cache, the session key corresponding to the key identification carried in the packet header.
For example, the access server obtains the preset keys from the key management server in advance and stores them in the local cache.
In another example, step 603 includes the following sub-steps:
Step 603b, the access server sends a query request to the key management server; the query request carries the key identification carried in the packet header;
Correspondingly, the key management server receives the query request sent by the access server;
Step 603c, the key management server looks up, in the preset keys, the session key corresponding to the key identification carried in the query request;
Step 603d, the key management server sends a query response to the access server; the query response carries the session key found by the lookup;
Correspondingly, the access server receives the query response sent by the key management server.
Step 604, the access server decrypts the encrypted uplink data using the session key found by the lookup, to obtain the uplink data.
Step 605, the access server sends the uplink data to the service server.
Correspondingly, the service server receives the uplink data sent by the access server.
In one example, the access server sends the uplink data to the service server in plaintext. In another example, the access server encrypts the uplink data using an encryption mode and key negotiated in advance with the service server, and then sends it to the service server.
After receiving the uplink data, the service server processes it and, when necessary, feeds a return packet back to the client.
Step 606, the service server sends downlink data to the access server.
Correspondingly, the access server receives the downlink data sent by the service server.
In one example, the service server sends the downlink data to the access server in plaintext. In another example, the service server encrypts the downlink data using an encryption mode and key negotiated in advance with the access server, and then sends it to the access server.
Step 607, the access server encrypts the downlink data using the session key found by the lookup, to obtain encrypted downlink data.
Step 608, the access server sends a downlink data packet to the client.
The packet header of the downlink data packet carries the key identification, and the packet body of the downlink data packet carries the encrypted downlink data.
Correspondingly, the client receives the downlink data packet sent by the access server.
Step 609, the client decrypts the encrypted downlink data using the session key corresponding to the key identification carried in the packet header, to obtain the downlink data.
The following are apparatus embodiments of the present invention, which can be used to execute the method embodiments of the present invention. For details not disclosed in the apparatus embodiments, refer to the method embodiments of the present invention.
Referring to Fig. 7, it shows a block diagram of a key management apparatus provided by one embodiment of the present invention. The apparatus has the function of implementing the client-side key management method described above; the function may be implemented by hardware, or by hardware executing corresponding software. The apparatus may include: a key generation module 710, a first encryption module 720, a request sending module 730, a response receiving module 740 and a first decryption module 750.
The key generation module 710 is configured to generate a temporary key.
The first encryption module 720 is configured to encrypt the temporary key using the public key provided by the background server, to obtain a first ciphertext.
The request sending module 730 is configured to send an authentication request to the background server; the authentication request carries the first ciphertext.
The response receiving module 740 is configured to receive the authentication response sent by the background server; the authentication response carries a second ciphertext, which is the ciphertext obtained by encrypting the session key and the key identification with the temporary key. The key identification is used to identify the session key, and the session key is used to encrypt the data of the session.
The first decryption module 750 is configured to decrypt the second ciphertext using the temporary key, to obtain the session key and the key identification.
In conclusion, in the apparatus provided in this embodiment, the client encrypts the temporary key using asymmetric encryption and sends it to the background server, receives from the background server the second ciphertext obtained by encrypting the session key and the key identification with the temporary key, and decrypts the second ciphertext with the temporary key to obtain the session key and the key identification, so that when the client subsequently conducts a session with the background server, it encrypts and decrypts the session data using the session key. This solves the problem in the prior art that, because the number of sessions between clients and the server is very large, the server needs to spend a large amount of resources managing symmetric keys. Compared with the prior art, which encrypts and decrypts session data directly with a symmetric key generated by the client, the embodiment of the present invention encrypts and decrypts session data with a session key provided by the background server, so that the background server only needs to manage session keys and does not need to manage keys generated by a large number of clients. This reduces the complexity of key management on the background server and helps save the background server's resources.
Referring to Fig. 8, it shows a block diagram of a key management apparatus provided by another embodiment of the present invention. The apparatus has the function of implementing the key management method on the background server side described above; the function may be implemented by hardware, or by hardware executing corresponding software. The apparatus may include: a request receiving module 810, a second decryption module 820, a key acquisition module 830, a second encryption module 840 and a response sending module 850.
The request receiving module 810 is configured to receive the authentication request sent by the client; the authentication request carries a first ciphertext, which is the ciphertext obtained by encrypting the temporary key with the public key provided by the local end.
The second decryption module 820 is configured to decrypt the first ciphertext using the private key corresponding to the public key, to obtain the temporary key.
The key acquisition module 830 is configured to obtain a session key and a key identification. The key identification is used to identify the session key, and the session key is used to encrypt the data of the session.
The second encryption module 840 is configured to encrypt the session key and the key identification using the temporary key, to obtain a second ciphertext.
The response sending module 850 is configured to send an authentication response to the client; the authentication response carries the second ciphertext.
In conclusion, in the apparatus provided in this embodiment, the client encrypts the temporary key using asymmetric encryption and sends it to the background server; the background server decrypts it to obtain the temporary key, encrypts the session key and the key identification with the temporary key to obtain the second ciphertext, and sends the second ciphertext to the client, so that when the client subsequently conducts a session with the background server, it encrypts and decrypts the session data using the session key. This solves the problem in the prior art that, because the number of sessions between clients and the server is very large, the server needs to spend a large amount of resources managing symmetric keys. Compared with the prior art, which encrypts and decrypts session data directly with a symmetric key generated by the client, the embodiment of the present invention encrypts and decrypts session data with a session key provided by the background server, so that the background server only needs to manage session keys and does not need to manage keys generated by a large number of clients. This reduces the complexity of key management on the background server and helps save the background server's resources.
Referring to Fig. 9, it shows a block diagram of a key management system provided by one embodiment of the present invention. The system includes: a client 700 and a background server 800.
The client 700 may include a key management apparatus. The apparatus has the function of implementing the client-side key management method described above; the function may be implemented by hardware, or by hardware executing corresponding software. The apparatus may include: a key generation module 710, a first encryption module 720, a request sending module 730, a response receiving module 740 and a first decryption module 750.
The key generation module 710 is configured to generate a temporary key.
The first encryption module 720 is configured to encrypt the temporary key using the public key provided by the background server 800, to obtain a first ciphertext.
The request sending module 730 is configured to send an authentication request to the background server 800; the authentication request carries the first ciphertext.
The response receiving module 740 is configured to receive the authentication response sent by the background server 800; the authentication response carries a second ciphertext, which is the ciphertext obtained by encrypting the session key and the key identification with the temporary key. The key identification is used to identify the session key, and the session key is used to encrypt the data of the session.
The first decryption module 750 is configured to decrypt the second ciphertext using the temporary key, to obtain the session key and the key identification.
Optionally, the apparatus further includes: an uplink data encryption module 762 and an uplink data sending module 764.
The uplink data encryption module 762 is configured to encrypt the uplink data of the session using the session key, to obtain encrypted uplink data.
The uplink data sending module 764 is configured to send an uplink data packet to the background server 800; the packet header of the uplink data packet carries the key identification, and the packet body of the uplink data packet carries the encrypted uplink data.
Optionally, the apparatus further includes: a downlink data receiving module 766 and a downlink data decryption module 768.
The downlink data receiving module 766 is configured to receive the downlink data packet sent by the background server 800; the packet header of the downlink data packet carries the key identification, and the packet body of the downlink data packet carries encrypted downlink data.
The downlink data decryption module 768 is configured to decrypt the encrypted downlink data using the session key corresponding to the key identification carried in the packet header, to obtain the downlink data.
In one example, the key generation module 710 is configured to generate the temporary key using a random number generator.
Optionally, the apparatus further includes: a vector receiving module 770.
The vector receiving module 770 is configured to receive the initialization vector corresponding to the session key that is sent by the background server 800; the local end uses the initialization vector when performing symmetric encryption and decryption with the session key.
The background server 800 may include a key management apparatus. The apparatus has the function of implementing the key management method on the background server side described above; the function may be implemented by hardware, or by hardware executing corresponding software. The apparatus may include: a request receiving module 810, a second decryption module 820, a key acquisition module 830, a second encryption module 840 and a response sending module 850.
The request receiving module 810 is configured to receive the authentication request sent by the client 700; the authentication request carries a first ciphertext, which is the ciphertext obtained by encrypting the temporary key with the public key provided by the local end.
The second decryption module 820 is configured to decrypt the first ciphertext using the private key corresponding to the public key, to obtain the temporary key.
The key acquisition module 830 is configured to obtain a session key and a key identification. The key identification is used to identify the session key, and the session key is used to encrypt the data of the session.
The second encryption module 840 is configured to encrypt the session key and the key identification using the temporary key, to obtain a second ciphertext.
The response sending module 850 is configured to send an authentication response to the client 700; the authentication response carries the second ciphertext.
In one example, the key acquisition module 830 is configured to generate the session key using a random number generator and to generate the key identification corresponding to the session key.
In another example, the key acquisition module 830 is configured to choose one group of corresponding session key and key identification from the prestored keys. The prestored keys include at least one group of corresponding session key and key identification.
Optionally, the key acquisition module 830 includes: an address acquisition unit, a range determination unit and a key selection unit.
The address acquisition unit is configured to obtain the IP address corresponding to the client 700.
The range determination unit is configured to determine a key selection range according to the IP address; the key selection range includes a portion of the corresponding session keys and key identifications in the prestored keys.
The key selection unit is configured to choose one group of corresponding session key and key identification from the key selection range.
Optionally, the apparatus further includes: an uplink data receiving module 862 and an uplink data decryption module 864.
The uplink data receiving module 862 is configured to receive the uplink data packet sent by the client 700; the packet header of the uplink data packet carries the key identification, and the packet body of the uplink data packet carries encrypted uplink data.
The uplink data decryption module 864 is configured to decrypt the encrypted uplink data using the session key corresponding to the key identification carried in the packet header, to obtain the uplink data.
Optionally, the apparatus further includes: a downlink data encryption module 866 and a downlink data sending module 868.
The downlink data encryption module 866 is configured to encrypt the downlink data of the session using the session key, to obtain encrypted downlink data.
The downlink data sending module 868 is configured to send a downlink data packet to the client 700; the packet header of the downlink data packet carries the key identification, and the packet body of the downlink data packet carries the encrypted downlink data.
Optionally, the apparatus further includes: an identifier acquisition module 812 and a count acquisition module 814.
The identifier acquisition module 812 is configured to obtain the GUID corresponding to the device on which the client 700 runs.
The count acquisition module 814 is configured to obtain the number of authentication requests corresponding to the GUID.
The second decryption module 820 is further configured to, when the number of authentication requests is less than the preset threshold, decrypt the first ciphertext using the private key corresponding to the public key, to obtain the temporary key.
Optionally, the apparatus further includes: a vector acquisition module 870 and a vector sending module 880.
The vector acquisition module 870 is configured to obtain the initialization vector corresponding to the session key.
The vector sending module 880 is configured to send the initialization vector to the client 700; the client 700 uses the initialization vector when performing symmetric encryption and decryption with the session key.
In conclusion, in the system provided in this embodiment, the client encrypts the temporary key using asymmetric encryption and sends it to the background server; the background server decrypts it to obtain the temporary key, encrypts the session key and the key identification with the temporary key to obtain the second ciphertext, and sends the second ciphertext to the client; the client decrypts the second ciphertext with the temporary key to obtain the session key and the key identification, so that when the client subsequently conducts a session with the background server, it encrypts and decrypts the session data using the session key. This solves the problem in the prior art that, because the number of sessions between clients and the server is very large, the server needs to spend a large amount of resources managing symmetric keys. Compared with the prior art, which encrypts and decrypts session data directly with a symmetric key generated by the client, the embodiment of the present invention encrypts and decrypts session data with a session key provided by the background server, so that the background server only needs to manage session keys and does not need to manage keys generated by a large number of clients. This reduces the complexity of key management on the background server and helps save the background server's resources.
It should be understood that device provided by the above embodiment is when realizing its function, only with above-mentioned each functional module It divides and carries out for example, can according to need in practical application and be completed by different functional modules above-mentioned function distribution, The internal structure of equipment is divided into different functional modules, to complete all or part of the functions described above.In addition, Apparatus and method embodiment provided by the above embodiment belongs to same design, and specific implementation process is detailed in embodiment of the method, this In repeat no more.
Referring to FIG. 10, which shows a schematic structural diagram of a terminal provided by one embodiment of the present invention. The terminal is used to implement the client-side key management method provided in the above embodiments. Specifically:
The terminal 1000 may include an RF (Radio Frequency) circuit 1010, a memory 1020 including one or more computer-readable storage media, an input unit 1030, a display unit 1040, a sensor 1050, an audio circuit 1060, a WiFi (wireless fidelity) module 1070, a processor 1080 including one or more processing cores, a power supply 1090, and other components. Those skilled in the art will understand that the terminal structure shown in FIG. 10 does not limit the terminal, which may include more or fewer components than illustrated, combine certain components, or use a different component arrangement. Wherein:
The RF circuit 1010 may be used to receive and send signals while sending and receiving information or during communication. In particular, after receiving downlink information from a base station, it passes the information to one or more processors 1080 for processing; in addition, it sends uplink data to the base station. Generally, the RF circuit 1010 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a subscriber identity module (SIM) card, a transceiver, a coupler, an LNA (Low Noise Amplifier), a duplexer, and the like. In addition, the RF circuit 1010 may communicate with networks and other devices by wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to GSM (Global System of Mobile communication), GPRS (General Packet Radio Service), CDMA (Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), LTE (Long Term Evolution), e-mail, SMS (Short Messaging Service), and so on.
The memory 1020 may be used to store software programs and modules; the processor 1080 executes various functional applications and data processing by running the software programs and modules stored in the memory 1020. The memory 1020 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, application programs required by at least one function (such as a sound playback function or an image playback function), and the like; the data storage area may store data created through use of the terminal 1000 (such as audio data or a phone book) and the like. In addition, the memory 1020 may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, a flash memory device, or another volatile solid-state storage device. Accordingly, the memory 1020 may also include a memory controller to provide the processor 1080 and the input unit 1030 with access to the memory 1020.
The input unit 1030 may be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical, or trackball signal input related to user settings and function control. Specifically, the input unit 1030 may include an image input device 1031 and other input devices 1032. The image input device 1031 may be a camera or a photoelectric scanning device. In addition to the image input device 1031, the input unit 1030 may also include other input devices 1032. Specifically, the other input devices 1032 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys and a switch key), a trackball, a mouse, a joystick, and the like.
The display unit 1040 may be used to display information entered by the user or provided to the user, as well as the various graphical user interfaces of the terminal 1000, which may be composed of graphics, text, icons, video, and any combination thereof. The display unit 1040 may include a display panel 1041, which may optionally be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), or the like.
The terminal 1000 may also include at least one sensor 1050, such as an optical sensor, a motion sensor, or other sensors. Specifically, the optical sensor may include an ambient light sensor and a proximity sensor: the ambient light sensor can adjust the brightness of the display panel 1041 according to the ambient light, and the proximity sensor can turn off the display panel 1041 and/or the backlight when the terminal 1000 is moved to the ear. As one kind of motion sensor, a gravity acceleration sensor can detect the magnitude of acceleration in all directions (generally three axes), can detect the magnitude and direction of gravity when stationary, and can be used in applications that recognize the phone's posture (such as landscape/portrait switching, related games, and magnetometer posture calibration) and in vibration-recognition functions (such as a pedometer or tap detection). The terminal 1000 may also be configured with other sensors such as a gyroscope, barometer, hygrometer, thermometer, and infrared sensor, which are not described here.
The audio circuit 1060, a speaker 1061, and a microphone 1062 may provide an audio interface between the user and the terminal 1000. The audio circuit 1060 can transmit the electrical signal converted from received audio data to the speaker 1061, which converts it into a sound signal for output; conversely, the microphone 1062 converts a collected sound signal into an electrical signal, which the audio circuit 1060 receives and converts into audio data. After the audio data is output to the processor 1080 for processing, it is sent through the RF circuit 1010 to, for example, another terminal, or output to the memory 1020 for further processing. The audio circuit 1060 may also include an earphone jack to provide communication between a peripheral earphone and the terminal 1000.
WiFi is a short-range wireless transmission technology. Through the WiFi module 1070, the terminal 1000 can help the user send and receive e-mail, browse web pages, access streaming video, and so on; it provides the user with wireless broadband Internet access. Although FIG. 10 shows the WiFi module 1070, it is understood that the module is not an essential part of the terminal 1000 and may be omitted as needed without changing the essence of the invention.
The processor 1080 is the control center of the terminal 1000. It connects the various parts of the whole phone through various interfaces and lines, and performs the various functions of the terminal 1000 and processes data by running or executing the software programs and/or modules stored in the memory 1020 and calling the data stored in the memory 1020, thereby monitoring the phone as a whole. Optionally, the processor 1080 may include one or more processing cores; preferably, the processor 1080 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, application programs, and so on, and the modem processor mainly handles wireless communication. It is understood that the modem processor need not be integrated into the processor 1080.
The terminal 1000 further includes a power supply 1090 (such as a battery) that powers the components. Preferably, the power supply is logically connected to the processor 1080 through a power management system, so that functions such as charging, discharging, and power-consumption management are handled through the power management system. The power supply 1090 may also include any of one or more DC or AC power sources, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and other components.
Although not shown, the terminal 1000 may also include a Bluetooth module and the like, which are not described here.
Specifically, in this embodiment the terminal 1000 further includes a memory and one or more programs, where the one or more programs are stored in the memory and configured to be executed by one or more processors. The one or more programs contain instructions for executing the client-side key management method described above.
Referring to FIG. 11, which shows a schematic structural diagram of a server provided by one embodiment of the present invention. The server is used to implement the key management method on the background server side provided in the above embodiments. Specifically:
The server 1100 includes a central processing unit (CPU) 1101, a system memory 1104 that includes a random access memory (RAM) 1102 and a read-only memory (ROM) 1103, and a system bus 1105 connecting the system memory 1104 and the central processing unit 1101. The server 1100 further includes a basic input/output system (I/O system) 1106 that helps transfer information between the devices within the computer, and a mass storage device 1107 for storing an operating system 1113, application programs 1114, and other program modules 1115.
The basic input/output system 1106 includes a display 1108 for displaying information and an input device 1109, such as a mouse or keyboard, for the user to enter information. The display 1108 and the input device 1109 are both connected to the central processing unit 1101 through an input/output controller 1110 connected to the system bus 1105. The basic input/output system 1106 may also include the input/output controller 1110 for receiving and processing input from a keyboard, a mouse, an electronic stylus, or multiple other devices. Similarly, the input/output controller 1110 also provides output to a display screen, a printer, or other types of output device.
The mass storage device 1107 is connected to the central processing unit 1101 through a mass storage controller (not shown) connected to the system bus 1105. The mass storage device 1107 and its associated computer-readable media provide non-volatile storage for the server 1100. That is, the mass storage device 1107 may include a computer-readable medium (not shown) such as a hard disk or a CD-ROM drive.
Without loss of generality, the computer-readable media may include computer storage media and communication media. Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules, or other data. Computer storage media include RAM, ROM, EPROM, EEPROM, flash memory or other solid-state storage technologies, CD-ROM, DVD or other optical storage, tape cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will know that computer storage media are not limited to the above. The system memory 1104 and the mass storage device 1107 described above may be collectively referred to as memory.
According to various embodiments of the present invention, the server 1100 may also run by being connected, through a network such as the Internet, to a remote computer on the network. That is, the server 1100 may be connected to a network 1112 through a network interface unit 1111 connected to the system bus 1105; in other words, the network interface unit 1111 may also be used to connect to other types of networks or remote computer systems (not shown).
The memory further includes one or more programs, which are stored in the memory and configured to be executed by one or more processors. The one or more programs contain instructions for executing the key management method on the background server side described above.
It should be understood that "multiple" as used herein means two or more. "And/or" describes an association between associated objects and indicates that three relationships are possible; for example, "A and/or B" can mean: A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the objects before and after it.
The serial number of the above embodiments of the invention is only for description, does not represent the advantages or disadvantages of the embodiments.
Those of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement, or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (27)

1. A key management method, characterized in that the method comprises:
Generating a temporary key;
Encrypting the temporary key using a public key provided by a background server to obtain a first ciphertext;
Sending an authentication request to the background server, the authentication request carrying the first ciphertext;
Receiving an authentication response sent by the background server, the authentication response carrying a second ciphertext, the second ciphertext being a ciphertext obtained by encrypting a session key and a key identification using the temporary key; wherein the temporary key is obtained by the background server, after obtaining the globally unique identifier (GUID) corresponding to the device on which the client is located, by decrypting the first ciphertext using the private key corresponding to the public key when it detects that the number of authentication requests corresponding to the GUID is less than a preset threshold; the key identification is used to identify the session key, and the session key is used to encrypt the data of the session;
Decrypting the second ciphertext using the temporary key to obtain the session key and the key identification.
2. The method according to claim 1, characterized in that, after decrypting the second ciphertext using the temporary key to obtain the session key and the key identification, the method further comprises:
Encrypting upstream data of the session using the session key to obtain encrypted upstream data;
Sending an upstream data packet to the background server, the header of the upstream data packet carrying the key identification and the body of the upstream data packet carrying the encrypted upstream data.
3. The method according to claim 1, characterized in that, after decrypting the second ciphertext using the temporary key to obtain the session key and the key identification, the method further comprises:
Receiving a downlink data packet sent by the background server, the header of the downlink data packet carrying the key identification and the body of the downlink data packet carrying encrypted downlink data;
Decrypting the encrypted downlink data using the session key corresponding to the key identification carried in the header, to obtain the downlink data.
4. The method according to claim 1, characterized in that generating the temporary key comprises:
Generating the temporary key using a random number generator.
5. The method according to claim 1, characterized in that the method further comprises:
Receiving an initialization vector, corresponding to the session key, sent by the background server, the initialization vector being for use by the local end when performing symmetric encryption and decryption using the session key.
6. A key management method, characterized in that the method comprises:
Receiving an authentication request sent by a client, the authentication request carrying a first ciphertext, the first ciphertext being a ciphertext obtained by encrypting a temporary key using a public key provided by the local end;
Obtaining the globally unique identifier (GUID) corresponding to the device on which the client is located;
Obtaining the number of authentication requests corresponding to the GUID;
If the number of authentication requests is less than a preset threshold, decrypting the first ciphertext using the private key corresponding to the public key to obtain the temporary key;
Obtaining a session key and a key identification; wherein the key identification is used to identify the session key, and the session key is used to encrypt the data of the session;
Encrypting the session key and the key identification using the temporary key to obtain a second ciphertext;
Sending an authentication response to the client, the authentication response carrying the second ciphertext.
7. The method according to claim 6, characterized in that obtaining the session key and the key identification comprises:
Generating the session key using a random number generator;
Generating the key identification corresponding to the session key.
8. The method according to claim 6, characterized in that obtaining the session key and the key identification comprises:
Selecting one group of corresponding session key and key identification from pre-stored keys;
Wherein the pre-stored keys include at least one group of corresponding session key and key identification.
9. The method according to claim 8, characterized in that selecting one group of corresponding session key and key identification from the pre-stored keys comprises:
Obtaining the Internet Protocol (IP) address corresponding to the client;
Determining a key selection range according to the IP address, the key selection range including a part of the corresponding session keys and key identifications in the pre-stored keys;
Selecting one group of corresponding session key and key identification from the key selection range.
10. The method according to claim 6, characterized in that, after sending the authentication response to the client, the method further comprises:
Receiving an upstream data packet sent by the client, the header of the upstream data packet carrying the key identification and the body of the upstream data packet carrying encrypted upstream data;
Decrypting the encrypted upstream data using the session key corresponding to the key identification carried in the header, to obtain the upstream data.
11. The method according to claim 6, characterized in that, after sending the authentication response to the client, the method further comprises:
Encrypting downlink data of the session using the session key to obtain encrypted downlink data;
Sending a downlink data packet to the client, the header of the downlink data packet carrying the key identification and the body of the downlink data packet carrying the encrypted downlink data.
12. The method according to claim 6, characterized in that the method further comprises:
Obtaining an initialization vector corresponding to the session key;
Sending the initialization vector to the client, the initialization vector being for use by the client when performing symmetric encryption and decryption using the session key.
13. A key management apparatus, characterized in that the apparatus comprises:
A key generation module, configured to generate a temporary key;
A first encryption module, configured to encrypt the temporary key using a public key provided by a background server to obtain a first ciphertext;
A request sending module, configured to send an authentication request to the background server, the authentication request carrying the first ciphertext;
A response receiving module, configured to receive an authentication response sent by the background server, the authentication response carrying a second ciphertext, the second ciphertext being a ciphertext obtained by encrypting a session key and a key identification using the temporary key; wherein the temporary key is obtained by the background server, after obtaining the globally unique identifier (GUID) corresponding to the device on which the client is located, by decrypting the first ciphertext using the private key corresponding to the public key when it detects that the number of authentication requests corresponding to the GUID is less than a preset threshold; the key identification is used to identify the session key, and the session key is used to encrypt the data of the session;
A first decryption module, configured to decrypt the second ciphertext using the temporary key to obtain the session key and the key identification.
14. The apparatus according to claim 13, characterized in that the apparatus further comprises:
An upstream data encryption module, configured to encrypt upstream data of the session using the session key to obtain encrypted upstream data;
An upstream data sending module, configured to send an upstream data packet to the background server, the header of the upstream data packet carrying the key identification and the body of the upstream data packet carrying the encrypted upstream data.
15. The apparatus according to claim 13, characterized in that the apparatus further comprises:
A downlink data receiving module, configured to receive a downlink data packet sent by the background server, the header of the downlink data packet carrying the key identification and the body of the downlink data packet carrying encrypted downlink data;
A downlink data decryption module, configured to decrypt the encrypted downlink data using the session key corresponding to the key identification carried in the header, to obtain the downlink data.
16. The apparatus according to claim 13, characterized in that
The key generation module is configured to generate the temporary key using a random number generator.
17. The apparatus according to claim 13, characterized in that the apparatus further comprises:
A vector receiving module, configured to receive an initialization vector, corresponding to the session key, sent by the background server, the initialization vector being for use by the local end when performing symmetric encryption and decryption using the session key.
18. A key management apparatus, characterized in that the apparatus comprises:
A request receiving module, configured to receive an authentication request sent by a client, the authentication request carrying a first ciphertext, the first ciphertext being a ciphertext obtained by encrypting a temporary key using a public key provided by the local end;
An identifier obtaining module, configured to obtain the globally unique identifier (GUID) corresponding to the device on which the client is located;
A count obtaining module, configured to obtain the number of authentication requests corresponding to the GUID;
A second decryption module, configured to, when the number of authentication requests is less than a preset threshold, decrypt the first ciphertext using the private key corresponding to the public key to obtain the temporary key;
A key obtaining module, configured to obtain a session key and a key identification; wherein the key identification is used to identify the session key, and the session key is used to encrypt the data of the session;
A second encryption module, configured to encrypt the session key and the key identification using the temporary key to obtain a second ciphertext;
A response sending module, configured to send an authentication response to the client, the authentication response carrying the second ciphertext.
19. The apparatus according to claim 18, characterized in that
The key obtaining module is configured to generate the session key using a random number generator and to generate the key identification corresponding to the session key.
20. The apparatus according to claim 18, characterized in that
The key obtaining module is configured to select one group of corresponding session key and key identification from pre-stored keys;
Wherein the pre-stored keys include at least one group of corresponding session key and key identification.
21. The apparatus according to claim 20, characterized in that the key obtaining module comprises:
An address obtaining unit, configured to obtain the Internet Protocol (IP) address corresponding to the client;
A range determining unit, configured to determine a key selection range according to the IP address, the key selection range including a part of the corresponding session keys and key identifications in the pre-stored keys;
A key selection unit, configured to select one group of corresponding session key and key identification from the key selection range.
22. The apparatus according to claim 18, characterized in that the apparatus further comprises:
An upstream data receiving module, configured to receive an upstream data packet sent by the client, the header of the upstream data packet carrying the key identification and the body of the upstream data packet carrying encrypted upstream data;
An upstream data decryption module, configured to decrypt the encrypted upstream data using the session key corresponding to the key identification carried in the header, to obtain the upstream data.
23. The apparatus according to claim 18, characterized in that the apparatus further comprises:
A downlink data encryption module, configured to encrypt downlink data of the session using the session key to obtain encrypted downlink data;
A downlink data sending module, configured to send a downlink data packet to the client, the header of the downlink data packet carrying the key identification and the body of the downlink data packet carrying the encrypted downlink data.
24. The apparatus according to claim 18, characterized in that the apparatus further comprises:
A vector obtaining module, configured to obtain an initialization vector corresponding to the session key;
A vector sending module, configured to send the initialization vector to the client, the initialization vector being for use by the client when performing symmetric encryption and decryption using the session key.
25. A key management system, characterized in that the system comprises a client and a background server;
The client includes the key management apparatus according to any one of claims 13 to 17;
The background server includes the key management apparatus according to any one of claims 18 to 24.
26. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a program, and the program is executed by a processor to implement the key management method according to any one of claims 1 to 5.
27. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a program, and the program is executed by a processor to implement the key management method according to any one of claims 6 to 11.
CN201610579122.XA 2016-07-20 2016-07-20 Key management method, apparatus and system Active CN106712932B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610579122.XA CN106712932B (en) 2016-07-20 2016-07-20 Key management method, apparatus and system
PCT/CN2017/091646 WO2018014723A1 (en) 2016-07-20 2017-07-04 Key management method, apparatus, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610579122.XA CN106712932B (en) 2016-07-20 2016-07-20 Key management method, apparatus and system

Publications (2)

Publication Number Publication Date
CN106712932A CN106712932A (en) 2017-05-24
CN106712932B true CN106712932B (en) 2019-03-19

Family

ID=58939709

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610579122.XA Active CN106712932B (en) 2016-07-20 2016-07-20 Key management method, apparatus and system

Country Status (2)

Country Link
CN (1) CN106712932B (en)
WO (1) WO2018014723A1 (en)

Families Citing this family (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106712932B (en) * 2016-07-20 2019-03-19 腾讯科技(深圳)有限公司 Key management method, apparatus and system
CN107493281A (en) * 2017-08-16 2017-12-19 海信集团有限公司 encryption communication method and device
CN109698935A (en) * 2017-10-24 2019-04-30 中国移动通信有限公司研究院 Monitor video encrypting and decrypting method and device, equipment, storage medium, system
CN107896147B (en) * 2017-12-07 2020-07-28 福建联迪商用设备有限公司 Method and system for negotiating temporary session key based on national cryptographic algorithm
CN109962767A (en) * 2017-12-25 2019-07-02 航天信息股份有限公司 A kind of safety communicating method
CN108566365B (en) * 2018-01-22 2020-09-22 成都清轻信息技术有限公司 Intelligent door lock opening method based on sound wave technology
CN109150865A (en) * 2018-08-07 2019-01-04 厦门市美亚柏科信息股份有限公司 A kind of protection, device and the storage medium of mobile terminal APP communications protocol
CN109067814B (en) * 2018-10-31 2021-04-20 苏州科达科技股份有限公司 Media data encryption method, system, device and storage medium
CN109547471B (en) * 2018-12-24 2021-10-26 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) Network communication method and device
CN109831432B (en) * 2019-01-30 2021-06-01 重庆农村商业银行股份有限公司 Third-party secure access method in application form of service provider H5
CN110601825B (en) * 2019-08-29 2022-09-30 北京思源理想控股集团有限公司 Ciphertext processing method and device, storage medium and electronic device
CN110688646B (en) * 2019-10-14 2021-12-03 广州麦仑信息科技有限公司 Multi-server cluster security authentication method applied to palm vein recognition
CN110890968B (en) * 2019-10-24 2022-08-23 成都卫士通信息产业股份有限公司 Instant messaging method, device, equipment and computer readable storage medium
CN110995685B (en) * 2019-11-26 2022-07-19 中国银联股份有限公司 Data encryption and decryption method, device, system and storage medium
CN111080299B (en) * 2019-12-27 2020-12-15 广州骏伯网络科技有限公司 Anti-repudiation method for transaction information, client and server
CN111432373B (en) 2020-02-24 2022-08-30 吉利汽车研究院(宁波)有限公司 Security authentication method and device and electronic equipment
CN117201014A (en) * 2020-02-29 2023-12-08 华为技术有限公司 Key updating method and related device
CN111368322B (en) * 2020-03-11 2022-04-12 中电科(天津)网络信息安全有限公司 File decryption method and device, electronic equipment and storage medium
CN111431890B (en) * 2020-03-20 2021-12-03 苏州瑞立思科技有限公司 Low-overhead intermediate server proxy transmission authentication method and device
CN111611577B (en) * 2020-05-22 2023-10-03 北京金山云网络技术有限公司 Authentication method, authentication device, authentication system, electronic equipment and computer readable storage medium
CN111951463B (en) * 2020-06-05 2022-08-19 陶源 Vending machine activation system and vending machine offline vending method
CN111683099B (en) * 2020-06-11 2023-06-09 杭州海兴电力科技股份有限公司 Data communication method, device and equipment
CN111865956A (en) * 2020-07-13 2020-10-30 杭州萤石软件有限公司 System, method, device and storage medium for preventing service hijacking
CN114095152A (en) * 2020-08-03 2022-02-25 天翼电子商务有限公司 Method, system, medium and apparatus for updating key and encrypting and decrypting data
CN111988299A (en) * 2020-08-14 2020-11-24 杭州视洞科技有限公司 Method for establishing trusted link between client and server
CN112073192B (en) * 2020-09-07 2023-01-10 北京天融信网络安全技术有限公司 Data processing method and device and cipher machine
CN112398832B (en) * 2020-11-04 2022-02-01 四川长虹电器股份有限公司 Service end user data encryption method and decryption method
CN112564901B (en) * 2020-12-08 2023-08-25 三维通信股份有限公司 Method and system for generating secret key, storage medium and electronic device
CN114697008B (en) * 2020-12-30 2024-03-12 科大国盾量子技术股份有限公司 Communication system and method based on quantum security SIM card, quantum security SIM card and key service platform
CN112769560B (en) * 2020-12-31 2023-03-24 中国农业银行股份有限公司 Key management method and related device
CN113489706B (en) * 2021-06-30 2023-10-10 北京达佳互联信息技术有限公司 Data processing method, device, system, equipment and storage medium
CN113691502B (en) * 2021-08-02 2023-06-30 上海浦东发展银行股份有限公司 Communication method, device, gateway server, client and storage medium
CN114401102A (en) * 2021-11-29 2022-04-26 南威软件股份有限公司 HTTP request parameter encryption scheme based on cryptographic algorithm
CN114499836A (en) * 2021-12-29 2022-05-13 北京像素软件科技股份有限公司 Key management method, key management device, computer equipment and readable storage medium
CN114374512B (en) * 2022-01-10 2023-01-10 梵迩佳智能电气有限公司 Unmanned aerial vehicle communication method based on quantum strategy
CN115801308B (en) * 2022-09-16 2023-08-29 北京瑞莱智慧科技有限公司 Data processing method, related device and storage medium
CN116094763A (en) * 2022-12-07 2023-05-09 天翼云科技有限公司 Internet surfing behavior management and control method and system based on cloud mobile phone
CN116112152B (en) * 2023-04-11 2023-06-02 广东徐工汉云工业互联网有限公司 Data sharing security encryption method and device across enterprise network
CN116436710B (en) * 2023-06-15 2023-08-29 烟台岸基网络科技有限公司 Remote operation system for operation of port bridge type loading and unloading equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103532714A (en) * 2012-07-06 2014-01-22 中国银联股份有限公司 Method and system for transmitting data from data provider to intelligent card
CN103595718A (en) * 2013-11-15 2014-02-19 拉卡拉支付有限公司 POS terminal and method, system and service platform for activating same
CN104519013A (en) * 2013-09-27 2015-04-15 华为技术有限公司 Method and system for ensuring security of media stream, and device
CN105307160A (en) * 2015-09-29 2016-02-03 北京元心科技有限公司 Data transmission method and device by use of Wi-Fi network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106712932B (en) * 2016-07-20 2019-03-19 腾讯科技(深圳)有限公司 Key management method, apparatus and system

Also Published As

Publication number Publication date
CN106712932A (en) 2017-05-24
WO2018014723A1 (en) 2018-01-25

Similar Documents

Publication Publication Date Title
CN106712932B (en) Key management method, apparatus and system
CN108965302B (en) Media data transmission system, method, device and storage medium
CN111193695B (en) Encryption method and device for third party account login and storage medium
US10819687B2 (en) Apparatus and method of encrypted communication
CN104580167B (en) A kind of methods, devices and systems transmitting data
KR101894232B1 (en) Method and apparatus for cloud-assisted cryptography
US11177955B2 (en) Device-to-device messaging protocol
US20160197894A1 (en) Method of generating a deniable encrypted communications via password entry
CN110417543B (en) Data encryption method, device and storage medium
CN104821937A (en) Token acquisition method, device and system
US9961056B2 (en) Method of deniable encrypted communications
US11736304B2 (en) Secure authentication of remote equipment
US20220182825A1 (en) Identity Authentication Method and Apparatus
KR102527524B1 (en) Techniques for Multi-Agent Messaging
CN109088799A (en) A kind of user end inserting method, device, terminal and storage medium
CN109086595A (en) A kind of business account switching method, system, device and server
WO2023226778A1 (en) Identity authentication method and apparatus, and electronic device and computer-readable storage medium
CN114553612B (en) Data encryption and decryption method and device, storage medium and electronic equipment
JP7366115B2 (en) Delivering notifications to mobile devices
CN108737341A (en) Method for processing business, terminal and server
CN113434904A (en) Data processing method and device, computer equipment and storage medium
CN108880787A (en) A kind of processing method and relevant device of information key
CN113726768A (en) Data transmission method and device, electronic equipment and readable storage medium
CN109933960A (en) Service call control method, service calling method, device and terminal
CN111970281B (en) Routing equipment remote control method and system based on verification server and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant