CN108418679B - Method and device for processing secret key under multiple data centers and electronic equipment - Google Patents


Info

Publication number
CN108418679B
Authority
CN
China
Legal status
Active
Application number
CN201710074091.7A
Other languages
Chinese (zh)
Other versions
CN108418679A (en)
Inventor
刘博洋
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution using a key encryption key
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information involving passwords or one-time passwords

Abstract

A method, an apparatus and an electronic device for processing keys under multiple data centers are disclosed. The method is applied at a data center and comprises the following steps: receiving a request message from an end user for acquiring a temporary key; performing a first function operation on a root key and a first parameter to generate an encryption key, and generating a temporary key from the encryption key and the first parameter, where the temporary key comprises a key identifier and key content, the key identifier carries the first parameter, and the key content is generated by performing a second function operation on the key identifier and the encryption key; and returning the temporary key to the end user. With this scheme a key generated by one data center can be recognized immediately by the other data centers without depending on key synchronization between the data centers: any data center holding the same root key re-derives the key content from the key identifier alone.

Description

Method and device for processing secret key under multiple data centers and electronic equipment
Technical Field
The present invention relates to communications technologies, and in particular, to a method, an apparatus, and an electronic device for processing a key in multiple data centers.
Background
Cloud computing technology and service providers (e.g., Alibaba Cloud) open their cloud services to cloud customers who lease computing resources by distributing keys to them. The keys distributed to users include long-term keys and temporary keys. A long-term key is typically used on the server side of the cloud customer (by an administrator), and a temporary key is typically used on the client side of the cloud customer (by an end user). Cloud computing technology and service providers usually offer cloud customers multiple data centers, which may be distributed across different regions.
As shown in FIG. 1, when an end user obtains a temporary key from one data center (e.g., a data center located in China) and wants to use that temporary key to access another data center (e.g., a data center located in the United States), the temporary key just generated by the first data center must be synchronized to the other data centers immediately; if it is not synchronized in time, the end user's access to the other data centers fails. Before sending an access request to a data center, the end user first computes a digital signature over the plaintext of the request using the key content of the temporary key, and then carries the digital signature and the key identifier of the temporary key in the access request. This "signature" is a keyed hash computed with the shared key content, so a data center can only verify it if it holds the same key content. When a data center receives an access request and the end user's temporary key was not generated by that data center, the data center must first obtain the key identifier and key content of the temporary key from the other data centers through inter-data-center synchronization. It then looks up the key content corresponding to the received key identifier, recomputes the signature over the plaintext of the received access request with that key content, and compares the result with the received signature: if the two match, the end user is judged to be a legitimate user; if they do not match, the end user is judged to be an illegitimate user.
Because the data centers are geographically dispersed, key synchronization between them may be delayed and depends heavily on the reliability and stability of the network, so a temporary key generated by one data center may not be recognized by the other data centers, which affects the user's access to those data centers.
Disclosure of Invention
The present application provides a method and an apparatus for processing keys under multiple data centers, and an electronic device, which allow a key generated by one data center to be recognized immediately by the other data centers without depending on key synchronization between the data centers.
The technical scheme is as follows:
an embodiment of the present application provides a method for processing keys under multiple data centers, applied at a data center, comprising the following steps:
receiving a request message from an end user for acquiring a temporary key;
performing a first function operation on a root key and a first parameter to generate an encryption key, and generating a temporary key from the encryption key and the first parameter; the temporary key comprises a key identifier and key content, the key identifier carries the first parameter, and the key content is generated by performing a second function operation on the key identifier and the encryption key;
returning the temporary key to the end user.
Optionally, the method further comprises:
receiving an access request message from an end user, the access request message carrying the key identifier of a temporary key;
extracting the first parameter from the key identifier, performing the first function operation on the root key and the first parameter to generate the encryption key, and performing the second function operation on the key identifier and the encryption key to regenerate the key content of the temporary key.
Optionally, the key identifier further carries a first information ciphertext, concatenated with the first parameter;
the first information ciphertext is generated by encrypting the first information with the encryption key.
Optionally, after receiving the access request message from the end user, the method further comprises:
extracting the first information ciphertext from the key identifier;
decrypting the first information ciphertext with the encryption key to obtain the first information.
Optionally, the first function is a one-way (irreversible) function; the second function is a one-way (irreversible) function; the first parameter is a random number.
Optionally, the first function is a one-way hash function; the second function is a one-way hash function.
Optionally, the first information comprises: identity information of the end user, or identity information of the end user together with expiration time information of the temporary key.
Optionally, the root key is stored in a hardware security module (hardware encryption machine) at each data center, and the root keys stored at the data centers are identical.
An embodiment of the present application provides an apparatus for processing keys under multiple data centers, applied at a data center, comprising:
an information receiving module, configured to receive a request message from an end user for acquiring a temporary key;
a key generation module, configured to perform a first function operation on a root key and a first parameter to generate an encryption key and to generate a temporary key from the encryption key and the first parameter; the temporary key comprises a key identifier and key content, the key identifier carries the first parameter, and the key content is generated by performing a second function operation on the key identifier and the encryption key;
an information sending module, configured to return the temporary key to the end user.
Optionally, the apparatus further comprises a key recognition module:
the information receiving module is further configured to receive an access request message from an end user, the access request message carrying the key identifier of a temporary key;
the key recognition module is configured to extract the first parameter from the key identifier, perform the first function operation on the root key and the first parameter to generate the encryption key, and perform the second function operation on the key identifier and the encryption key to regenerate the key content of the temporary key.
Optionally, the key identifier further carries a first information ciphertext, concatenated with the first parameter;
the first information ciphertext is generated by encrypting the first information with the encryption key.
Optionally, the key recognition module is further configured to extract the first information ciphertext from the key identifier and to decrypt it with the encryption key to obtain the first information.
Optionally, the first function is a one-way (irreversible) function; the second function is a one-way (irreversible) function; the first parameter is a random number.
Optionally, the first function is a one-way hash function; the second function is a one-way hash function.
Optionally, the first information comprises: identity information of the end user, or identity information of the end user together with expiration time information of the temporary key.
Optionally, the root key is stored in a hardware security module (hardware encryption machine) at each data center, and the root keys stored at the data centers are identical.
An embodiment of the present application provides an electronic device for processing keys under multiple data centers, comprising a memory and a processor;
the memory is configured to store a program for processing keys under multiple data centers which, when read and executed by the processor, performs the following operations:
receiving a request message from an end user for acquiring a temporary key;
performing a first function operation on a root key and a first parameter to generate an encryption key, and generating a temporary key from the encryption key and the first parameter; the temporary key comprises a key identifier and key content, the key identifier carries the first parameter, and the key content is generated by performing a second function operation on the key identifier and the encryption key;
returning the temporary key to the end user.
The present application has the following advantages:
at least one embodiment of the present application allows a key generated by one data center to be recognized immediately by the other data centers without depending on key synchronization between the data centers.
Of course, a product practising the present application need not achieve all of the above advantages at the same time.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification; they illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention, and do not limit the invention.
FIG. 1 is a diagram illustrating key synchronization among different data centers according to the prior art;
FIG. 2 is a flowchart of a method for processing keys under multiple data centers according to a first embodiment of the present invention;
FIG. 3 is a schematic diagram of multiple data centers in application example 1 of the present invention;
FIG. 4 is a flowchart of a method by which a first data center generates a temporary key for an end user under multiple data centers, according to application example 1 of the present invention;
FIG. 5 is a flowchart of a method by which a second data center recognizes a temporary key under multiple data centers, according to application example 1 of the present invention;
FIG. 6 is a schematic diagram of an apparatus for processing keys under multiple data centers according to a second embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that the embodiments of the present application, and the features of those embodiments, may be combined with each other arbitrarily provided there is no conflict.
The steps illustrated in the flowcharts of the figures may be performed in a computer system as a set of computer-executable instructions. Also, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from the one given here.
Example one
As shown in FIG. 2, a method for processing keys under multiple data centers, applied at a data center, comprises:
S210, receiving a request message from an end user for acquiring a temporary key;
S220, performing a first function operation on a root key and a first parameter to generate an encryption key, and generating a temporary key from the encryption key and the first parameter; the temporary key comprises a key identifier and key content, the key identifier carries the first parameter, and the key content is generated by performing a second function operation on the key identifier and the encryption key;
S230, returning the temporary key to the end user;
the method further comprises the following steps:
receiving an access request message from an end user, the access request message carrying the key identifier of a temporary key;
extracting the first parameter from the key identifier, performing the first function operation on the root key and the first parameter to generate the encryption key, and performing the second function operation on the key identifier and the encryption key to regenerate the key content of the temporary key;
in this embodiment, the root key is a key known to every data center;
in one embodiment, to protect the root key and prevent it from leaving the data center, the root key may be stored in a hardware security module (hardware encryption machine), and a hardware security module holding the same root key is deployed at each data center, so that the root key itself never needs to be transmitted between data centers;
in this embodiment, the first function is a one-way (irreversible) function; the one-way function may be, for example, a one-way hash function;
the one-way hash function may be a keyed hash, i.e. a Hash-based Message Authentication Code (HMAC) over a Secure Hash Algorithm (SHA); the HMAC-SHA function may be, for example, HMAC-SHA256.
In this embodiment, the first parameter is a random number;
in other embodiments, the first parameter may be another parameter that distinguishes different end users;
in this embodiment, the key identifier further carries a first information ciphertext, concatenated with the first parameter;
the first information ciphertext is generated by encrypting the first information with the encryption key.
The first information comprises: identity information of the end user, or identity information of the end user together with expiration time information of the temporary key.
The identity information of the end user may be the end user's cloud customer identity;
in this embodiment, the second function is a one-way (irreversible) function; the one-way function may be, for example, a one-way hash function;
the one-way hash function may be an HMAC-SHA function, for example HMAC-SHA256.
In this embodiment, after receiving the access request message from the end user, the method further comprises:
extracting the first information ciphertext from the key identifier, and decrypting it with the encryption key to obtain the first information;
once the first information is obtained, if it contains the expiration time of the temporary key, whether the received temporary key of the end user has expired can be judged from that expiration time;
once the first information is obtained, the corresponding cloud service can be provided to the end user according to the cloud customer identity of the end user contained in the first information.
The present embodiment is described below with an example (application example 1). As shown in FIG. 3, in this example it is assumed that company XX is a customer of a cloud computing technology and service provider (e.g., Alibaba Cloud) and that the company's clients are individual end users. The cloud services the company needs are deployed on multiple data centers, which may be distributed in different regions; the different data centers are represented schematically in FIG. 3 by a first data center and a second data center.
As shown in FIG. 4, assuming an end user requests a temporary key from the first data center, the method by which the first data center generates the temporary key for the end user comprises the following steps S401 to S406:
Step S401, the first data center receives a request message from the end user for acquiring a temporary key;
Step S402, the first data center obtains the root key from its hardware security module and performs the first function operation on the root key and the first parameter to generate the encryption key;
a hardware security module holding the same root key is deployed at each data center;
here the first function is HMAC-SHA256 and the first parameter is a random number; with the random number denoted Random and the root key denoted RootKey, the encryption key EncKey is generated by the HMAC-SHA256 function as in formula (1-1):
EncKey=HMAC_SHA256(Random,RootKey) (1-1)
Note that Random is later carried in the clear in the key identifier, so the secrecy of EncKey rests entirely on RootKey.
Step S403, the first data center encrypts the first information with the encryption key to generate the first information ciphertext;
the first information may comprise: identity information of the end user and expiration time information of the temporary key;
the identity information of the end user may be the end user's cloud customer identity;
with UserID denoting the identity information of the end user and Expires denoting the expiration time information of the temporary key, the first information Msg is formed by concatenating the two as in formula (1-2):
Msg=UserID||Expires (1-2)
where "||" denotes concatenation of two fields;
with EncKey denoting the encryption key and "Encrypt()" an encryption function, the first information ciphertext Enc_Msg is generated by encrypting the first information Msg with the encryption key as in formula (1-3):
Enc_Msg=Encrypt(EncKey,Msg) (1-3)
Step S404, the first data center concatenates the first parameter and the first information ciphertext to generate the key identifier of the temporary key;
with Random denoting the first parameter and Enc_Msg denoting the first information ciphertext, the key identifier AccessKeyID of the temporary key is generated by concatenating the two as in formula (1-4):
AccessKeyID=Random||Enc_Msg (1-4)
Step S405, the first data center performs the second function operation on the key identifier and the encryption key to generate the key content of the temporary key;
with EncKey denoting the encryption key and AccessKeyID denoting the key identifier of the temporary key, the second function is HMAC-SHA256, and the key content AccessKeySecret of the temporary key is generated as in formula (1-5):
AccessKeySecret=HMAC_SHA256(EncKey,AccessKeyID) (1-5)
Because the HMAC is computed over the entire key identifier, including the first information ciphertext, any alteration of the identifier (for example, of the embedded expiration time) changes the key content that a data center derives from it, so a signature produced with the original key content will not verify against an altered identifier.
Step S406, the first data center sends the temporary key, comprising the key identifier and the key content, to the end user;
As shown in FIG. 5, assuming the end user has already obtained the temporary key issued by the first data center and wants to use it to access the second data center, the method by which the second data center recognizes the end user's temporary key comprises the following steps S501 to S507:
step S501, a second data center receives an access request of a terminal user, and acquires a first parameter and a first information ciphertext from a key identifier of a temporary key carried by the access request;
the key identification AccessKeyID of the temporary key is generated by splicing the first parameter and the first information ciphertext together in a way of the formula (1-4); the first information ciphertext is generated by performing encryption operation on the first information by using the encryption key in the way of the formula (1-3); the first information is generated by splicing the identity information of the user and the expiration time information of the temporary key together in the mode of the formula (1-2);
wherein the first parameter is a random number;
the identity information of the user can be a cloud client identity of the terminal user;
step S502, the second data center obtains a root key from a hardware encryption machine, and performs first function operation on the root key and a first parameter to generate an encryption key;
the method comprises the following steps that a hardware encryption machine which stores the same root key is deployed in each data center;
wherein the first function is an HMAC-SHA256 function, the first parameter is a Random number, the Random number is represented by Random, the RootKey is represented by root key, and the encryption key EncKey is generated by the HMAC-SHA256 function as shown in the following formula (2-1)
EncKey=HMAC_SHA256(Random,RootKey) (2-1)
Step S503, the second data center performs the second function operation on the key identifier and the encryption key to generate the key content of the temporary key;
with EncKey denoting the encryption key and AccessKeyID denoting the key identifier of the temporary key, the second function is HMAC-SHA256, and the key content of the temporary key is generated as in formula (2-2):
AccessKeySecret=HMAC_SHA256(EncKey,AccessKeyID) (2-2)
Step S504, the second data center decrypts the first information ciphertext with the encryption key to obtain the first information;
with EncKey denoting the encryption key and "Decrypt()" the decryption function, the first information Msg is recovered by decrypting the first information ciphertext Enc_Msg with the encryption key as in formula (2-3):
Msg=Decrypt(EncKey,Enc_Msg) (2-3)
Step S505, the second data center extracts the identity information of the user and the expiration time information of the temporary key from the first information;
the second data center can judge from the expiration time whether the received temporary key of the end user has expired, and can provide the corresponding cloud service to the end user according to the end user's cloud customer identity contained in the first information. The second data center has thus regenerated the key content without any key synchronization with the first data center, and can verify the signature carried in the access request against the regenerated key content in the manner described in the Background.
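The issuing procedure (S401 to S406) and the recognition procedure (S501 to S505) above, together with the signature check described in the Background, carried through as an added worked example in Python. This code is not part of the patent and is not an Alibaba Cloud implementation. The patent leaves Encrypt()/Decrypt(), the length of Random, and the way UserID and Expires are separated after decryption unspecified; the example assumes a 16-byte Random, an 8-byte big-endian Expires, hex-encoded identifiers, and an HMAC-SHA256 counter-mode stream cipher in place of Encrypt(), and uses a constructed root key constant in place of the HSM.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed root key for this example only. In the scheme it is held by the
# HSM of every data center and is never transmitted between them.
ROOT_KEY = hashlib.sha256(b"example root key, not for production").digest()

RANDOM_LEN = 16   # assumed length in bytes of the first parameter (Random)
EXPIRES_LEN = 8   # assumption: Expires is a fixed-width big-endian integer


def derive_enc_key(root_key: bytes, random: bytes) -> bytes:
    """Formula (1-1)/(2-1): EncKey from RootKey and Random via HMAC-SHA256.
    RootKey is the HMAC key; Random is public (it sits in the key identifier)."""
    return hmac.new(root_key, random, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode. Stand-in for the patent's
    unspecified Encrypt(), chosen so the example needs only the standard library."""
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(enc_key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Formula (1-3): Enc_Msg = Encrypt(EncKey, Msg), here XOR with the keystream."""
    return bytes(m ^ k for m, k in zip(msg, _keystream(enc_key, nonce, len(msg))))


decrypt = encrypt  # formula (2-3): XOR with the same keystream is its own inverse


def issue_temporary_key(root_key: bytes, user_id: str, ttl_seconds: int, now=None, random=None):
    """Steps S401-S406 at the issuing data center. Returns (AccessKeyID, AccessKeySecret)."""
    random = random if random is not None else secrets.token_bytes(RANDOM_LEN)
    enc_key = derive_enc_key(root_key, random)                              # S402, (1-1)
    expires = (now if now is not None else int(time.time())) + ttl_seconds
    msg = user_id.encode() + struct.pack(">Q", expires)                     # (1-2) UserID || Expires
    enc_msg = encrypt(enc_key, random, msg)                                 # S403, (1-3)
    access_key_id = (random + enc_msg).hex()                                # S404, (1-4) Random || Enc_Msg
    access_key_secret = hmac.new(enc_key, access_key_id.encode(), hashlib.sha256).hexdigest()  # S405, (1-5)
    return access_key_id, access_key_secret


def recognize_temporary_key(root_key: bytes, access_key_id: str):
    """Steps S501-S505 at any data center holding the same root key.
    Returns (AccessKeySecret, UserID, Expires); raises ValueError on a malformed identifier."""
    raw = bytes.fromhex(access_key_id)
    if len(raw) < RANDOM_LEN + EXPIRES_LEN:
        raise ValueError("key identifier too short")
    random, enc_msg = raw[:RANDOM_LEN], raw[RANDOM_LEN:]                    # S501
    enc_key = derive_enc_key(root_key, random)                              # S502, (2-1)
    secret = hmac.new(enc_key, access_key_id.encode(), hashlib.sha256).hexdigest()  # S503, (2-2)
    msg = decrypt(enc_key, random, enc_msg)                                 # S504, (2-3)
    user_id = msg[:-EXPIRES_LEN].decode()                                   # S505; ValueError if not UTF-8
    expires = struct.unpack(">Q", msg[-EXPIRES_LEN:])[0]
    return secret, user_id, expires


def sign_request(access_key_secret: str, plaintext: bytes) -> str:
    """End-user side: the Background's 'digital signature' is a keyed hash over the plaintext."""
    return hmac.new(access_key_secret.encode(), plaintext, hashlib.sha256).hexdigest()


def verify_request(root_key: bytes, access_key_id: str, plaintext: bytes, signature: str, now: int):
    """Data-center side: re-derive the secret from the identifier alone, check expiry,
    check the signature. Returns UserID on success, None otherwise. No lookup table, no sync."""
    try:
        secret, user_id, expires = recognize_temporary_key(root_key, access_key_id)
    except ValueError:
        return None
    if now >= expires:
        return None
    if not hmac.compare_digest(sign_request(secret, plaintext), signature):
        return None
    return user_id


if __name__ == "__main__":
    t0 = 1_700_000_000
    key_id, key_secret = issue_temporary_key(ROOT_KEY, "user-42", 3600, now=t0)  # first data center
    body = b"GET /bucket/object"
    sig = sign_request(key_secret, body)
    print("second data center accepts:", verify_request(ROOT_KEY, key_id, body, sig, t0 + 10))
    print("after expiry:", verify_request(ROOT_KEY, key_id, body, sig, t0 + 3600))
    tampered = key_id[:-1] + ("0" if key_id[-1] != "0" else "1")
    print("tampered identifier:", verify_request(ROOT_KEY, tampered, body, sig, t0 + 10))
```

Running the block issues a key as the first data center and verifies it as the second, using nothing but the shared root key. The expired and tampered cases both return None; the tampered one fails because the key content is an HMAC over the whole identifier, so editing the embedded Expires field yields a different secret than the one the user signed with.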
Example two
As shown in FIG. 6, an apparatus for processing keys under multiple data centers, applied at a data center, comprises:
an information receiving module 601, configured to receive a request message from an end user for acquiring a temporary key;
a key generation module 602, configured to perform a first function operation on a root key and a first parameter to generate an encryption key and to generate a temporary key from the encryption key and the first parameter; the temporary key comprises a key identifier and key content, the key identifier carries the first parameter, and the key content is generated by performing a second function operation on the key identifier and the encryption key;
an information sending module 603, configured to return the temporary key to the end user.
In one embodiment, to protect the root key and prevent it from leaving the data center, the root key may be stored in a hardware security module (hardware encryption machine), and a hardware security module holding the same root key is deployed at each data center;
in one embodiment, the apparatus further comprises a key recognition module 604:
the information receiving module is further configured to receive an access request message from an end user, the access request message carrying the key identifier of a temporary key;
the key recognition module is configured to extract the first parameter from the key identifier, perform the first function operation on the root key and the first parameter to generate the encryption key, and perform the second function operation on the key identifier and the encryption key to regenerate the key content of the temporary key.
In one embodiment, the key identifier further carries a first information ciphertext, concatenated with the first parameter;
the first information ciphertext is generated by encrypting the first information with the encryption key.
The key recognition module is further configured to extract the first information ciphertext from the key identifier and to decrypt it with the encryption key to obtain the first information.
In this embodiment, the first function is a one-way (irreversible) function; the one-way function may be, for example, a one-way hash function;
in this embodiment, the second function is a one-way (irreversible) function; the one-way function may be, for example, a one-way hash function;
in this embodiment, the first parameter is a random number.
In other embodiments, the first parameter may be another parameter that distinguishes different end users;
the one-way hash function may be an HMAC-SHA function, for example HMAC-SHA256.
In this embodiment, the first information comprises: identity information of the end user, or identity information of the end user together with expiration time information of the temporary key.
The identity information of the end user may be the end user's cloud customer identity;
once the first information is obtained, if it contains the expiration time of the temporary key, whether the received temporary key of the end user has expired can be judged from that expiration time;
once the first information is obtained, the corresponding cloud service can be provided to the end user according to the cloud customer identity of the end user contained in the first information.
EXAMPLE III
An electronic device for handling keys under multiple data centers, comprising: a memory and a processor;
the memory is configured to store a program for processing keys in multiple data centers, which when read and executed by the processor performs the following operations:
receiving a request message from an end user for acquiring a temporary key;
performing a first function operation on a root key and a first parameter to generate an encryption key, and generating a temporary key according to the encryption key and the first parameter; the temporary key comprises a key identifier and key content, the key identifier carries information of the first parameter, and the key content is generated by performing a second function operation on the key identifier and the encryption key;
returning the temporary key to the end user.
When the program for processing keys in multiple data centers in this embodiment is read and executed by the processor, the operations it performs correspond to steps S210 to S230 of the first embodiment; for further details of these operations, reference may be made to embodiment one.
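The following is an added worked example, not code from the patent or from the applicant, of the derivation described in embodiments one to three: the first data center derives the encryption key from the root key and a random first parameter, splices the parameter with the first information ciphertext to form the key identifier, and derives the key content from the identifier; a second data center holding the same root key re-derives the key content from the identifier alone. Assumptions not stated on the page: HMAC-SHA256 for both functions, a 16-byte first parameter, an HMAC-keystream XOR as a stand-in for the unspecified encryption of the first information, an `identity|expiry` layout for the first information, and an HMAC request signature with the key content as the way the end user proves possession of it.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for the root key held in each data center's hardware
# encryption machine; every data center must hold the same value.
ROOT_KEY = b"constructed-root-key-shared-by-all-data-centers"
PARAM_LEN = 16  # byte length of the random first parameter (assumption)

def first_function(root_key: bytes, first_parameter: bytes) -> bytes:
    """Encryption key = HMAC-SHA256 keyed with the root key over the first parameter."""
    return hmac.new(root_key, first_parameter, hashlib.sha256).digest()

def second_function(key_identifier: bytes, encryption_key: bytes) -> bytes:
    """Key content = HMAC-SHA256 keyed with the encryption key over the key identifier."""
    return hmac.new(encryption_key, key_identifier, hashlib.sha256).digest()

def keystream_xor(encryption_key: bytes, data: bytes) -> bytes:
    """Stand-in cipher for the first information (the patent names none): XOR with
    an HMAC-SHA256 keystream. Acceptable only because the encryption key is fresh
    for every random first parameter, so the keystream is never reused."""
    out = bytearray()
    for i, pos in enumerate(range(0, len(data), 32)):
        block = hmac.new(encryption_key, struct.pack(">I", i), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[pos:pos + 32], block))
    return bytes(out)

def issue_temporary_key(root_key, first_information: bytes, first_parameter=None):
    """First data center (steps S210-S230): returns (key identifier, key content)."""
    first_parameter = first_parameter or os.urandom(PARAM_LEN)
    encryption_key = first_function(root_key, first_parameter)
    # Key identifier = first parameter spliced with the first information ciphertext.
    key_identifier = first_parameter + keystream_xor(encryption_key, first_information)
    return key_identifier, second_function(key_identifier, encryption_key)

def sign_request(key_content: bytes, request: bytes) -> bytes:
    """End user proves possession of the key content (HMAC signature; assumption)."""
    return hmac.new(key_content, request, hashlib.sha256).digest()

def verify_access(root_key, key_identifier, request, signature, now: int):
    """Second data center: re-derive key content from the identifier alone, check
    the signature, then decrypt the first information and check expiry."""
    first_parameter, ciphertext = key_identifier[:PARAM_LEN], key_identifier[PARAM_LEN:]
    encryption_key = first_function(root_key, first_parameter)
    key_content = second_function(key_identifier, encryption_key)
    if not hmac.compare_digest(sign_request(key_content, request), signature):
        return None  # wrong root key or tampered identifier: key content differs
    identity, expiry = keystream_xor(encryption_key, ciphertext).rsplit(b"|", 1)
    return identity if now < int(expiry) else None
```

Because the key content is an HMAC over the whole key identifier, any change to the spliced ciphertext changes the re-derived key content and the end user's signature no longer verifies, so the first information needs no separate integrity tag.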
Although the embodiments of the present invention have been described above, the above description is only for the convenience of understanding the present invention, and is not intended to limit the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (15)

1. A method for processing keys under multiple data centers, comprising:
a first data center receives a request message from an end user for acquiring a temporary key; performs a first function operation on a root key and a first parameter to generate an encryption key, and generates a temporary key according to the encryption key and the first parameter; the temporary key comprises a key identifier and key content, the key identifier carries information of the first parameter, and the key content is generated by performing a second function operation on the key identifier and the encryption key; and returns the temporary key to the end user;
a second data center receives an access request message from an end user, wherein the access request message carries the key identifier of a temporary key; extracts the first parameter from the key identifier, performs the first function operation on a root key and the first parameter to generate the encryption key, and performs the second function operation on the key identifier and the encryption key to generate the key content of the temporary key;
wherein the root key used by the first data center is the same as the root key used by the second data center.
2. The method of claim 1, wherein:
the key identifier also carries a first information ciphertext, and the first information ciphertext is spliced with the first parameter;
the first information ciphertext is generated by encrypting the first information with the encryption key.
3. The method of claim 2, wherein after the second data center receives the access request message from the end user, the method further comprises:
extracting the first information ciphertext from the key identifier;
and decrypting the first information ciphertext with the encryption key to obtain the first information.
4. The method according to any one of claims 1-3, wherein:
the first function is a one-way irreversible function; the second function is a one-way irreversible function; the first parameter is a random number.
5. The method of claim 4, wherein:
the first function is a one-way hash function; the second function is a one-way hash function.
6. The method of claim 2 or 3, wherein:
the first information includes: identity information of the end user, or identity information of the end user and expiration time information of the temporary key.
7. The method according to any one of claims 1-3, wherein:
the root key is stored in a hardware encryption machine of each data center, and the root keys stored in the data centers are the same.
8. An apparatus for processing keys under multiple data centers, comprising:
a first data center information receiving module, used to receive a request message from an end user for acquiring a temporary key;
a first data center key generation module, used to perform a first function operation on a root key and a first parameter to generate an encryption key and to generate a temporary key according to the encryption key and the first parameter; the temporary key comprises a key identifier and key content, the key identifier carries information of the first parameter, and the key content is generated by performing a second function operation on the key identifier and the encryption key;
a first data center information sending module, used to return the temporary key to the end user;
a second data center information receiving module, used to receive an access request message from an end user, wherein the access request message carries the key identifier of a temporary key;
a second data center key identification module, used to extract the first parameter from the key identifier, perform the first function operation on a root key and the first parameter to generate the encryption key, and perform the second function operation on the key identifier and the encryption key to generate the key content of the temporary key;
wherein the root key used by the first data center is the same as the root key used by the second data center.
9. The apparatus of claim 8, wherein:
the key identifier also carries a first information ciphertext, and the first information ciphertext is spliced with the first parameter;
the first information ciphertext is generated by encrypting the first information with the encryption key.
10. The apparatus of claim 9, wherein:
the second data center key identification module is also used to extract the first information ciphertext from the key identifier and decrypt the first information ciphertext with the encryption key to obtain the first information.
11. The apparatus according to any one of claims 8-10, wherein:
the first function is a one-way irreversible function; the second function is a one-way irreversible function; the first parameter is a random number.
12. The apparatus of claim 11, wherein:
the first function is a one-way hash function; the second function is a one-way hash function.
13. The apparatus of claim 9 or 10, wherein:
the first information includes: identity information of the end user, or identity information of the end user and expiration time information of the temporary key.
14. The apparatus according to any one of claims 8-10, wherein:
the root key is stored in a hardware encryption machine of each data center, and the root keys stored in the data centers are the same.
15. An electronic device for database reads and writes, comprising: a memory and a processor;
characterized in that:
the memory is configured to store a program for processing keys in multiple data centers, which when read and executed by the processor performs the steps of the method for processing keys in multiple data centers as recited in any of claims 1-7.
CN201710074091.7A 2017-02-10 2017-02-10 Method and device for processing secret key under multiple data centers and electronic equipment Active CN108418679B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710074091.7A CN108418679B (en) 2017-02-10 2017-02-10 Method and device for processing secret key under multiple data centers and electronic equipment


Publications (2)

Publication Number Publication Date
CN108418679A CN108418679A (en) 2018-08-17
CN108418679B true CN108418679B (en) 2021-06-29

Family

ID=63125141


Country Status (1)

Country Link
CN (1) CN108418679B (en)


Also Published As

Publication number Publication date
CN108418679A (en) 2018-08-17


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant