CN107979461B - Key retrieving method, device, terminal, key escrow server and readable medium - Google Patents

Key retrieving method, device, terminal, key escrow server and readable medium Download PDF

Info

Publication number
CN107979461B
CN107979461B CN201711026657.5A CN201711026657A CN107979461B CN 107979461 B CN107979461 B CN 107979461B CN 201711026657 A CN201711026657 A CN 201711026657A CN 107979461 B CN107979461 B CN 107979461B
Authority
CN
China
Prior art keywords
key
sub
ith
identifier
strings
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711026657.5A
Other languages
Chinese (zh)
Other versions
CN107979461A (en
Inventor
张建俊
唐子超
藏军
邹文伟
李茂材
王宗友
秦青
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN202010455600.2A priority Critical patent/CN111600710B/en
Priority to CN201711026657.5A priority patent/CN107979461B/en
Priority to CN202010455890.0A priority patent/CN111585760B/en
Publication of CN107979461A publication Critical patent/CN107979461A/en
Application granted granted Critical
Publication of CN107979461B publication Critical patent/CN107979461B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Abstract

The application discloses a method, a device, a terminal, a key escrow server and a readable medium for retrieving a secret key, and relates to the field of data encryption. The method comprises the following steps: acquiring a threshold value k; sending an acquisition request to a key escrow server for at least k times according to a threshold value k, wherein the key escrow server is connected with m storage nodes, a target key is divided into n sub-key strings which are respectively stored in the n storage nodes, and k is more than or equal to 2 and is less than or equal to n and is less than or equal to m; acquiring at least k sub-key strings fed back by a key escrow server; and reconstructing a target key according to at least k sub-key strings. The secret keys are segmented to obtain a plurality of sub secret key strings, and the plurality of sub secret key strings are stored in a plurality of storage nodes respectively.

Description

Key retrieving method, device, terminal, key escrow server and readable medium
Technical Field
The embodiment of the application relates to the field of data encryption, in particular to a method, a device, a terminal, a key escrow server and a readable medium for retrieving a key.
Background
Asymmetric encryption is an encryption method that encrypts by a public key and a private key. Typically, the public key is held by the server side and the private key is held by the user side. When the user forgets the private key, the private key needs to be retrieved.
In the related art, a server stores a backup key. The first time the user obtains the key, the user may reserve a private mailbox to the server. When the user needs to retrieve the secret key, a secret key retrieval request is submitted to the server. And the server sends the secret key to the reserved private mailbox according to the secret key retrieval request. And after the user opens the private mailbox, checking the retrieved secret key.
When a malicious person attacks the server through a hacking program, the malicious person can directly obtain the secret key of the user, so that the secret key recovery method is poor in security.
Disclosure of Invention
The embodiment of the application provides a method, a device, a terminal, a key escrow server and a readable medium for retrieving a key, which can solve the problem that malicious personnel can directly obtain the key of a user through attacking the server. The technical scheme is as follows:
in a first aspect, a method for recovering a key is provided, where the method includes:
acquiring a threshold value k;
sending an obtaining request to a key escrow server for at least k times according to the threshold k, wherein the ith obtaining request is used for requesting to obtain an ith sub-key string of the target key, the key escrow server is connected with m storage nodes, the target key is divided into n sub-key strings which are respectively stored in the n storage nodes, i is more than or equal to 0 and less than or equal to k, and k is more than or equal to 2 and less than or equal to n and less than or equal to m;
acquiring at least k sub-key strings fed back by the key escrow server;
and reconstructing the target key according to the at least k sub-key strings.
In a second aspect, a key recovery method is provided, and is applied to a key escrow server, where the key escrow server is connected to m storage nodes, and the method includes:
receiving an acquisition request sent by a terminal at least k times, wherein the ith acquisition request is used for requesting to acquire an ith sub-key string of a target key, the target key is divided into n sub-key strings which are respectively stored in n storage nodes, i is more than or equal to 0 and less than or equal to k, and k is more than or equal to 2 and less than or equal to n and less than or equal to m;
acquiring at least k sub key strings from the n storage nodes according to the at least k acquisition requests;
and sending the at least k sub-key strings to the terminal.
In a third aspect, there is provided a key recovery apparatus, including:
a first obtaining module, configured to obtain a threshold k;
a first sending module, configured to send an acquisition request to a key escrow server for at least k times according to the threshold k, where the ith acquisition request is used to request to acquire an ith sub-key string of a target key, the key escrow server is connected to m storage nodes, the target key is divided into n sub-key strings, the n sub-key strings are respectively stored in the n storage nodes, i is greater than or equal to 0 and less than or equal to k, and k is greater than or equal to 2 and less than or equal to n and less than or equal to m;
the first obtaining module is further configured to obtain at least k sub-key strings fed back by the key escrow server;
and the reconstruction module is used for reconstructing the target key according to the at least k sub-key strings.
In a fourth aspect, there is provided an apparatus for recovering keys, the apparatus being connected to m storage nodes, the apparatus including:
the receiving module is used for receiving at least k times of obtaining requests sent by a terminal, the ith obtaining request is used for requesting to obtain the ith sub-key string of the target key, the target key is divided into n sub-key strings which are respectively stored in n storage nodes, i is more than or equal to 0 and less than or equal to k, and k is more than or equal to 2 and less than or equal to n and less than or equal to m;
a second obtaining module, configured to obtain at least k sub-key strings from the n storage nodes according to the at least k obtaining requests;
a second sending module, configured to send the at least k sub-key strings to the terminal.
In a fifth aspect, a terminal is provided, where the terminal includes a processor and a memory, where the memory stores at least one instruction, at least one program, a set of codes, or a set of instructions, and the at least one instruction, the at least one program, the set of codes, or the set of instructions is loaded and executed by the processor to implement the key recovery method according to any one of the first aspect and the optional embodiments of the embodiment of the present application.
In a sixth aspect, there is provided a key escrow server comprising a processor and a memory, wherein the memory has at least one instruction, at least one program, a set of codes, or a set of instructions stored therein, and the at least one instruction, the at least one program, the set of codes, or the set of instructions is loaded and executed by the processor to implement the key recovery method according to any one of the second aspect and the optional embodiments of the present application.
In a seventh aspect, there is provided a computer-readable storage medium, where at least one instruction, at least one program, a set of codes, or a set of instructions is stored, and the at least one instruction, the at least one program, the set of codes, or the set of instructions is loaded and executed by the processor to implement the key recovery method according to any one of the first aspect and the optional embodiments of the embodiment of the present application.
In an eighth aspect, there is provided a computer-readable storage medium having at least one instruction, at least one program, a set of codes, or a set of instructions stored therein, the at least one instruction, the at least one program, the set of codes, or the set of instructions being loaded and executed by a processor to implement the key recovery method according to any one of the second aspect and the optional embodiments of the embodiment of the present application.
The beneficial effects brought by the technical scheme provided by the embodiment of the application at least comprise:
the target key is segmented to obtain a plurality of sub-key strings, and the plurality of sub-key strings are stored in a plurality of storage nodes respectively.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a block diagram of a key recovery system provided in an exemplary embodiment of the present application;
fig. 2 is a flowchart of a key recovery method according to an exemplary embodiment of the present application;
fig. 3 is a flowchart of a key recovery method according to another exemplary embodiment of the present application;
fig. 4 is a flowchart of a key recovery method according to another exemplary embodiment of the present application;
fig. 5 is a flowchart of a key recovery method according to another exemplary embodiment of the present application;
FIG. 6 is a flow diagram of key segment storage provided by an exemplary embodiment of the present application;
fig. 7 is a flow diagram illustrating key segment acquisition in accordance with an exemplary embodiment of the present application;
fig. 8 is a block diagram of a key recovery apparatus according to an exemplary embodiment of the present application;
fig. 9 is a block diagram of a key recovery apparatus according to another exemplary embodiment of the present application;
fig. 10 is a block diagram of a structure of a terminal provided in an exemplary embodiment of the present application;
fig. 11 is a block diagram of the structure of a key escrow server provided in another exemplary embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Fig. 1 is a block diagram of a key recovery system according to an exemplary embodiment of the present application, and as shown in fig. 1, the key recovery system includes: a terminal 11, a key escrow server 12, m storage nodes 13 and a communication network 14. Wherein:
the terminal 11 is configured to split the target key into n sub-key strings, and store the n sub-key strings in the n storage nodes 13. When the target key needs to be retrieved, the terminal 11 acquires and reconstructs a sub-key string of the segmented target key. Optionally, the terminal 11 is further configured to obtain a target key, such as: the terminal 11 obtains a target key through a server for distributing keys, and segments the obtained target key to obtain a plurality of sub-key strings. Illustratively, the terminal 11 may be a mobile terminal, such as: any one of a mobile phone, a tablet and a portable notebook computer.
The terminal 11 is connected to a key escrow server 12 via a communication network 14. The communication network 14 may be a wired network or a wireless network.
The key escrow server 12 is used for routing a message between the terminal 11 and the storage node 13. That is, the key escrow server 12 is configured to search for an IP address corresponding to the storage node according to the received acquisition request (used for acquiring the target key), and forward the acquisition request to the terminal 11. Optionally, the key escrow server stores a correspondence table between the identifier of each storage node and the IP address corresponding to each storage node.
The key escrow server 12 is connected to the storage node 13 through a communication network 14.
The storage node 13 is configured to store a sub-key string of the segmented key in the terminal 11. Optionally, the storage node 13 includes: storage node 131, storage node 132, storage node 133, and storage node 134. For the same target key, only one sub-key string can be stored in one storage node. The sub-key strings stored between any two storage nodes are mutually unknown.
In the above embodiment, the key recovery system includes 4 storage nodes as an example for explanation, in an actual operation, the number of the storage nodes 13 may be more or less, and this is not limited in this embodiment of the application.
Fig. 2 is a flowchart of a key recovery method according to an exemplary embodiment of the present application, and is described by taking as an example that the method is applied to the key recovery system shown in fig. 1 and the number of storage nodes is m, as shown in fig. 2, the key recovery method includes two stages:
firstly, a key backup stage;
in step 201, the terminal divides the target key into n sub-key strings according to a threshold k.
Optionally, the threshold k is manually selected by a user, or the threshold k is preset by the terminal, or the threshold k is randomly generated by the terminal.
Optionally, the terminal divides the target key into n sub-key strings by using a lagrangian interpolation algorithm and according to a threshold k. And any k or more than k sub-key strings in the n sub-key strings can reconstruct the target key.
Illustratively, the terminal divides the target key into n interrelated sub-key strings through a lagrangian interpolation algorithm and a threshold value k, optionally, the n interrelated sub-key strings are determined by a polynomial determined by the lagrangian interpolation algorithm, and the target key can be reconstructed from any k or more sub-key strings in the n sub-key strings.
In step 202, the terminal sends n storage requests to the key escrow server.
Optionally, the ith storage request is used to request that the ith sub-key string of the target key is stored in the ith storage node, where the key escrow server is connected to the m storage nodes, i is greater than or equal to 0 and less than or equal to n, and k is greater than or equal to 2 and less than or equal to n and less than or equal to m.
Optionally, the number of storage nodes is m, the target key is divided into n sub-key strings, and n is less than or equal to m. The storage node can only store one sub-key string of the target key in one storage node, and each sub-key string stored in the second storage node can be selected by a user, or the storage node storing the sub-key string of the target key can be selected randomly by the terminal. And in the process of self-selection by the user, the selected storage node cannot be selected for the second time.
Meanwhile, the terminal also stores: and the corresponding relation between the first identifier of the sub-key string and the second identifier of the storage node storing the sub-key string.
In step 203, the key escrow server receives n storage requests sent by the terminal.
In step 204, the key escrow server stores n sub-key strings on n storage nodes according to the n storage requests.
Optionally, the key escrow server stores an IP address of each storage node, and stores n sub-key strings to the corresponding storage nodes according to the n storage requests.
In step 205, the terminal obtains a storage result fed back by the key escrow server.
Optionally, the storage result sent by the key escrow server to the terminal includes: store a success response or store a failure response.
The steps 203, 204 and 205 may be executed n times in a loop, and when the ith storage is successful, the (i + 1) th storage process is executed again.
Secondly, key retrieving;
in step 206, the terminal obtains a threshold k.
The threshold value k is used for determining the minimum number of sub-key strings for reconstructing the target key, and the sub-key strings are sub-strings obtained by segmenting the target key by the terminal.
Illustratively, the terminal includes a key segmentation Interface, where the key segmentation Interface is an API (Application Programming Interface) for segmenting a key, and the terminal divides a target key into n segments through the key segmentation Interface, that is, the target key is divided into n sub-key strings, and k is a threshold value; the target key can be reconstructed by at least k sub-key strings in the n sub-key strings, wherein k is more than or equal to 2 and less than or equal to n.
Step 207, the terminal sends at least k acquisition requests to the key escrow server according to the threshold k.
The acquisition request is used for acquiring a sub-key string of the target key. Optionally, the ith acquisition request is used to request to acquire an ith sub-key string of the target key, the key escrow server is connected to m storage nodes, the m storage nodes are used to store the sub-key strings of the target key, the target key is divided into n sub-key strings and stored in the n storage nodes, i is greater than or equal to 0 and less than or equal to k, and k is greater than or equal to 2 and less than or equal to n and less than or equal to m.
Optionally, the number of storage nodes is m, the target key is divided into n sub-key strings, and n is less than or equal to m. The storage node can only store one sub-key string of the target key in one storage node, and each sub-key string stored in the second storage node can be selected by a user, or the storage node storing the sub-key string of the target key can be selected randomly by the terminal. And in the process of self-selection by the user, the selected storage node cannot be selected for the second time.
In step 208, the key escrow server receives at least k acquisition requests sent by the terminal.
Optionally, the terminal may send an acquisition request to the key escrow server k times to acquire k sub-key strings, or send an acquisition request to the key escrow server more than k times and less than or equal to n times to acquire k sub-key strings and less than or equal to n sub-key strings.
In step 209, the key escrow server obtains at least k sub-key strings from the n storage nodes according to the at least k obtaining requests.
Optionally, the key escrow server stores an IP address of each storage node, and acquires the sub-key string from the corresponding storage node according to at least k acquisition requests and the IP address of each storage node.
In step 210, the key escrow server sends at least k sub-key strings to the terminal.
The key escrow server sends the received at least k sub-key strings to the terminal, and the terminal reconstructs the target key according to the received at least k sub-key strings.
In step 211, the terminal obtains at least k sub-key strings fed back by the key escrow server.
In step 212, the terminal reconstructs the target key according to the at least k sub-key strings.
Optionally, the terminal reconstructs the target key according to at least k sub-key strings by using a lagrangian interpolation algorithm.
Illustratively, a polynomial may be obtained according to the lagrange interpolation algorithm by concatenating at least k sub-keys and reconstructing the target key.
In summary, in the key retrieving method provided in this embodiment, the target key is segmented to obtain a plurality of sub-key strings, and the plurality of sub-key strings are stored in the plurality of storage nodes, respectively, because there are many storage nodes for storing the sub-key strings and the sub-key strings stored between different storage nodes are unknown to each other, when a malicious person attacks the storage nodes through a hacking procedure, the malicious person does not know which storage nodes store the sub-key strings of the target key, and cannot obtain all the sub-key strings by attacking one storage node, so that the security is high.
In an optional embodiment, the obtaining request sent by the terminal includes: the key escrow server acquires the sub-key string from the corresponding storage node according to the first identifier and the second identifier.
Fig. 3 is a flowchart of a key recovery method according to another exemplary embodiment of the present application, where as shown in fig. 3, the key recovery method includes:
in step 301, the terminal obtains a threshold k.
The threshold value k is used for determining the minimum number of sub-key strings for reconstructing the target key, and the sub-key strings are sub-strings obtained by segmenting the target key by the terminal.
Illustratively, the terminal includes a key segmentation interface, where the key segmentation interface is an API for segmenting a key, and the terminal divides a target key into n segments through the key segmentation interface, that is, divides the target key into n sub-key strings, and determines k as a threshold; the target key can be reconstructed by at least k sub-key strings in the n sub-key strings, where k is greater than or equal to 2 and less than or equal to n, and the k sub-key strings can be any k sub-key strings in the n sub-key strings.
Optionally, the threshold k is manually selected by a user, or the threshold k is preset by the terminal, or the threshold k is randomly generated by the terminal.
Step 302, the terminal obtains a pre-stored corresponding relationship.
Optionally, the terminal stores the pre-stored correspondence relationship, where the correspondence relationship includes a correspondence relationship between a first identifier of the sub-key string and a second identifier of the storage node. Optionally, the correspondence includes a first identifier of each sub-key string and a second identifier of a storage node storing the sub-key string.
Illustratively, taking 4 sub-key strings and 6 storage nodes as an example for explanation, the correspondence between the first identifier and the second identifier is shown in the following table one:
watch 1
Sub-key string Storage node
Sub-key string of No. 1 Node2
Sub-key string of 2 nd Node5
3 rd sub-key string Node3
4 th sub-key string Node1
Step 303, the terminal determines a first identifier of the ith sub-key string to be acquired.
Optionally, the terminal obtains the sub-key strings one by one, and when obtaining the ith sub-key string, first determines a first identifier of the ith sub-key string to be obtained.
And step 304, the terminal queries a second identifier of the ith storage node in the corresponding relationship according to the first identifier of the ith sub-key string.
Optionally, the terminal stores a correspondence between the first identifier of the ith sub-key string and the second identifier of the storage node that stores the ith sub-key string, and queries the second identifier of the ith storage node corresponding to the ith sub-key string through the correspondence.
Illustratively, the terminal determines that the sub-key string to be acquired is the 2 nd sub-key string, and in combination with the table one, the terminal queries to obtain the second identifier of the storage Node corresponding to the 2 nd sub-key string, which is Node 5.
In step 305, the terminal sends the ith acquisition request to the key escrow server.
Optionally, the ith acquisition request is used for requesting to acquire the ith sub-key string of the target key.
Illustratively, the sub-key string to be obtained is the 2 nd sub-key string, and the obtaining request includes the "2 nd sub-key string" and "Node 5".
Optionally, the ith acquisition request further includes a terminal identifier of the terminal and an IP address of the terminal.
In step 306, the key escrow server receives the ith acquisition request sent by the terminal.
Step 307, the key escrow server queries the IP address of the ith storage node according to the second identifier of the ith storage node carried in the ith acquisition request.
Optionally, the key escrow server stores a correspondence between the second identifiers of all m storage nodes and the IP address of each storage node, and queries the IP address of the ith storage node by referring to the correspondence through the second identifier of the ith storage node carried in the ith acquisition request.
Illustratively, taking the total number of the storage nodes as 6 as an example, the correspondence between the second identifiers of all the storage nodes and the IP address of each storage node is shown in the following table two:
watch two
Second label IP address
Node1 152.1.1.0
Node2 152.2.1.1
Node3 152.2.5.15
Node4 152.1.1.250
Node5 152.1.2.0
Node6 152.3.1.0
It should be noted that, the key escrow server receives an ith acquisition request sent by the terminal, where the acquisition request includes a first identifier of an ith sub-key string and a second identifier of the storage node, but the key escrow server does not store a correspondence between the first identifier of the ith sub-key string and the second identifier of the storage node, and does not store the correspondence between the received first identifier of the ith sub-key string and the second identifier of the storage node.
And step 308, the key escrow server locates the ith storage node according to the IP address, and acquires the ith sub-key string from the ith storage node according to the first identifier of the ith sub-key string carried in the ith acquisition request.
Optionally, when the key escrow server acquires the ith sub-key string from the ith storage node, the key escrow server sends a substring acquisition request to the ith sub-key string, where the substring acquisition request includes a first identifier of the ith sub-key string and a tokenID, and the ith storage node confirms, according to the tokenID, that the received substring acquisition request is sent by the key escrow server.
Optionally, the substring acquisition request includes an IP address of the key escrow server, and the ith storage node sends the ith sub-key string to the key escrow server according to the IP address.
Optionally, when the ith storage node sends the ith sub-key string to the key escrow server, the token id is returned to the key escrow server, and the key escrow server confirms that the received ith sub-key string is sent by the ith storage node and corresponds to the target key according to the token id.
In step 309, the key escrow server sends the ith sub-key string to the terminal.
Optionally, the key escrow server sends the ith sub-key string to the terminal according to the terminal identifier and the IP address of the terminal.
In step 310, the terminal obtains at least k sub-key strings fed back by the key escrow server.
And circularly executing the steps 302 to 309 at least k times, and when the ith acquisition is successful, executing the (i + 1) th acquisition process, namely acquiring at least k sub-key strings fed back by the key escrow server by the terminal.
In step 311, the terminal reconstructs the target key according to the at least k sub-key strings.
Optionally, the terminal reconstructs the target key according to at least k sub-key strings by using a lagrangian interpolation algorithm.
In summary, the keys are segmented to obtain a plurality of sub-key strings, and the plurality of sub-key strings are stored in a plurality of storage nodes respectively, because there are many storage nodes for storing the sub-key strings, and the sub-key strings stored between different storage nodes are unknown to each other, when a malicious person attacks a storage node through a hacking procedure, the malicious person does not know which storage nodes have the sub-key strings stored thereon, and cannot obtain all the sub-key strings by attacking one storage node, so that the security is high;
since the key management server only stores the correspondence between the storage node and the IP address of the storage node, and does not store the correspondence between the sub-key string and the storage node storing the sub-key string, a hacker cannot obtain the correspondence between the sub-key string and the storage node storing the sub-key string by breaking the key management server.
It is noted that, before step 305 in the above embodiment, the terminal and the key escrow server may perform two-way certificate authentication.
Fig. 4 is a flowchart of a key recovery method according to another exemplary embodiment of the present application, and as shown in fig. 4, the key recovery method includes two stages:
firstly, a key backup stage;
in step 401, the terminal divides the target key into n sub-key strings according to a threshold k.
Optionally, the threshold k is manually selected by a user, or the threshold k is preset by the terminal, or the threshold k is randomly generated by the terminal.
Optionally, the terminal divides the target key into n sub-key strings by using a lagrangian interpolation algorithm. And any k or more than k sub-key strings in the n sub-key strings can reconstruct the target key.
Illustratively, the terminal divides the target key into n sub-key strings through a lagrangian interpolation algorithm and according to a threshold value k, and optionally, the n interrelated sub-key strings are determined by one polynomial determined by the lagrangian interpolation algorithm, wherein the target key can be reconstructed by any k or more sub-key strings in the n sub-key strings.
Illustratively, the process of dividing the target key into n sub-key strings by the lagrangian interpolation algorithm and according to the threshold k is as follows, where k is equal to or less than n:
1. dividing the target key into n sub-key strings to obtain a sub-key string set { x }1,x2,…,xnWherein different sub-key strings comprise different IDsi,i∈[1,n]
Let a0A and randomly selecting k-1 polynomial parameters (e.g., a)1,a2,…,ak-1) Constructing a polynomial in which for each sub-key string x there is:
f(x)=a0+a1x+…+ak-1xk-1
2. calculating a key string xi=f(IDi),i∈[1,n]Obtaining each sub-key string.
In step 402, the terminal sends n storage requests to the key escrow server.
Optionally, the ith storage request is used to request that the ith sub-key string of the target key is stored in the ith storage node, where the key escrow server is connected to the m storage nodes, i is greater than or equal to 0 and less than or equal to n, and k is greater than or equal to 2 and less than or equal to n and less than or equal to m.
Optionally, the number of storage nodes is m, the target key is divided into n sub-key strings, and n is less than or equal to m. The storage node can only store one sub-key string of the target key in one storage node, and each sub-key string stored in the second storage node can be selected by a user, or the storage node storing the sub-key string of the target key can be selected randomly by the terminal. And in the process of self-selection by the user, the selected storage node cannot be selected for the second time.
Meanwhile, the terminal also stores: and the corresponding relation between the first identifier of the sub-key string and the second identifier of the storage node storing the sub-key string.
In step 403, the key escrow server receives n storage requests sent by the terminal.
In step 404, the key escrow server stores n sub-key strings on n storage nodes according to n storage requests.
Optionally, the key escrow server stores an IP address of each storage node, and stores n sub-key strings to the corresponding storage nodes according to the n storage requests.
In step 405, the terminal obtains a storage result fed back by the key escrow server.
Optionally, the storage result sent by the key escrow server to the terminal includes: store a success response or store a failure response.
The steps 403, 404 and 405 may be executed n times in a loop, and when the ith storage is successful, the (i + 1) th storage process is executed again.
Secondly, key retrieving;
in step 406, the terminal obtains a threshold k.
The threshold value k is used for determining the minimum number of sub-key strings for reconstructing the target key, and the sub-key strings are sub-strings obtained by segmenting the target key by the terminal.
Step 407, the terminal obtains a pre-stored corresponding relationship.
Optionally, the terminal stores the pre-stored correspondence relationship, where the correspondence relationship includes a correspondence relationship between a first identifier of the sub-key string and a second identifier of the storage node. Optionally, the correspondence includes a first identifier of each sub-key string and a second identifier of a storage node storing the sub-key string.
In step 408, the terminal determines a first identifier of the ith sub-key string to be acquired.
Optionally, the sub-key strings are obtained one by one, and when an ith sub-key string is obtained, a first identifier of the ith sub-key string to be obtained is first determined.
In step 409, the terminal queries the second identifier of the ith storage node in the corresponding relationship according to the first identifier of the ith sub-key string.
Optionally, the terminal stores a correspondence between the first identifier of the ith sub-key string and the second identifier of the storage node that stores the ith sub-key string, and queries the second identifier of the ith storage node corresponding to the ith sub-key string through the correspondence.
In step 410, the terminal sends the first authentication certificate to the key escrow server.
Optionally, the first authentication certificate includes first signature information and other information, the first signature information is encrypted by a first private key of the terminal, and the first signature information in the first authentication certificate may be decrypted by a second public key of the key escrow server, so as to ensure security of communication between the terminal and the key escrow server.
In step 411, the key escrow server authenticates the first authentication certificate.
Optionally, the key escrow server obtains a first result by performing predetermined calculation on other information in the first authentication certificate, decrypts the first signature information by using the second public key to obtain a second result, and performs an authentication success response on the first authentication certificate if the first result corresponds to the second result.
In step 412, the key escrow server sends the second authentication certificate to the terminal.
Optionally, after successfully authenticating the first authentication certificate, the key escrow server sends a second authentication certificate to the terminal, where the second authentication certificate includes second signature information and other information, the second signature information is encrypted by a second private key of the key escrow server, and the second signature information in the second authentication certificate may be decrypted by a first public key of the terminal, so as to ensure security of communication between the terminal and the key escrow server.
In step 413, the terminal receives the second certificate of authentication.
Optionally, the terminal obtains a third result by performing predetermined calculation on other information in the second certificate of authentication, decrypts the second signature information by using the first public key to obtain a fourth result, and performs a successful authentication response on the second certificate of authentication if the third result corresponds to the fourth result.
In step 414, the terminal sends the ith acquisition request to the key escrow server.
Optionally, after the terminal matches the received server identifier with the stored server identifier of the key escrow server, if the matching result is that the received server identifier is the server identifier of the key escrow server, that is, the authentication is successful, the terminal sends the ith acquisition request to the key escrow server.
Optionally, the ith acquisition request is used for requesting to acquire the ith sub-key string of the target key.
In step 415, the key escrow server receives the ith acquisition request sent by the terminal.
In step 416, the key escrow server queries the IP address of the ith storage node according to the second identifier of the ith storage node carried in the ith acquisition request.
Optionally, the key escrow server stores a correspondence between the second identifiers of all m storage nodes and the IP address of each storage node, and queries the IP address of the ith storage node by referring to the correspondence through the second identifier of the ith storage node carried in the ith acquisition request.
It should be noted that, the key escrow server receives an ith acquisition request sent by the terminal, where the acquisition request includes a first identifier of an ith sub-key string and a second identifier of the storage node, but the key escrow server does not store a corresponding relationship between the first identifier of the ith sub-key string and the second identifier of the storage node, and does not store the received corresponding relationship between the first identifier of the ith sub-key string and the second identifier of the storage node.
In step 417, the key escrow server locates the ith storage node according to the IP address, and acquires the ith sub-key string from the ith storage node according to the first identifier of the ith sub-key string carried in the ith acquisition request.
Optionally, when the key escrow server acquires the ith sub-key string from the ith storage node, the substring acquisition request is sent to the ith sub-key string, where the substring acquisition request includes a first identifier of the ith sub-key string and a tokenID, and the ith storage node confirms that the received substring acquisition request is sent by the key escrow server through the tokenID.
Optionally, the sub-key string obtaining request includes an IP address of the key escrow server, and the ith storage node sends the ith sub-key string to the key escrow server according to the IP address.
Optionally, when the ith storage node sends the ith sub-key string to the key escrow server, the token id is returned to the key escrow server, and the key escrow server confirms that the received ith sub-key string is sent by the ith storage node and corresponds to the target key according to the token id.
In step 418, the key escrow server sends the ith sub-key string to the terminal.
Optionally, the key escrow server stores a correspondence between the terminal identifier and the IP address of the terminal, obtains the IP address of the terminal according to the terminal identifier corresponding to the ith sub-key string, and sends the ith sub-key string to the terminal.
Step 419, the terminal obtains at least k sub-key strings fed back by the key escrow server.
And circularly executing the steps 414 to 418 at least k times, and when the ith acquisition is successful, executing the (i + 1) th acquisition process, namely the terminal acquires at least k sub-key strings fed back by the key escrow server. The obtained at least k sub-key strings are at least k different sub-key strings.
In step 420, the terminal reconstructs the target key according to the at least k sub-key strings.
Optionally, the terminal reconstructs the target key according to at least k sub-key strings by using a lagrangian interpolation algorithm.
Schematically, according to the step 401, a segmentation process of segmenting the target key into n sub-key strings by using a lagrangian interpolation algorithm and according to a threshold k is performed, and a process of reconstructing the target key by using the terminal through the lagrangian interpolation algorithm and according to at least k sub-key strings is as follows:
assume that the k sub-key strings are { x1,x2,…,xkK sub-keys ofIs characterized by (ID)1,x1),(ID2,x2)…(IDk,xk) Using a lagrange interpolation algorithm:
Figure BDA0001448523320000151
wherein, 1 < t < k, the sub-key points are substituted by (x, y) as variables to obtain A ═ f (0) ═ a0
It should be noted that, the steps 410 to 413 may be executed after the step 409, or may be executed at any time before the step 414, such as before the step 409, which is not limited in the embodiment of the present application.
In summary, the keys are segmented to obtain a plurality of sub-key strings, and the plurality of sub-key strings are stored in a plurality of storage nodes respectively, because there are many storage nodes for storing the sub-key strings, and the sub-key strings stored between different storage nodes are unknown to each other, when a malicious person attacks a storage node through a hacking procedure, the malicious person does not know which storage nodes have the sub-key strings stored thereon, and cannot obtain all the sub-key strings by attacking one storage node, so that the security is high;
since the key escrow server only stores the corresponding relationship between the storage node and the IP address of the storage node, but does not store the corresponding relationship between the sub-key string and the storage node storing the sub-key string, a hacker cannot obtain the storage node storing the sub-key string by breaking the key escrow server;
because the terminal and the key escrow server perform two-way certificate authentication before the terminal sends the acquisition request to the key escrow server, the identity of the terminal sending the acquisition request to the key escrow server and the identity of the key escrow server sending the sub-key string to the terminal are ensured, and the risk of successful attack of a key hacker on the key escrow server is reduced.
In an optional embodiment, the encrypted ciphertext stored in the storage node as the sub-key string is obtained by decrypting at least k encrypted ciphertexts to obtain at least k sub-key strings, and the target key is reconstructed according to the at least k sub-key strings.
Fig. 5 is a flowchart of a key recovery method according to another exemplary embodiment of the present application, where as shown in fig. 5, the key recovery method includes:
in step 501, the terminal obtains a threshold k.
The threshold k is used to determine the minimum number of sub-key strings for reconstructing the target key, where a sub-key string is a sub-string obtained by segmenting the target key by the terminal, and illustratively, the terminal includes a key segmentation interface, through the key segmentation interface, the terminal divides the target key into n segments, i.e., n sub-key strings, and determines that k is the threshold, the target key can be reconstructed at least through k sub-key strings, where k is greater than or equal to 2 and less than or equal to n.
Step 502, the terminal sends an acquisition request to the key escrow server at least k times according to a threshold k.
The acquisition request is used for acquiring a sub-key string of the target key. Optionally, the ith acquisition request is used to request to acquire an ith sub-key string of the target key, the key escrow server is connected to m storage nodes, the m storage nodes are used to store the sub-key strings of the target key, the target key is divided into n sub-key strings and stored in the n storage nodes, i is greater than or equal to 0 and less than or equal to k, and k is greater than or equal to 2 and less than or equal to n and less than or equal to m.
Optionally, the number of the storage nodes is m, the target key is divided into n sub-key strings, n is less than or equal to m, only one sub-key string of the target key can be stored in one storage node, each sub-key string is stored in the second storage node and can be selected by a user, the storage nodes storing the sub-key strings of the target key can also be randomly selected, and the selected storage nodes cannot be selected secondarily by the user in the self-selection process.
In step 503, the key escrow server receives at least k times of acquisition requests sent by the terminal.
Optionally, the terminal may send an acquisition request to the key escrow server k times to acquire k sub-key strings, or send an acquisition request to the key escrow server more than k times and less than or equal to n times to acquire k sub-key strings and less than or equal to n sub-key strings.
In step 504, the key escrow server obtains at least k encrypted ciphertexts from the n storage nodes according to the at least k obtaining requests.
Optionally, the storage node stores an encrypted ciphertext of a sub-key string of the target key, the key escrow server stores an IP address of each storage node, and the key escrow server obtains the encrypted ciphertext of the sub-key string from the corresponding storage node according to the obtaining request.
In step 505, the key escrow server sends at least k encrypted ciphertexts to the terminal.
And the key escrow server sends the received at least k encrypted ciphertexts to the terminal so as to reconstruct the target key.
In step 506, the terminal obtains the decryption key from the key server through the reserved mailbox or the client program.
Optionally, a decryption key of the encrypted ciphertext is stored in the key server, the key server sends the decryption key to the terminal through a reserved mailbox or a client program, and the encrypted ciphertext can be decrypted through the decryption key to obtain a sub-key string corresponding to the encrypted ciphertext.
In step 507, the terminal receives at least k encrypted ciphertexts fed back by the key escrow server.
And step 508, the terminal decrypts the at least k encrypted ciphertexts by the decryption key to obtain at least k sub-key strings.
Optionally, each encrypted ciphertext of the at least k encrypted ciphertexts may correspond to the same decryption key, or may correspond to multiple different decryption keys, that is, the decryption key sent by the key server to the terminal may be one decryption key, or may be a corresponding relationship between the at least k encrypted ciphertexts and the decryption key.
When the at least k encrypted ciphertexts correspond to one decryption key, decrypting the at least k encrypted ciphertexts through the decryption key to obtain at least k sub-key strings; when the decryption keys corresponding to the at least k encrypted ciphertexts are a plurality of different decryption keys, the at least k encrypted ciphertexts are decrypted through the corresponding relation between the at least k encrypted ciphertexts and the decryption keys, and at least k sub-key strings are obtained.
In step 509, the target key is reconstructed from the at least k sub-key strings.
Optionally, the terminal reconstructs the target key according to at least k sub-key strings by using a lagrangian interpolation algorithm.
In summary, the secret keys are segmented to obtain a plurality of sub-secret key strings, the plurality of sub-secret key strings are encrypted through the secret keys to obtain a plurality of encrypted ciphertexts, the plurality of encrypted ciphertexts are respectively stored in a plurality of storage nodes, and the decrypted secret keys are stored in the secret key server;
since the sub-key string is encrypted, even if a malicious person attacks the storage node through a hacker program and acquires the encrypted ciphertext of the sub-key string, the decryption key is stored in the key server and is different from the encrypted ciphertext in storage position, so that the sub-key string cannot be directly acquired and the target key cannot be reconstructed according to the sub-key string.
In a specific embodiment, taking encrypted files as outgoing streams, rar, 6 storage nodes are taken as an example for explanation, fig. 6 is a flowchart of key segment storage shown in an exemplary embodiment of the present application, and as shown in fig. 6:
in the data encryption interface 61, the file 'tour and rar' is encrypted to obtain a target key '111000111000', the target key is divided into 4 sub-key strings, and the total number of the segments displayed in the prompt box is not more than 6 because the number of the storage nodes is 6;
the user sets a threshold value to be 2, namely when the sub-key strings of 2 segments are obtained, the target key can be reconstructed;
the user clicks a virtual key of a selection Node and enters a Node selection interface 62, firstly, a storage Node of a 1 st sub-key string is selected, and after a Node2 is selected as the storage Node of the 1 st sub-key string, a storage Node of a 2 nd sub-key string is selected, wherein a Node2 for storing the 1 st sub-key string cannot be selected again; after Node5 is selected as a storage Node of the 2 nd sub-key string, selecting a storage Node of the 3 rd sub-key string, wherein Node2 for storing the 1 st sub-key string and Node5 for storing the 2 nd sub-key string cannot be selected again; after Node3 is selected as a storage Node of the 3 rd sub-key string, selecting a storage Node of the 4 th sub-key string, wherein Node2 for storing the 1 st sub-key string, Node5 for storing the 2 nd sub-key string and Node3 for storing the 2 nd sub-key string cannot be selected again; after Node1 is selected as the storage Node of the 4 th sub-key string, the encryption success interface 63 is displayed.
Corresponding to the flowchart of key segment storage in fig. 6, fig. 7 is a flowchart of key segment acquisition according to an exemplary embodiment of the present application, and taking the storage flow of the target key as the flow shown in fig. 6 as an example, as shown in fig. 7:
the virtual key of 'forgetting password' is selected on the data decryption interface 71, and the virtual key enters the sub-key string obtaining interface 72 to obtain the sub-key string, since the set threshold k is 2, 2 sub-key strings can be obtained, the keys are reconstructed, the storage nodes of the 1 st sub-key string and the 2 nd sub-key string are filled, and the key is confirmed to be obtained on the key reconstruction interface 73, and the obtained target key is '111000111000'.
It should be noted that, in the above embodiment, the obtained sub-key strings are the 1 st sub-key string and the 2 nd sub-key string as an example, in an actual operation, the obtained sub-key strings may also be the 1 st sub-key string and the 3 rd sub-key string, the 1 st sub-key string and the 4 th sub-key string, the 2 nd sub-key string and the 3 rd sub-key string, the 2 nd sub-key string and the 4 th sub-key string, or the 3 rd sub-key string and the 4 th sub-key string, which is not limited in this application. In the above embodiment, the two sub-key strings are taken as an example for explanation, and in an actual operation, three or four sub-key strings may also be obtained, that is, when the number of the sub-key strings is n, and the threshold value is k, the number of the sub-key strings is not less than k and not greater than n.
Fig. 8 is a block diagram of a key recovery apparatus according to an exemplary embodiment of the present application, where the key recovery apparatus includes, as shown in fig. 8: a first acquisition module 81, a first sending module 82 and a reconstruction module 83;
a first obtaining module 81, configured to obtain a threshold k;
a first sending module 82, configured to send an obtaining request to a key escrow server at least k times according to the threshold k, where the ith obtaining request is used to request to obtain an ith sub-key string of a target key, the key escrow server is connected to m storage nodes, the target key is divided into n sub-key strings, the n sub-key strings are respectively stored in the n storage nodes, i is greater than or equal to 0 and less than or equal to k, and k is greater than or equal to 2 and less than or equal to n and less than or equal to m;
the first obtaining module 81 is further configured to obtain at least k sub-key strings fed back by the key escrow server;
and a reconstructing module 83, configured to reconstruct the target key according to the at least k sub-key strings.
In an alternative embodiment, the first sending module 82 includes:
a first obtaining unit, configured to obtain a pre-stored correspondence relationship, where the correspondence relationship includes a correspondence relationship between a first identifier of the sub key string and a second identifier of the storage node;
the query unit is used for determining a first identifier of the ith sub-key string to be acquired, and querying a second identifier of the ith storage node in the corresponding relationship according to the first identifier of the ith sub-key string;
a first sending unit, configured to send the ith acquisition request to the key escrow server, where the ith acquisition request carries a first identifier of the ith sub-key string and a second identifier of the ith storage node.
In an optional embodiment, the reconstructing module 83 is further configured to reconstruct the target key according to the at least k sub-key strings by a lagrange interpolation algorithm.
In an optional embodiment, the obtaining module 81 includes:
a second obtaining unit, configured to obtain the decryption key from the key server through a reserved mailbox or a client program;
a receiving unit, configured to receive at least k encrypted ciphertexts fed back by the key escrow server;
and the decryption unit is used for decrypting the at least k encrypted ciphertexts through the decryption key to obtain the at least k sub-key strings.
In an alternative embodiment, the first sending module 82 is further configured to send the first authentication certificate to the key escrow server;
the first obtaining module 81 is further configured to obtain a second authentication certificate sent by the key escrow server, where the second authentication certificate is a certificate sent by the key escrow server after authenticating the first authentication certificate;
the device, still include:
and the authentication module is used for authenticating the second authentication certificate.
In an optional embodiment, the apparatus further comprises:
a dividing module, configured to divide the target key into n sub-key strings according to the threshold k, where any at least k sub-key strings in the n sub-key strings are used to reconstruct the target key;
the first sending module 82 is further configured to send n storage requests to the key hosting server, where an ith storage request is used to request that an ith sub-key string of a target key is stored in an ith storage node;
the first obtaining module 81 is further configured to obtain a storage result fed back by the key escrow server.
In an optional embodiment, the splitting module is further configured to split the target key into n sub-key strings by a lagrange interpolation algorithm.
Fig. 9 is a block diagram of a key recovery apparatus according to another exemplary embodiment of the present application, where the key recovery apparatus is connected to m storage nodes, and as shown in fig. 9, the key recovery apparatus includes: a receiving module 91, a second obtaining module 92 and a second sending module 93;
a receiving module 91, configured to receive an obtaining request sent by a terminal at least k times, where the ith obtaining request is used to request to obtain an ith sub-key string of a target key, the target key is divided into n sub-key strings and stored in the n storage nodes, i is greater than or equal to 0 and less than or equal to k, and k is greater than or equal to 2 and less than or equal to n and less than or equal to m;
a second obtaining module 92, configured to obtain at least k sub-key strings from the n storage nodes according to the at least k obtaining requests;
a second sending module 93, configured to send the at least k sub-key strings to the terminal.
In an optional embodiment, the receiving module 91 is further configured to receive an ith acquisition request sent by the terminal, where the ith acquisition request carries a first identifier of the ith sub-key string and a second identifier of the ith storage node.
In an optional embodiment, the second obtaining module 92 is further configured to obtain, according to a second identifier of the ith storage node carried in the ith obtaining request;
the second obtaining module 92 further includes:
the query unit is used for querying the IP address of the ith storage node;
the positioning unit is used for positioning the ith storage node according to the IP address of the ith storage node;
a third obtaining unit, configured to obtain, from the ith storage node, the ith sub-key string according to the first identifier of the ith sub-key string carried in the ith obtaining request.
In an optional embodiment, the second obtaining module 92 is further configured to obtain at least k encrypted ciphertexts from the n storage nodes;
the second sending module 93 is further configured to send the at least k encrypted ciphertexts to the terminal.
In an optional embodiment, the receiving module 91 is further configured to receive a first authentication certificate sent by the terminal;
the device, still include:
the authentication module is used for authenticating the first authentication certificate and generating a second authentication certificate;
the second sending module is further configured to send the second authentication certificate to the terminal.
Fig. 10 is a block diagram illustrating a structure of a terminal according to an embodiment of the present disclosure, where the terminal may include Radio Frequency (RF) circuitry 1001, a memory 1002 including one or more computer-readable storage media, an input unit 1003, a display unit 1004, a sensor 1005, audio circuitry 1006, a wireless fidelity (WiFi) module 1007, a processor 1008 including one or more processing cores, and a power supply 1009. Those skilled in the art will appreciate that the terminal structure shown in fig. 10 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
the RF circuit 1001 may be used for receiving and transmitting signals during a message or call, and in particular, receives downlink information of a base station and then transfers it to be processed by the one or more processors 1008, and further, transmits data related to an uplink to the base station, in general, the RF circuit 1001 includes, but is not limited to, an antenna, at least one Amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, a low Noise Amplifier (L NA, &lttttransition = L & "ttt L &/t gtt neighbor Noise Amplifier, a duplexer, etc. in addition, the RF circuit 1001 may also communicate with a network and other devices through wireless communication which may use any communication standard or protocol including, but not limited to, a Global System for Mobile communication (GSM), a general packet Radio Service (gene, Radio Service), a Short Access Service (SMS), a long term evolution (GPRS), a multicast Service (Service), a long term evolution (Radio Service), a multicast Service (Radio Service (Access), a multicast Service (SMS), a long term evolution (Radio Service), a Short Access (GPRS), a multicast Service (Radio Access), a multicast, a Radio Service (WCDMA), a wireless communication network, a wireless communication System, a wireless communication network, a wireless communication System, a wireless communication network, a wireless communication System, a wireless communication.
The memory 1002 may be used to store software programs and modules, and the processor 1008 executes various functional applications and data processing by operating the software programs and modules stored in the memory 1002. The memory 1002 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the terminal, etc. Further, the memory 1002 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 1002 may also include a memory controller to provide the processor 1008 and the input unit 1003 with access to the memory 1002.
The input unit 1003 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. In particular, in one particular embodiment, input unit 1003 may include a touch-sensitive surface as well as other input devices. The touch-sensitive surface, also referred to as a touch display screen or a touch pad, may collect touch operations by a user (e.g., operations by a user on or near the touch-sensitive surface using a finger, a stylus, or any other suitable object or attachment) thereon or nearby, and drive the corresponding connection device according to a predetermined program. Alternatively, the touch sensitive surface may comprise two parts, a touch detection means and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch sensing device, converts the touch information into touch point coordinates, sends the touch point coordinates to the processor 1008, and can receive and execute commands sent by the processor 1008. In addition, touch sensitive surfaces may be implemented using various types of resistive, capacitive, infrared, and surface acoustic waves. The input unit 1003 may include other input devices in addition to the touch-sensitive surface. In particular, other input devices may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The display unit 1004 may include a display panel, which may be optionally configured in the form of a liquid crystal display (L CD, &lTtTtranslation = L "&tttL &lttt/T &gTtrequired CrystalDisplay), Organic light Emitting diodes (O L ED, Organic L ight-emissive Diode), and the like, further, the touch sensitive surface may cover the display panel, and when a touch operation is detected on or near the touch sensitive surface, may be communicated to the processor 1008 to determine the type of touch event, and then the processor 1008 may provide a corresponding visual output on the display panel according to the type of touch event.
The terminal may also include at least one sensor 1005, such as a light sensor, motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor that may adjust the brightness of the display panel according to the brightness of ambient light, and a proximity sensor that may turn off the display panel and/or the backlight when the terminal is moved to the ear. As one of the motion sensors, the gravity acceleration sensor can detect the magnitude of acceleration in each direction (generally, three axes), can detect the magnitude and direction of gravity when the mobile phone is stationary, and can be used for applications of recognizing the posture of the mobile phone (such as horizontal and vertical screen switching, related games, magnetometer posture calibration), vibration recognition related functions (such as pedometer and tapping), and the like; as for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be configured in the terminal, detailed description is omitted here.
Audio circuitry 1006, a speaker, and a microphone may provide an audio interface between the user and the terminal. The audio circuit 1006 may transmit the electrical signal converted from the received audio data to a speaker, and convert the electrical signal into a sound signal for output; on the other hand, the microphone converts a collected sound signal into an electric signal, converts the electric signal into audio data after being received by the audio circuit 1006, and then outputs the audio data to the processor 1008 for processing, and then to the RF circuit 1001 to be transmitted to, for example, another terminal, or outputs the audio data to the memory 1002 for further processing. The audio circuitry 1006 may also include an earbud jack to provide communication of peripheral headphones with the terminal.
WiFi belongs to a short-distance wireless transmission technology, and the terminal can help a user send and receive e-mails, browse webpages, access streaming media and the like through the WiFi module 1007, and provides wireless broadband internet access for the user. Although fig. 10 shows the WiFi module 1007, it is understood that it does not belong to the essential constitution of the terminal, and it can be omitted entirely as needed within the scope not changing the essence of the invention.
The processor 1008 is a control center of the terminal, connects various parts of the entire mobile phone by various interfaces and lines, and performs various functions of the terminal and processes data by operating or executing software programs and/or modules stored in the memory 1002 and calling data stored in the memory 1002, thereby integrally monitoring the mobile phone. Alternatively, processor 1008 may include one or more processing cores; preferably, the processor 1008 may integrate an application processor, which handles primarily the operating system, user interface, applications, etc., and a modem processor, which handles primarily wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 1008.
The terminal also includes a power source 1009 (e.g., a battery) for providing power to the various components, which may preferably be logically coupled to the processor 1008 via a power management system to manage charging, discharging, and power consumption via the power management system. The power supply 1009 may also include any component such as one or more dc or ac power supplies, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like.
Although not shown, the terminal may further include a camera, a bluetooth module, and the like, which will not be described herein. Specifically, in this embodiment, the processor 1008 in the terminal executes one or more program instructions stored in the memory 1002, so as to implement the key recovery method provided in each of the above-described method embodiments.
Fig. 11 is a block diagram illustrating a configuration of a key escrow server provided in an embodiment of the present application, which may include Radio Frequency (RF) circuitry 1101, a memory 1102 including one or more computer-readable storage media, an input unit 1103, a display unit 1104, a sensor 1105, audio circuitry 1106, a Wireless Fidelity (WiFi) module 1107, a processor 1108 including one or more processing cores, and a power supply 1109. Those skilled in the art will appreciate that the key escrow server architecture shown in fig. 11 does not constitute a limitation on the key escrow server, and may include more or fewer components than shown, or some components in combination, or a different arrangement of components. Wherein:
the RF circuitry 1101 may be used for receiving and transmitting signals during a message or call, and in particular, for receiving downlink information from a base station for processing by one or more processors 1108 and for transmitting data related to the uplink to the base station. typically, the RF circuitry 1101 includes, but is not limited to, an antenna, at least one Amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM), a transceiver, a coupler, a low Noise Amplifier (L NA, &l &/T ttt transition & "" gttt L &/lttt low Noise Amplifier), a duplexer, etc. furthermore, the RF circuitry 1101 may also communicate with a network and other devices via wireless communications which may use any communication standard or protocol, including, but not limited to, the Global System for Mobile communications (GSM), general packet Radio Service (Gene, Radio Service), SMS (SMS), Long time packet Access Service (SMS), Wireless Service, Wireless Access, Wireless Service, Wireless Access, Wireless network, etc. (Telecommunications) communication), and so on message Service (CDMA) communication).
The memory 1102 may be used for storing software programs and modules, and the processor 1108 may execute various functional applications and data processing by operating the software programs and modules stored in the memory 1102. The memory 1102 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, and the like) created from use of the key escrow server, and the like. Further, the memory 1102 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 1102 may also include a memory controller to provide the processor 1108 and the input unit 1103 with access to the memory 1102.
The input unit 1103 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. In particular, in a particular embodiment, the input unit 1103 may include a touch-sensitive surface as well as other input devices. The touch-sensitive surface, also referred to as a touch display screen or a touch pad, may collect touch operations by a user (e.g., operations by a user on or near the touch-sensitive surface using a finger, a stylus, or any other suitable object or attachment) thereon or nearby, and drive the corresponding connection device according to a predetermined program. Alternatively, the touch sensitive surface may comprise two parts, a touch detection means and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch sensing device, converts the touch information into touch point coordinates, sends the touch point coordinates to the processor 1108, and can receive and execute commands sent by the processor 1108. In addition, touch sensitive surfaces may be implemented using various types of resistive, capacitive, infrared, and surface acoustic waves. The input unit 1103 may include other input devices in addition to the touch-sensitive surface. In particular, other input devices may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The Display unit 1104 may be used to Display information input by or provided to a user, as well as various graphical user interfaces of the key escrow server, which may be made up of graphics, text, icons, video, and any combination thereof the Display unit 1104 may include a Display panel, optionally the Display panel may be configured in the form of a liquid crystal Display (L CD, &lTtTtranslation = L "&gTtL &lTt &gTtiQUdCrydisplay), Organic light Emitting diodes (O L ED, Organic L ight-emissive Diode), or the like, further the touch sensitive surface may overlay the Display panel, upon detection of a touch operation on or near the touch sensitive surface, communicate to the processor 1108 to determine the type of touch event, and then the processor 1108 provides a corresponding visual output on the Display panel in accordance with the type of touch event.
The key escrow server may also include at least one sensor 1105, such as light sensors, motion sensors, and other sensors. Specifically, the light sensor may include an ambient light sensor that adjusts the brightness of the display panel according to the brightness of ambient light, and a proximity sensor that turns off the display panel and/or the backlight when the key escrow server moves to the ear. As one of the motion sensors, the gravity acceleration sensor can detect the magnitude of acceleration in each direction (generally, three axes), can detect the magnitude and direction of gravity when the mobile phone is stationary, and can be used for applications of recognizing the posture of the mobile phone (such as horizontal and vertical screen switching, related games, magnetometer posture calibration), vibration recognition related functions (such as pedometer and tapping), and the like; as for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which may be further configured by the key escrow server, detailed descriptions thereof are omitted.
Audio circuitry 1106, a speaker, and a microphone may provide an audio interface between the user and the key escrow server. The audio circuit 1106 may transmit the electrical signal converted from the received audio data to a speaker, and the electrical signal is converted into a sound signal by the speaker and output; on the other hand, the microphone converts the collected sound signal into an electrical signal, which is received by the audio circuit 1106 and converted into audio data, which is processed by the audio data output processor 1108, and then sent to, for example, another key escrow server via the RF circuit 1101, or output to the memory 1102 for further processing. The audio circuitry 1106 may also include an earbud jack to provide communication of peripheral headphones with the key escrow server.
WiFi belongs to short-range wireless transmission technology, and the key escrow server can help the user send and receive e-mail, browse web page, access streaming media, etc. through the WiFi module 1107, and it provides wireless broadband internet access for the user. Although fig. 11 shows the WiFi module 1107, it is understood that it does not belong to the essential constitution of the key escrow server, and may be omitted entirely as needed within the scope not changing the essence of the invention.
The processor 1108 is a control center of the key escrow server, connects various parts of the entire handset using various interfaces and lines, and performs various functions of the key escrow server and processes data by running or executing software programs and/or modules stored in the memory 1102 and calling data stored in the memory 1102, thereby performing overall monitoring of the handset. Alternatively, processor 1108 may include one or more processing cores; preferably, the processor 1108 may integrate an application processor, which primarily handles operating systems, user interfaces, application programs, etc., and a modem processor, which primarily handles wireless communications. It is to be appreciated that the modem processor described above may not be integrated into processor 1108.
The key escrow server also includes a power supply 1109 (e.g., a battery) that provides power to the various components, preferably through a power management system that is logically coupled to the processor 1108 to manage charging, discharging, and power consumption management functions. The power supply 1109 may also include any component of one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like.
Although not shown, the key escrow server may further include a camera, a bluetooth module, and the like, which are not described in detail herein. Specifically, in this embodiment, the processor 1108 in the key escrow server executes one or more program instructions stored in the memory 1102, so as to implement the key recovery method provided in the above-described method embodiments.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, which may be a computer readable storage medium contained in a memory of the above embodiments; or it may be a separate computer-readable storage medium not incorporated in the terminal. The computer readable storage medium has stored therein at least one instruction, at least one program, a set of codes, or a set of instructions that is loaded and executed by the processor to implement the key recovery method as described in any of fig. 1 to 7. Optionally, the computer-readable storage medium may include: a Read Only Memory (ROM), a Random Access Memory (RAM), a Solid State Drive (SSD), or an optical disc. The Random Access Memory may include a resistive Random Access Memory (ReRAM) and a Dynamic Random Access Memory (DRAM). The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (12)

1. A method for recovering a key, the method comprising:
dividing the target secret key into n sub-secret key strings according to a threshold value k, wherein any at least k sub-secret key strings in the n sub-secret key strings are used for reconstructing the target secret key;
sending n storage requests to a key escrow server, wherein the ith storage request is used for requesting to store an ith sub-key string of a target key to an ith storage node, the ith storage request comprises a second identifier of the ith storage node, an IP address of each storage node is stored in the key escrow server, and the key escrow server is used for storing the ith sub-key string on the ith storage node according to the second identifier of the ith storage node and the IP address of each storage node;
obtaining a storage result fed back by the key escrow server; if the storage result is successful, storing the corresponding relation between the first identifier of the ith sub-key string and the second identifier of the ith storage node;
acquiring the threshold k;
sending an obtaining request to the key escrow server at least k times according to the threshold k, wherein the ith obtaining request is used for requesting to obtain an ith sub-key string of the target key, the key escrow server is connected with m storage nodes, the target key is divided into n sub-key strings which are respectively stored in the n storage nodes, i is more than or equal to 0 and less than or equal to k, and k is more than or equal to 2 and less than or equal to n and less than or equal to m;
acquiring at least k sub-key strings fed back by the key escrow server;
reconstructing the target secret key according to the at least k sub-secret key strings;
the sending, according to the threshold k, at least k times an acquisition request to a key escrow server includes:
acquiring a pre-stored corresponding relationship, wherein the corresponding relationship comprises a corresponding relationship between a first identifier of the sub key string and a second identifier of the storage node;
determining a first identifier of the ith sub-key string to be acquired, and querying a second identifier of the ith storage node in the corresponding relationship according to the first identifier of the ith sub-key string;
and sending the ith acquisition request to the key hosting server, wherein the ith acquisition request carries the first identifier of the ith sub-key string and the second identifier of the ith storage node.
2. The method of claim 1, wherein reconstructing the target key from the at least k sub-key strings comprises:
and reconstructing the target secret key according to the at least k sub secret key strings by a Lagrange interpolation algorithm.
3. The method according to any one of claims 1 to 2, wherein the obtaining of the at least k sub-key strings fed back by the key escrow server comprises:
acquiring a decryption key from a key server through a reserved mailbox or a client program;
receiving at least k encrypted ciphertexts fed back by the key escrow server;
and decrypting the at least k encrypted ciphertexts by using the decryption secret key to obtain the at least k sub-secret key strings.
4. The method according to any one of claims 1 to 2, further comprising:
sending a first authentication certificate to the key escrow server;
acquiring a second authentication certificate sent by the key escrow server, wherein the second authentication certificate is a certificate sent by the key escrow server after the first authentication certificate is successfully authenticated;
and authenticating the second authentication certificate.
5. The method of claim 1, wherein the partitioning the target key into n sub-key strings comprises:
and dividing the target key into n sub-key strings by a Lagrange interpolation algorithm.
6. A key recovery method, applied to a key escrow server, the key escrow server being connected to m storage nodes, the method comprising:
receiving n storage requests sent by a terminal, wherein the ith storage request is used for requesting to store an ith sub-key string of a target key to an ith storage node, and the ith storage request comprises a second identifier of the ith storage node; the key escrow server stores the IP address of each storage node;
storing the ith sub-key string on the ith storage node according to the second identifier of the ith storage node and the IP address of each storage node;
feeding back a storage result to the terminal; the terminal is configured to store a corresponding relationship between a first identifier of the ith sub-key string and a second identifier of the ith storage node if the storage result is that the storage is successful;
receiving at least k times of acquisition requests sent by the terminal, wherein the ith acquisition request is used for requesting to acquire an ith sub-key string of a target key, the target key is divided into n sub-key strings according to a threshold k and is respectively stored in n storage nodes, i is greater than or equal to 0 and less than or equal to k, k is greater than or equal to 2 and less than or equal to n and less than or equal to m, and any at least k sub-key strings in the n sub-key strings are used for reconstructing the target key;
acquiring at least k sub key strings from the n storage nodes according to the at least k acquisition requests;
sending the at least k sub-key strings to the terminal;
the receiving of the at least k times acquisition request sent by the terminal includes:
and receiving an ith acquisition request sent by a terminal, wherein the ith acquisition request carries a first identifier of the ith sub-key string and a second identifier of the ith storage node.
7. A key recovery apparatus, comprising:
the device is used for dividing the target key into n sub-key strings according to a threshold value k, wherein any at least k sub-key strings in the n sub-key strings are used for reconstructing the target key; sending n storage requests to a key escrow server, wherein the ith storage request is used for requesting to store an ith sub-key string of a target key to an ith storage node, and the ith storage request comprises a second identifier of the ith storage node; the key escrow server is used for storing the ith sub-key string on the ith storage node according to the second identifier of the ith storage node and the IP address of each storage node; the device acquires a storage result fed back by the key escrow server; if the storage result is successful, storing the corresponding relation between the first identifier of the ith sub-key string and the second identifier of the ith storage node;
a first obtaining module, configured to obtain the threshold k;
the first sending module is used for obtaining a pre-stored corresponding relationship, wherein the corresponding relationship comprises a corresponding relationship between a first identifier of a sub key string and a second identifier of a storage node; determining a first identifier of an ith sub-key string to be acquired, and querying a second identifier of an ith storage node in the corresponding relationship according to the first identifier of the ith sub-key string; according to the threshold k, an ith acquisition request is sent to the key escrow server, the ith acquisition request carries a first identifier of the ith sub-key string and a second identifier of the ith storage node, the ith acquisition request is used for requesting to acquire the ith sub-key string of the target key, the key escrow server is connected with m storage nodes, the target key is divided into n sub-key strings which are respectively stored in the n storage nodes, i is greater than or equal to 0 and less than or equal to k, and k is greater than or equal to 2 and less than or equal to n and less than or equal to m;
the first obtaining module is further configured to obtain at least k sub-key strings fed back by the key escrow server;
and the reconstruction module is used for reconstructing the target key according to the at least k sub-key strings.
8. A key recovery apparatus, wherein the key recovery apparatus is connected to m storage nodes, the apparatus comprising:
the device is used for receiving n storage requests sent by a terminal, wherein the ith storage request is used for requesting to store an ith sub-key string of a target key to an ith storage node, and the ith storage request comprises a second identifier of the ith storage node; the device stores the IP address of each storage node; the device stores the ith sub-key string on the ith storage node according to the second identifier of the ith storage node and the IP address of each storage node; the device feeds back a storage result to the terminal; the terminal is configured to store a corresponding relationship between a first identifier of the ith sub-key string and a second identifier of the ith storage node if the storage result is that the storage is successful;
a receiving module, configured to receive an ith acquisition request sent by the terminal, where the ith acquisition request carries a first identifier of an ith sub-key string and a second identifier of an ith storage node, the ith acquisition request is used to request to acquire the ith sub-key string of a target key, the target key is divided into n sub-key strings according to a threshold k and stored in the n storage nodes, i is greater than or equal to 0 and less than or equal to k, k is greater than or equal to 2 and less than or equal to n and less than or equal to m, and any at least k sub-key strings in the n sub-key strings are used to reconstruct the target key;
a second obtaining module, configured to obtain at least k sub-key strings from the n storage nodes according to at least k times of obtaining requests;
a second sending module, configured to send the at least k sub-key strings to the terminal.
9. A terminal, characterized in that the terminal comprises a processor and a memory, wherein the memory has stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, which is loaded and executed by the processor to implement the key recovery method according to any one of claims 1 to 5.
10. A key escrow server comprising a processor and a memory, the memory having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, the at least one instruction, the at least one program, the set of codes, or the set of instructions being loaded and executed by the processor to implement the key recovery method of claim 6.
11. A computer readable storage medium having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, which is loaded and executed by a processor to implement a key recovery method according to any one of claims 1 to 5.
12. A computer readable storage medium having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, which is loaded and executed by a processor to implement the key recovery method of claim 6.
CN201711026657.5A 2017-10-27 2017-10-27 Key retrieving method, device, terminal, key escrow server and readable medium Active CN107979461B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202010455600.2A CN111600710B (en) 2017-10-27 2017-10-27 Key storage method, device, terminal, server and readable medium
CN201711026657.5A CN107979461B (en) 2017-10-27 2017-10-27 Key retrieving method, device, terminal, key escrow server and readable medium
CN202010455890.0A CN111585760B (en) 2017-10-27 2017-10-27 Key retrieving method, device, terminal and readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711026657.5A CN107979461B (en) 2017-10-27 2017-10-27 Key retrieving method, device, terminal, key escrow server and readable medium

Related Child Applications (2)

Application Number Title Priority Date Filing Date
CN202010455890.0A Division CN111585760B (en) 2017-10-27 2017-10-27 Key retrieving method, device, terminal and readable medium
CN202010455600.2A Division CN111600710B (en) 2017-10-27 2017-10-27 Key storage method, device, terminal, server and readable medium

Publications (2)

Publication Number Publication Date
CN107979461A CN107979461A (en) 2018-05-01
CN107979461B true CN107979461B (en) 2020-07-17

Family

ID=62012744

Family Applications (3)

Application Number Title Priority Date Filing Date
CN202010455600.2A Active CN111600710B (en) 2017-10-27 2017-10-27 Key storage method, device, terminal, server and readable medium
CN201711026657.5A Active CN107979461B (en) 2017-10-27 2017-10-27 Key retrieving method, device, terminal, key escrow server and readable medium
CN202010455890.0A Active CN111585760B (en) 2017-10-27 2017-10-27 Key retrieving method, device, terminal and readable medium

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202010455600.2A Active CN111600710B (en) 2017-10-27 2017-10-27 Key storage method, device, terminal, server and readable medium

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202010455890.0A Active CN111585760B (en) 2017-10-27 2017-10-27 Key retrieving method, device, terminal and readable medium

Country Status (1)

Country Link
CN (3) CN111600710B (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108737105B (en) * 2018-05-07 2021-09-28 中钞信用卡产业发展有限公司杭州区块链技术研究院 Method and device for retrieving private key, private key equipment and medium
CN109302400B (en) * 2018-10-17 2021-09-03 成都安恒信息技术有限公司 Asset password exporting method for operation and maintenance auditing system
WO2020168544A1 (en) * 2019-02-22 2020-08-27 云图有限公司 Data processing method and device
CN109787762B (en) * 2019-02-28 2021-09-21 矩阵元技术(深圳)有限公司 Key management method for server to generate key components respectively and electronic equipment
CN109981591B (en) * 2019-02-28 2021-09-21 矩阵元技术(深圳)有限公司 Key management method for generating private key by single client and electronic equipment
CN110430042B (en) * 2019-06-28 2022-11-22 中国人民解放军战略支援部队信息工程大学 Device and method for storing secret key in heterogeneous redundant system
CN110830242A (en) * 2019-10-16 2020-02-21 聚好看科技股份有限公司 Key generation and management method and server
CN111861741A (en) * 2020-06-23 2020-10-30 广东贝莱蔻生物科技有限公司 Supply chain creditor transfer and tracing method and system based on block chain
CN112235104B (en) * 2020-10-23 2022-12-23 苏州浪潮智能科技有限公司 Data encryption transmission method, system, terminal and storage medium
CN112600833A (en) * 2020-12-09 2021-04-02 上海文广科技(集团)有限公司 Cloud distributed storage system and method for private key of DCP (digital data processing) playing equipment of video-on-demand movie theatre
CN113190833B (en) * 2021-06-01 2022-11-18 浙江大华技术股份有限公司 Authority processing method and device, storage medium and electronic device
CN115102708B (en) * 2022-05-05 2024-04-09 阿里巴巴(中国)有限公司 Data processing method and device
CN116170142B (en) * 2023-04-20 2023-07-18 北京信安世纪科技股份有限公司 Distributed collaborative decryption method, device and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2680486A1 (en) * 2012-06-29 2014-01-01 Orange Key management

Family Cites Families (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3656688B2 (en) * 1997-03-31 2005-06-08 栄司 岡本 Cryptographic data recovery method and key registration system
US6182214B1 (en) * 1999-01-08 2001-01-30 Bay Networks, Inc. Exchanging a secret over an unreliable network
CN100536393C (en) * 2005-01-14 2009-09-02 中兴通讯股份有限公司 Secret shared key mechanism based user management method
CN101064599A (en) * 2006-04-26 2007-10-31 华为技术有限公司 Method and system for optical network authentication, cipher key negotiation method and system and optical line terminal and optical network unit
CN101621375A (en) * 2009-07-28 2010-01-06 成都市华为赛门铁克科技有限公司 Method, device and system for managing key
CN102957534B (en) * 2011-08-19 2016-02-03 国民技术股份有限公司 The method and system of a kind of multiple terminals unified identity authentication
CN102523086B (en) * 2011-12-07 2014-12-24 上海交通大学 Key recovery method in privacy protection cloud storage system
CN102857339B (en) * 2012-09-12 2015-06-03 无锡科技职业学院 Secret distribution sharing and recovery recombining method based on sequences
CN105897409B (en) * 2014-05-13 2019-05-10 无锡科技职业学院 A method of the management of the key based on crypto chip
CN104503708B (en) * 2014-12-29 2018-05-22 成都极驰科技有限公司 The method and device of data hash storage
US9413735B1 (en) * 2015-01-20 2016-08-09 Ca, Inc. Managing distribution and retrieval of security key fragments among proxy storage devices
CN105871538B (en) * 2015-01-22 2019-04-12 阿里巴巴集团控股有限公司 Quantum key distribution system, quantum key delivering method and device
CN104917609B (en) * 2015-05-19 2017-11-10 华中科技大学 A kind of highly effective and safe data duplicate removal method and system perceived based on user
US10177907B2 (en) * 2015-07-20 2019-01-08 Sony Corporation Distributed object routing
CN106911469A (en) * 2015-12-23 2017-06-30 北京奇虎科技有限公司 Key read method and device
CN106548345B (en) * 2016-12-07 2020-08-21 北京信任度科技有限公司 Method and system for realizing block chain private key protection based on key partitioning
CN106686008B (en) * 2017-03-03 2019-01-11 腾讯科技(深圳)有限公司 Information storage means and device

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2680486A1 (en) * 2012-06-29 2014-01-01 Orange Key management

Also Published As

Publication number Publication date
CN111600710A (en) 2020-08-28
CN111600710B (en) 2023-01-13
CN111585760A (en) 2020-08-25
CN107979461A (en) 2018-05-01
CN111585760B (en) 2023-04-18

Similar Documents

Publication Publication Date Title
CN107979461B (en) Key retrieving method, device, terminal, key escrow server and readable medium
CN106686008B (en) Information storage means and device
US20210336780A1 (en) Key updating method, apparatus, and system
CN106850220B (en) Data encryption method, data decryption method and device
US10880746B2 (en) Network connection method, apparatus, storage medium and terminal
CN108809906B (en) Data processing method, system and device
CN110417543B (en) Data encryption method, device and storage medium
CN107154935B (en) Service request method and device
CN104821937A (en) Token acquisition method, device and system
CN108011879B (en) File encryption and decryption method, device, equipment and storage medium
CN104836664A (en) Method for executing business processing, device for executing business processing and system for executing business processing
US20210250171A1 (en) Data processing method and device
US10454905B2 (en) Method and apparatus for encrypting and decrypting picture, and device
CN111475832B (en) Data management method and related device
CN107872315B (en) Data processing method and intelligent terminal
CN114039726B (en) Key generation method, key acquisition method, related device and medium
CN113434905B (en) Data transmission method and device, computer equipment and storage medium
CN109639706A (en) A kind of request processing method, server, user terminal and system
CN108880787B (en) Information key processing method and related equipment
CN114553612A (en) Data encryption and decryption method and device, storage medium and electronic equipment
CN113434904A (en) Data processing method and device, computer equipment and storage medium
CN114389825B (en) Data communication method based on block chain and related device
CN111090894B (en) Method and device for reconstructing data of lock card
CN106209736B (en) Streaming media data playing method, terminal and streaming media server
CN105306505A (en) Data updating methods, terminal and server

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant