CN107682375A - A kind of key management and dynamic key guard method - Google Patents

A kind of key management and dynamic key guard method Download PDF

Info

Publication number
CN107682375A
CN107682375A CN201711168187.6A CN201711168187A CN107682375A CN 107682375 A CN107682375 A CN 107682375A CN 201711168187 A CN201711168187 A CN 201711168187A CN 107682375 A CN107682375 A CN 107682375A
Authority
CN
China
Prior art keywords
key
public key
public
pond
recipient
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201711168187.6A
Other languages
Chinese (zh)
Inventor
宋奕
董芳芳
李弯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Jia Hong Technology Co Ltd
Original Assignee
Wuhan Jia Hong Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Jia Hong Technology Co Ltd filed Critical Wuhan Jia Hong Technology Co Ltd
Priority to CN201711168187.6A priority Critical patent/CN107682375A/en
Publication of CN107682375A publication Critical patent/CN107682375A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a kind of key management and dynamic key guard method, sets the public key pond of a predefined size for recipient first, generates multiple keys pair at random, and retains wherein private key, public key therein and be sent to public key pond;It is spare public key that a public key is specified from public key pond, selects a public key to be used for encrypting confidential information to be added from the public key pond of recipient;Then one rescue bag of sender's public key and Symmetric key generation, security platform is sent to, recipient downloads rescue bag from security platform, and decrypts message.The method provided by the invention is mainly characterized in that the multipair key pair of output, separate management public key and private key, on the basis of rivest, shamir, adelman is realized, safe management key, ensure to transmit the security reliability of message.By using with delete key, ensure the security that key uses, identical key will not be reused, come ensure transmit message reliability.

Description

A kind of key management and dynamic key guard method
Technical field
The invention belongs to field of information security technology, is related to a kind of key management and dynamic key guard method, by existing Some AESs and key management method proposed by the invention realize the security of electronic equipment exchange.
Background technology
With the prosperity of science and technology, increasing people is exchanged using electronic equipment with other people, but is not ensured that so Exchange be safe.The method of existing protection secure communication, such as digital certificate, may make management become cumbersome, And may be under attack.
The content of the invention
In order to solve the above-mentioned technical problem, the present invention provides a kind of management key on the basis of digital certificate is not needed Method, ensure that the safety of communication.
The technical solution adopted in the present invention is:A kind of key management and dynamic key guard method, it is characterised in that bag Include following steps:
Step 1:The public key pond of one predefined size is set for recipient, first sets the size in pond herein, is gone back in public key pond Public key is not generated, then generates multiple keys pair at random, and retains private key therein, and public key therein, which is sent to, sets size Public key pond in;It is spare public key to specify a public key in public key pond, selects a public key to be used for from the public key pond of recipient Encrypt confidential information to be added;
Step 2:One rescue bag of sender's public key and Symmetric key generation, is sent to security platform, and recipient is from peace Full platform downloads rescue bag, and decrypts message.
Preferably, in step 1, the public key that prioritizing selection during public key is not spare public key is selected.
Preferably, in step 1, a public key is selected to be used for after encrypting from the public key pond of recipient, from public key pond Delete selected public key.
Preferably, in step 1, a public key for being used for encrypting is selected from the public key pond of recipient, then will be chosen Public key be sent to sender.
Preferably, in step 1, public key is supplemented when public key quantity is less than preset value in the public key pond.
Preferably, in step 2, generation random symmetric key is used for encrypting message.
Preferably, in step 2, using public key encryption symmetric key, (symmetric key encryption message, is then added with public key Close symmetric key).
Preferably, in step 2, the rescue bag of generation sends security platform to, and the key of transmission is sender and safety The shared key of platform, this key symmetric key newly-generated when being sender and security platform transmission information.
Preferably, in step 2, recipient is known from security platform message sink, and recipient checks that hardware information is No matching, check whether the information in recipient's equipment and rescue bag is identical, if it is different, message will be unable to access, if letter Breath matching, then authorisation device is decrypted using private key.
The method provided by the invention is mainly characterized in that the multipair key pair of output, separate management public key and private key, are realizing asymmetric encryption calculation On the basis of method, safe management key, ensure to transmit the security reliability of message.By using close with deletion key, guarantee The security that key uses, identical key will not be reused, to ensure to transmit the reliability of message.
Brief description of the drawings
Fig. 1 is that the security platform of inventive embodiments promotes the schematic diagram of secure communication;
Fig. 2 a are the flow chart of the user installation and registration APP processes of inventive embodiments;
Fig. 2 b are the process flow diagram flow chart of many keys pair of generation of inventive embodiments;
Fig. 3 is the flow chart of the message transmitting process of inventive embodiments;
Fig. 4 is the flow chart of the security foam of inventive embodiments;
Fig. 5 is the process flow diagram flow chart of the access safety bag message of inventive embodiments;
Fig. 6 is the flow chart of the registration process performed by equipment of inventive embodiments;
Fig. 7 is the process flow diagram flow chart of the transmission message of inventive embodiments;
Fig. 8 be inventive embodiments receive key after perform synchronisation key buffer update flow chart;
Fig. 9 is the flow chart of the asynchronous cipher key cache renewal of execution of inventive embodiments.
Embodiment
Understand for the ease of those of ordinary skill in the art and implement the present invention, below in conjunction with the accompanying drawings and embodiment is to this hair It is bright to be described in further detail, it will be appreciated that implementation example described herein is merely to illustrate and explain the present invention, not For limiting the present invention.
In secure communication, key management is extremely important, and the present invention proposes a key management and dynamic key Guard method, it ensure that the safety of communication, it is ensured that the safe exchange of electric room.
Fig. 1 shows the embodiment securely communicated by security platform.100 be software distribution server, security platform 102 are communicated with client device 106 and 114 by network 104.Assuming that 106 equipment user Zhang San and 114 Lee equipment user Four communications.Zhang San and Li Si obtain application program and registered.
Security platform 102 is communicated including one or more interfaces 118 with client device.120 be relational database, Including user name hash table 124, public key and reference value 126, device id table 128, APPID tables 130 and an information table 132.Peace Full platform 102 also includes processing engine 134, and its execution interface 118 interacts with database 120.Being performed by platform 102 for task Have (for example, by handling engine 134):A public key is specified in public key pond as spare public key;Add for the public key pond of user Add new public key;The size in dynamic adjustment client public key pond as needed.
Fig. 2 a show installation and registration process (such as equipment 106).Equipment generates multipair key pair in step 202, can To use the asymmetric cryptographic algorithms such as RSA generation key pair.In an example, every a piece of news that Zhang San sends will use it One public key encryption of middle generation, will destroy this public key after having used.Random server seed is generated in step 204, is walked The rapid random local seed of 205 generation.Seed is for generating key, and in some instances, seed is determined by hardware information. Step 208 creates equipment id from the hardware information of capture.APP requires that Zhang San provides username and password, in step 210 Generate and protect user cipher.Step 212 generates APPid, and APPid is the APP of an installation specific mark, in some realities In example, this id is the Hash of user cipher or the cryptographic Hash etc. of facility information.After the above information is generated, public affairs Key, equipment id and APPid are sent to server.At the end of flow 200, Zhang San is already prepared to send and receive communication.
Fig. 2 b show the process for generating many keys pair.Flow 250 is that the step 202 of flow 200 generates key to portion Divide and performed in client devices (such as equipment 106).Step 252 initialization server key cache size, that is, pool of keys Size, this pool of keys are the pool of keys (such as equipment 106) of user oneself.In an example, application program 116 is put down from safety It is 50 that pool of keys size is received in platform 102, and amount of capacity can be adjusted dynamically.Step 254 generates key pair, such as in equipment 106 generations.Step 256, to assigned references value, such as gives 50 encryption key distributions 50 reference values to key, and reference value is to use To distinguish the key in pool of keys.Reference value can generate at random.Step 268 stores key and reference value, in some instances, It can be stored in the safety database of equipment 106, corresponding public key sends security platform 102,102 to again from public key pond middle finger A fixed key is spare key.
Fig. 3 shows the example of message transmitting process.This flow 300 realizes such as 106 on a client device.Step 302 Public key, the equipment id and APPid of recipient is obtained from security platform 102.This process occurs to select addressee Shi Huo in Zhang San When person Zhang San sends message.Step 304 generates random symmetric cryptographic key.Step 306 symmetric key encryption message, annex And message control option.Step 308 (obtains) encrypted symmetric key with the public key of recipient from public key pond, generates rescue bag. The rescue bag of generation is safely transferred to platform 102, in some instances, the symmetric key of platform and collaborative share safe to use To transmit rescue bag.No matter Zhang San specifies how many addressee, an only rescue bag is sent to 102 platforms.In security platform After receiving rescue bag, processing engine 134 opens it and determines the recipient of message.134 by contrasting rescue bag and database 120 In equipment id and user name determine the recipient of message.After security platform receives rescue bag, processing engine 134 is disappearing Cease and an entry is created in table 132, and notify recipient to there is message to need to receive.In some instances, once recipient is successful Receive rescue bag and just remove it, a time limit can also be set, if recipient does not receive in this time limit, just force to move Except rescue bag.
Fig. 4 shows the example of security foam.Flow 400 is generated by the implementation procedure 300 of application program 116.402 be to disappear Breath and annex, 404 be message control option, and message control option is for example:Life cycle, the time is terminated, is shared, preserve etc..406 It is to use the symmetric key encryption 402 and 404 in step 304, i.e., with symmetric key encryption message and annex.408 be to use recipient Public key encryption symmetric key.410 be some relevant informations, including the user name of the DeviceID of each addressee, hash, AppID and reference value.412 be expanded function, for extending the key digit of symmetric key.414 use EK1,2Encryption, EK1,2It is The symmetric key that application program 116 and security platform 102 are shared, that is, send security platform to after encrypting whole rescue bag.
Zhang San sends message, and when security platform receives, by setting flag bit, to represent recipient, so-and-so needs to receive Message.When Li Si is using APP on mobile phone (application program 138 in equipment 114), application program is carried out with platform 102 Communication, judges whether Li Si has new information by judging the flag bit of database 120 in security platform.
Fig. 5 is the process 500 that wherein message is accessed after recipient receives rescue bag.This process occurs recipient's In equipment, such as in the equipment 114 of Li Si.502 steps are that recipient's equipment receives rescue bag, (such as in 114 equipment 138 application programs) application program 138 communicates with 102 security platforms, it is determined that there is no marks to represent that recipient receives message (mark Represent that recipient receives one or more message), and download rescue bag from platform 102.Step 504 checks hardware information, inspection Whether the information looked into recipient's equipment and rescue bag is identical, if it is different, message will be unable to access, if information matches, The equipment is authorized to be decrypted with private key.Equipment 114 selects the private key corresponding to the public key of the recipient selected when message is sent Decrypt rescue bag.
Fig. 6 is the flow 600 of the registration process performed by equipment 106.602 steps receive one of pool of keys size initially Value, such as 50, step 604 produces key pair, and quantity is the initial value set in step 602.Step 606 is joined to key to distribution Value is examined, reference value is used for identifying different keys pair.Private key and reference value, in some instances, 50 is being locally stored in step 608 The private key and reference value of individual cipher key pair are stored in the database of equipment 106, and carry out safeguard protection.Step 610 transmits public affairs Key and reference value give 102 security platforms, and it is spare key that platform, which will specify one of them in 50 public keys,.
Fig. 7 is the process 700 for sending message, and when Li Si is to Zhang San's transmission message, this process is performed by equipment 114.Step The public key of rapid 702 request recipient.Equipment 114 asks the public key associated with Zhang San to platform 102.If the pool of keys of Zhang San Many of public key, platform can prioritizing selection one non-spare key send, this key is sent to after equipment 114 just by it Delete this key.If there was only a public key (such as there was only spare key in pond), security platform 102 in the pool of keys of Zhang San This spare key can be sent to equipment 114, but not is deleted.704 steps are that equipment 114 receives request from security platform 102 Public key and its reference value.Step 706 uses the public key encryption message received.Step 708 transmits this message.
Fig. 8 is to perform the step 800 of synchronisation key buffer update after receiving key, that is, updates key in pool of keys Step.Such as during Zhang San's reception message, the process is performed by equipment 106.802 steps are that equipment 106 communicates with security platform 102 To receive and obtain message.Step 804 obtains private key and decrypted.The reference of key is obtained from message obtained in the previous step Value, then the private key decryption message of corresponding reference value is found in slave unit 106.806 steps are the extra keys pair of the output of equipment 106 To fill pool of keys, such as 106 can be with the key pair for the message equal amount that output is a collection of and receives.Step 808 produces to new Key to assigned references value, there is private key and reference value local in step 810, step 812 sends public key and reference value to Security platform.
Fig. 9 is the process 900 for performing asynchronous cipher key cache renewal, is performed by equipment 106.902 steps are equipment 106 with putting down Platform 102 connects.This connection can periodically be connected, such as daily, per hour etc..It can also be in response to trigger thing Part, such as just switch on power, just it is connected to network etc..Step 904 the reception server cipher key cache counts, i.e., is currently The quantity of key in the pool of keys that user provides.Step 906 generates an appropriate number of key pair and reference value, and stores and send out Send.If cipher key cache is counted as zero, it is spare key to specify one in newly-generated key, and former spare key is by pin Ruin.
It should be appreciated that the part that this specification does not elaborate belongs to prior art.
It should be appreciated that the above-mentioned description for preferred embodiment is more detailed, therefore can not be considered to this The limitation of invention patent protection scope, one of ordinary skill in the art are not departing from power of the present invention under the enlightenment of the present invention Profit is required under protected ambit, can also be made replacement or deformation, be each fallen within protection scope of the present invention, this hair It is bright scope is claimed to be determined by the appended claims.

Claims (9)

1. a kind of key management and dynamic key guard method, it is characterised in that comprise the following steps:
Step 1:The public key pond of one predefined size is set for recipient, first sets the size in pond herein, is not given birth to also in public key pond Into public key, multiple keys pair are then generated at random, and retain private key therein, and public key therein is sent to the public affairs for setting size In key pond;It is spare public key to specify a public key in public key pond, selects a public key to be used for encrypting from the public key pond of recipient Confidential information to be added;
Step 2:One rescue bag of sender's public key and Symmetric key generation, is sent to security platform, recipient puts down from safety Platform downloads rescue bag, and decrypts message.
2. key management according to claim 1 and dynamic key guard method, it is characterised in that:In step 1, selection is public Prioritizing selection is not the public key of spare public key during key.
3. key management according to claim 1 and dynamic key guard method, it is characterised in that:In step 1, from reception Select a public key to be used for after encrypting in the public key pond of person, selected public key is deleted from public key pond.
4. key management according to claim 1 and dynamic key guard method, it is characterised in that:In step 1, from reception A public key for being used for encrypting is selected in the public key pond of person, the public key chosen then is sent to sender.
5. key management and dynamic key guard method according to claim 1-4 any one, it is characterised in that:Step In 1, public key is supplemented when public key quantity is less than preset value in the public key pond.
6. key management according to claim 1 and dynamic key guard method, it is characterised in that:In step 2, generate with Machine symmetric key is used for encrypting message.
7. key management according to claim 1 and dynamic key guard method, it is characterised in that:In step 2, public affairs are used Key encrypted symmetric key.
8. key management according to claim 1 and dynamic key guard method, it is characterised in that:In step 2, generation Rescue bag sends security platform to, and the key that the key of transmission is sender and security platform is shared, this key is sender With symmetric key newly-generated during security platform transmission information.
9. key management and dynamic key guard method according to claim 1,6-8 any one, it is characterised in that:Step In rapid 2, recipient is known from security platform message sink, recipient check information whether match, check recipient's equipment and Whether the information in rescue bag is identical, if it is different, message will be unable to access, if information matches, authorisation device uses private Key is decrypted.
CN201711168187.6A 2017-11-21 2017-11-21 A kind of key management and dynamic key guard method Withdrawn CN107682375A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711168187.6A CN107682375A (en) 2017-11-21 2017-11-21 A kind of key management and dynamic key guard method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711168187.6A CN107682375A (en) 2017-11-21 2017-11-21 A kind of key management and dynamic key guard method

Publications (1)

Publication Number Publication Date
CN107682375A true CN107682375A (en) 2018-02-09

Family

ID=61150327

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711168187.6A Withdrawn CN107682375A (en) 2017-11-21 2017-11-21 A kind of key management and dynamic key guard method

Country Status (1)

Country Link
CN (1) CN107682375A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109687960A (en) * 2018-12-29 2019-04-26 如般量子科技有限公司 Cloud storage method and system is acted on behalf of in anti-quantum calculation based on multiple public asymmetric key ponds

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1633071A (en) * 2005-01-14 2005-06-29 南相浩 Method and apparatus for cipher key generation based on identification
CN1773905A (en) * 2004-11-10 2006-05-17 日电(中国)有限公司 Method, equipment and system for generating anonymous common key in safety communication system
CN105024807A (en) * 2014-04-30 2015-11-04 宇龙计算机通信科技(深圳)有限公司 Data processing method and system
CN105763540A (en) * 2016-02-01 2016-07-13 上海凭安网络科技有限公司 Data communication method for protecting identity privacy of both sides
US9698976B1 (en) * 2014-02-24 2017-07-04 Wickr Inc. Key management and dynamic perfect forward secrecy

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1773905A (en) * 2004-11-10 2006-05-17 日电(中国)有限公司 Method, equipment and system for generating anonymous common key in safety communication system
CN1633071A (en) * 2005-01-14 2005-06-29 南相浩 Method and apparatus for cipher key generation based on identification
US9698976B1 (en) * 2014-02-24 2017-07-04 Wickr Inc. Key management and dynamic perfect forward secrecy
CN105024807A (en) * 2014-04-30 2015-11-04 宇龙计算机通信科技(深圳)有限公司 Data processing method and system
CN105763540A (en) * 2016-02-01 2016-07-13 上海凭安网络科技有限公司 Data communication method for protecting identity privacy of both sides

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109687960A (en) * 2018-12-29 2019-04-26 如般量子科技有限公司 Cloud storage method and system is acted on behalf of in anti-quantum calculation based on multiple public asymmetric key ponds
CN109687960B (en) * 2018-12-29 2021-08-10 如般量子科技有限公司 Anti-quantum computing proxy cloud storage method and system based on multiple public asymmetric key pools

Similar Documents

Publication Publication Date Title
CN106656476B (en) Password protection method and device and computer readable storage medium
CN109495274B (en) Decentralized intelligent lock electronic key distribution method and system
CN108985099B (en) Proxy cloud storage security control method and system based on public key pool
CN105323070B (en) A kind of safety E-mail implementation method based on digital envelope
CN109150519A (en) Anti- quantum calculation cloud storage method of controlling security and system based on public keys pond
CN101515319B (en) Cipher key processing method, cipher key cryptography service system and cipher key consultation method
CN102970299A (en) File safe protection system and method thereof
JP2009103774A (en) Secret sharing system
CN108667791B (en) Identity authentication method
CN105610789B (en) A kind of data ciphering method for chatting instant messaging suitable for more crowds
KR101189683B1 (en) System, apparatus and method for encoding transmittance of personal information proteced document
JP2005502240A5 (en)
JPWO2018235845A1 (en) Key exchange system and key exchange method
CN106605419A (en) Method and system for secure SMS communications
CN108199838A (en) A kind of data guard method and device
CA2536865A1 (en) System and method for securing wireless data
CN104270380A (en) End-to-end encryption method and system based on mobile network and communication client side
JPH09321748A (en) Communication system by shared cryptographic key, server device and client device for the system, and method for sharing cryptographic key in communication system
CN102404107B (en) A kind of ensure the method for input content safety, device, transmitting terminal and receiving terminal
CN104811451A (en) Link login method and system
CN110493124A (en) Protect the encryption instantaneous communication system and communication means of data safety
CN111541603B (en) Independent intelligent safety mail terminal and encryption method
CN107682375A (en) A kind of key management and dynamic key guard method
CN109299618A (en) Anti- quantum calculation cloud storage method and system based on quantum key card
CN104796411A (en) Method for safely transmitting, storing and utilizing data in cloud and mobile terminal

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20180209

WW01 Invention patent application withdrawn after publication