CN108471423B - Method and system for obtaining private key - Google Patents

Publication number: CN108471423B
Authority: CN (China)
Prior art keywords: private key, algorithm, server, identifier, request
Legal status: Active (listed status; an assumption, not a legal conclusion)
Application number: CN201810281665.2A
Other languages: Chinese (zh)
Other versions: CN108471423A (en)
Inventors: 丁浩, 吴岩
Current Assignee: Beijing QIYI Century Science and Technology Co Ltd (as listed; may be inaccurate)
Original Assignee: Beijing QIYI Century Science and Technology Co Ltd

Classifications

    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The invention provides a method and a system for acquiring a private key, applied to a target server, a private key storage server and an algorithm query server. The method comprises the following steps: when an acquisition request for the private key of the target server is received, acquiring an encrypted private key corresponding to the target server; determining request parameters associated with the encrypted private key, the request parameters including a digital certificate name, a first identifier and a second identifier; determining, according to the request parameters, the encryption algorithm used for the encrypted private key; and decrypting the encrypted private key according to that encryption algorithm to obtain the plaintext of the encrypted private key. With this method, private keys are encrypted with different encryption algorithms and can be obtained only after verification among different servers. This solves the problem that, when only one private key is used or the private key is encrypted on the same server, the private key can be cracked given enough computing resources, threatening the security of the whole network.

Description

Method and system for obtaining private key
Technical Field
The present invention relates to the field of network communications, and in particular, to a method and a system for obtaining a private key.
Background
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel designed for security, that is, a secure version of HTTP. The most important component of the HTTPS protocol is the HTTPS digital certificate, which consists of two parts: a private key and a public key. The private key is the most important part and is the main credential by which a website proves its identity; once it is stolen, the security of HTTPS no longer holds. For a website with tens of thousands of video servers, the method currently used for storing the private key is to copy it and store one copy on each video server, so that the private key is obtained directly from the video server when a user needs it.
The existing private key obtaining process carries a serious security risk. When a server is lost, damaged or scrapped, the private key stored on it can leak, and because only one private key is used, obtaining it means that the ten thousand servers of the whole website are no longer secure. Even if the private key is encrypted on the server with some encryption algorithm, the encrypted private key can be cracked given enough computing resources, and the security of the whole network is threatened.
Disclosure of Invention
In view of this, the present invention provides a method and a system for obtaining a private key, so as to solve the prior-art problem that, when only one private key is used or the private key is encrypted on the same server, the private key can be cracked given sufficient computing resources and the security of the whole network is threatened. The specific scheme is as follows:
A method for obtaining a private key, applied to a target server, a private key storage server and an algorithm query server, comprises the following steps:
when an obtaining request of a private key of the target server is received, obtaining an encrypted private key corresponding to the target server from the private key storage server;
sending the encrypted private key to the target server, and sending an algorithm query request to the algorithm query server when receiving a first sending completion instruction;
when a second sending completion instruction is received, acquiring request parameters of the encrypted private key according to the algorithm query request, and sending the request parameters to the private key storage server;
when a third sending completion instruction is received, determining an encryption algorithm corresponding to the request parameter according to the request parameter, and sending the name of the encryption algorithm to the algorithm query server;
when a fourth sending completion instruction is received, sending the name of the encryption algorithm to the target server;
and when a fifth sending completion instruction is received, decrypting the encrypted private key according to the name of the encryption algorithm to obtain a plaintext of the encrypted private key.
Optionally, in the method, when receiving an obtaining request for a private key of a target server, obtaining, in the private key storage server, an encrypted private key corresponding to the target server includes:
analyzing the information to be verified contained in the acquisition request;
and judging whether the source IP address in the information to be verified exists in a preset white list, if so, verifying whether the first identifier in the information to be verified is correct, and if so, encrypting a private key corresponding to the name of the digital certificate in the information to be verified in the private key storage server to obtain an encrypted private key corresponding to the target server.
Optionally, in the method, the encrypting, in the private key storage server, the private key corresponding to the digital certificate name in the information to be verified to obtain the encrypted private key corresponding to the target server includes:
searching a private key corresponding to the name of the digital certificate in the private key storage server;
and selecting a first encryption algorithm from a preset algorithm database, and encrypting the private key corresponding to the digital certificate name according to the first encryption algorithm to obtain an encrypted private key corresponding to the target server.
Optionally, in the method, the obtaining the request parameter of the encrypted private key according to the algorithm query request includes:
analyzing each parameter contained in the algorithm query request;
acquiring a second identifier, the digital certificate name and the first identifier contained in the algorithm query request;
wherein the request parameters of the encrypted private key include: the second identifier, the digital certificate name and the first identifier, wherein the first identifier is used for distinguishing different private key storage servers, and the second identifier is used for distinguishing different encryption algorithms.
Optionally, in the method, determining, according to the request parameter, an encryption algorithm corresponding to the request parameter includes:
judging whether a first identifier in the information to be verified is the same as a default identifier of the private key storage server or not;
if yes, searching an encryption algorithm corresponding to the name of the digital certificate in the information to be verified in the private key storage server, wherein the number of the encryption algorithms is at least one;
and determining an encryption algorithm corresponding to the request parameter according to the second identifier.
A private key acquisition system is applied to a target server, a private key storage server and an algorithm query server, and comprises the following components:
the acquisition module is used for acquiring an encrypted private key corresponding to the target server from the private key storage server when an acquisition request of the private key of the target server is received;
the first sending module is used for sending the encrypted private key to the target server and sending an algorithm query request to the algorithm query server when receiving a first sending completion instruction;
the first determining module is used for acquiring request parameters of the encrypted private key according to the algorithm query request when a second sending completion instruction is received, and sending the request parameters to the private key storage server;
the second determining module is used for determining an encryption algorithm corresponding to the request parameter according to the request parameter when a third sending completion instruction is received, and sending the name of the encryption algorithm to the algorithm query server;
the second sending module is used for sending the name of the encryption algorithm to the target server when a fourth sending completion instruction is received;
and the decryption module is used for decrypting the encrypted private key according to the name of the encryption algorithm when a fifth sending completion instruction is received, so as to obtain a plaintext of the encrypted private key.
In the above system, optionally, the obtaining module includes:
the first analysis unit is used for analyzing the information to be verified contained in the acquisition request;
the first judging unit is used for judging whether the source IP address in the information to be verified exists in a preset white list or not, if so, verifying whether the first identification in the information to be verified is correct or not, and if so, encrypting the private key corresponding to the digital certificate name in the information to be verified in the private key storage server to obtain the encrypted private key corresponding to the target server.
In the above system, optionally, the judging unit includes:
the searching subunit is used for searching the private key corresponding to the name of the digital certificate in the private key storage server;
and the encryption subunit is used for selecting a first encryption algorithm from a preset algorithm database, and encrypting the private key corresponding to the digital certificate name according to the first encryption algorithm to obtain the encrypted private key corresponding to the target server.
In the above system, optionally, the first determining module includes:
the second analysis unit is used for analyzing each parameter contained in the algorithm query request;
an obtaining unit, configured to obtain a second identifier, the digital certificate name, and the first identifier included in the algorithm query request;
wherein the request parameters of the encrypted private key include: the second identifier, the digital certificate name and the first identifier, wherein the first identifier is used for distinguishing different private key storage servers, and the second identifier is used for distinguishing different encryption algorithms.
In the above system, optionally, the second determining module includes:
the second judging unit is used for judging whether the first identifier in the information to be verified is the same as the default identifier of the private key storage server or not;
the searching unit is used for, if so, searching the private key storage server for the encryption algorithm corresponding to the digital certificate name in the information to be verified, the number of such encryption algorithms being at least one;
and the determining unit is used for determining the encryption algorithm corresponding to the request parameter according to the second identifier.
Compared with the prior art, the invention has the following advantages:
The invention provides a method for acquiring a private key, applied to a target server, a private key storage server and an algorithm query server. The method comprises the following steps: when an acquisition request for the private key of the target server is received, acquiring an encrypted private key corresponding to the target server; determining request parameters associated with the encrypted private key, the request parameters including the digital certificate name of the target server, the first identifier of the target server and the second identifier of the target server; determining, according to the request parameters, the encryption algorithm used for the encrypted private key; and decrypting the encrypted private key according to that encryption algorithm to obtain the plaintext of the encrypted private key. With this method, private keys are encrypted with different encryption algorithms and can be obtained only after verification among different servers. This solves the problem that, when only one private key is used or the private key is encrypted on the same server, the private key can be cracked given enough computing resources, threatening the security of the whole network.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings in the following description are only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for obtaining a private key disclosed in an embodiment of the present application;
Fig. 2 is a flowchart of another method for obtaining a private key disclosed in an embodiment of the present application;
Fig. 3 is a flowchart of another method for obtaining a private key disclosed in an embodiment of the present application;
Fig. 4 is a flowchart of another method for obtaining a private key disclosed in an embodiment of the present application;
Fig. 5 is a schematic network architecture diagram of a private key obtaining method disclosed in an embodiment of the present application;
Fig. 6 is a block diagram of a system for obtaining a private key disclosed in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The invention provides a method for acquiring a private key, applied during the start-up process of a target server; the method may be executed by a processor, a control platform or the like. The method is applied to a target server, a private key storage server and an algorithm query server. Its flow is shown in Fig. 1 and comprises the following steps:
S101, when an obtaining request of a private key of the target server is received, obtaining an encrypted private key corresponding to the target server from the private key storage server;
In the embodiment of the present invention, the target server is a video server, a mail server, a file server or another server that runs a web application server, preferably an nginx server. The private key storage server encrypts the private key corresponding to the target server with an encryption method to obtain the encrypted private key.
S102, sending the encrypted private key to the target server, and sending an algorithm query request to the algorithm query server when receiving a first sending completion instruction;
In the embodiment of the invention, when the target server receives the encrypted private key sent by the private key storage server, it sends the algorithm query server a query request for the encryption algorithm used for the encrypted private key.
S103, when a second sending completion instruction is received, acquiring a request parameter of the encrypted private key according to the algorithm query request, and sending the request parameter to the private key storage server;
In the embodiment of the present invention, each parameter included in the algorithm query request is analyzed, and the second identifier, the digital certificate name, and the first identifier included in the algorithm query request are obtained. Preferably, the first identifier is a token, and the second identifier is a 32-bit random number.
S104, when a third sending completion instruction is received, determining an encryption algorithm corresponding to the request parameter according to the request parameter, and sending the name of the encryption algorithm to the algorithm query server;
In the embodiment of the invention, the source IP address of the target server is verified in the private key storage server. When the verification succeeds, the name of the encryption algorithm used for the encrypted private key is determined according to the digital certificate name, the first identifier and the second identifier, and the name of the encryption algorithm is transmitted to the algorithm query server.
S105, when a fourth sending completion instruction is received, sending the name of the encryption algorithm to the target server;
S106, when a fifth sending completion instruction is received, decrypting the encrypted private key according to the name of the encryption algorithm to obtain a plaintext of the encrypted private key.
In the embodiment of the invention, the corresponding encryption algorithm is looked up by its name, the encryption key associated with the encrypted private key is determined according to the encryption algorithm, and the encrypted private key is decrypted to obtain its plaintext.
In the embodiment of the invention, the private key storage server issues the first identifier to the target server in advance in a secure manner, preferably over HTTPS.
In the embodiment of the present invention, the encryption algorithm used for the encrypted private key is a symmetric encryption algorithm, which may be one of the DES, 3DES, TDEA, Blowfish, RC5 and IDEA algorithms, or another preferred encryption algorithm.
In the embodiment of the present invention, the flow for obtaining, from the private key storage server, the encrypted private key corresponding to the target server when an obtaining request for the private key of the target server is received is shown in Fig. 2 and includes the steps of:
S201, analyzing the information to be verified contained in the acquisition request;
In the embodiment of the present invention, the information to be verified includes: the digital certificate name of the target server, the source IP address of the target server, and the first identifier of the target server. The digital certificate name is an identifier corresponding to the private key; different servers have different digital certificate names, so the private keys corresponding to different servers are also different. The first identifier is issued to the target server by the private key storage server in advance, and the corresponding private key storage server is determined according to the first identifier.
S202, judging whether a source IP address in the information to be verified exists in a preset white list, if so, verifying whether a first identifier in the information to be verified is correct, and if so, encrypting a private key corresponding to a digital certificate name in the information to be verified in the private key storage server to obtain an encrypted private key corresponding to the target server.
In the embodiment of the present invention, when the source IP address does not exist in the preset white list, the judgment result or information indicating that the request failed is returned, and no subsequent encryption operation is performed.
In the embodiment of the present invention, the flow for encrypting, in the private key storage server, the private key corresponding to the digital certificate name to obtain the encrypted private key corresponding to the target server is shown in Fig. 3 and includes the steps of:
S301, searching a private key corresponding to the name of the digital certificate in the private key storage server;
In the embodiment of the invention, the digital certificate name is the identifier that distinguishes each private key in the private key storage server, and digital certificate names and private keys are in one-to-one correspondence.
S302, selecting a first encryption algorithm from a preset algorithm database, and encrypting the private key corresponding to the digital certificate name according to the first encryption algorithm to obtain an encrypted private key corresponding to the target server.
In the embodiment of the invention, a plurality of first encryption algorithms are stored in the algorithm database. The selection principle is as follows: the encryption algorithm can be selected sequentially, randomly or in another preferred manner, and the encryption algorithms of two adjacent selections are different.
In the embodiment of the present invention, when the private key corresponding to the digital certificate is encrypted in the private key storage server, once the private key is selected, a second identifier is generated as encryption completes. Preferably, the second identifier is a 32-bit random number, and the 32-bit random numbers generated for each encryption are different. The second identifier is assigned both to the current encryption algorithm and to the encrypted private key produced with that algorithm.
When a second sending completion instruction is received, the request parameters associated with the encrypted private key are determined and sent to the private key storage server. The request parameters comprise the digital certificate name of the target server, the first identifier of the target server and the second identifier of the target server. The digital certificate name, the source IP address and the first identifier are obtained from the information to be verified, and the second identifier is obtained from the parameter associated with the encrypted private key.
In the embodiment of the present invention, a flow of determining an encryption algorithm corresponding to the request parameter according to the request parameter is shown in fig. 4, and includes the steps of:
S401, judging whether the first identifier in the information to be verified is the same as the default identifier of the private key storage server;
In the embodiment of the present invention, each private key storage server has a default identifier, and before the encryption algorithm corresponding to the request parameter is determined, the first identifier must be verified to be the same as the default identifier.
S402, if yes, searching at least one encryption algorithm corresponding to the digital certificate name in the information to be verified in the private key storage server;
In the embodiment of the invention, digital certificate names correspond to private keys one to one, but the same private key can be encrypted with different encryption algorithms, so one digital certificate may correspond to a plurality of encryption algorithms. Each algorithm has an algorithm identifier, which is generated while the private key is encrypted and is determined by the second identifier generated during that encryption.
S403, determining an encryption algorithm corresponding to the request parameter according to the second identifier.
In the embodiment of the invention, the encryption algorithm is determined according to the second identifier: the algorithm identifier that is the same as the second identifier is looked up, and the encryption algorithm with that algorithm identifier is the encryption algorithm corresponding to the request parameter.
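The issuance step (S301 to S302) and the lookup in S401 to S403, as an added Python sketch that is not code from the patent. The XOR keystream ciphers, the shared secret used as the encryption key (the text names only the algorithm, not the key), and all class, function and sample names are assumptions.

```python
import hashlib
import hmac
import secrets

def _xor_stream(hash_name, key, data):
    """Stand-in cipher: XOR with a hash-derived keystream (not for production)."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.new(hash_name, key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed "preset algorithm database": name -> cipher (encrypt == decrypt).
ALGORITHM_DB = {
    "xor-sha256": lambda key, data: _xor_stream("sha256", key, data),
    "xor-sha512": lambda key, data: _xor_stream("sha512", key, data),
    "xor-blake2b": lambda key, data: _xor_stream("blake2b", key, data),
}

class KeyStorageServer:
    def __init__(self, default_id, whitelist, keys, shared_key):
        self.default_id = default_id     # value the first identifier must match
        self.whitelist = set(whitelist)  # permitted source IP addresses
        self.keys = keys                 # digital certificate name -> private key
        self.shared_key = shared_key     # assumption: also held by the target server
        self.issued = {}                 # certificate name -> {second id: algorithm}
        self.used_ids = set()
        self.last_algorithm = None

    def _check_first_id(self, first_id):
        if not hmac.compare_digest(first_id, self.default_id):
            raise PermissionError("first identifier mismatch")

    def get_encrypted_key(self, source_ip, first_id, cert_name):
        if source_ip not in self.whitelist:
            raise PermissionError("source IP not in whitelist")
        self._check_first_id(first_id)
        private_key = self.keys[cert_name]                       # S301
        # S302: random selection that never repeats the previous choice.
        name = secrets.choice([n for n in ALGORITHM_DB if n != self.last_algorithm])
        self.last_algorithm = name
        # 32-bit second identifier; redraw on collision so every one is distinct.
        second_id = secrets.randbits(32)
        while second_id in self.used_ids:
            second_id = secrets.randbits(32)
        self.used_ids.add(second_id)
        self.issued.setdefault(cert_name, {})[second_id] = name
        return ALGORITHM_DB[name](self.shared_key, private_key), second_id

    def resolve_algorithm(self, first_id, cert_name, second_id):
        self._check_first_id(first_id)                           # S401
        candidates = self.issued.get(cert_name, {})              # S402
        if second_id not in candidates:                          # S403
            raise LookupError("no algorithm recorded for this second identifier")
        return candidates[second_id]

class AlgorithmQueryServer:
    """Relays the request parameters to the storage server, returns the name."""
    def __init__(self, storage):
        self.storage = storage

    def query(self, first_id, cert_name, second_id):
        return self.storage.resolve_algorithm(first_id, cert_name, second_id)

def fetch_private_key(storage, query_server, source_ip, first_id, cert_name, shared_key):
    """Target-server side: get ciphertext, ask which algorithm, decrypt."""
    encrypted, second_id = storage.get_encrypted_key(source_ip, first_id, cert_name)
    name = query_server.query(first_id, cert_name, second_id)
    return ALGORITHM_DB[name](shared_key, encrypted)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    storage = KeyStorageServer("ks-01", ["10.0.0.5"],
                               {"video.example.test": b"constructed private key"}, secret)
    relay = AlgorithmQueryServer(storage)
    print(fetch_private_key(storage, relay, "10.0.0.5", "ks-01",
                            "video.example.test", secret))
```

Independently drawn 32-bit values are not guaranteed to differ, so the redraw loop is what enforces the "different at each encryption" property.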
In the embodiment of the present invention, a network architecture of the method for obtaining the private key is shown in fig. 5. Access among the video server, the private key storage server and the algorithm query server uses a secure access mode, preferably HTTPS.
In the embodiment of the present invention, corresponding to the above private key obtaining method, the present invention further provides a private key obtaining system, where the private key obtaining system is applied to a target server, a private key storage server, and an algorithm query server, and a structural block diagram of the private key obtaining system is shown in fig. 6, and the private key obtaining system includes:
an obtaining module 501, a first sending module 502, a first determining module 503, a second determining module 504, a second sending module 505, and a decrypting module 506.
Wherein:
the obtaining module 501 is configured to, when receiving an obtaining request for a private key of the target server, obtain, in the private key storage server, an encrypted private key corresponding to the target server;
the first sending module 502 is configured to send the encrypted private key to the target server, and send an algorithm query request to the algorithm query server when receiving a first sending completion instruction;
the first determining module 503 is configured to, when a second sending completion instruction is received, obtain a request parameter of the encrypted private key according to the algorithm query request, and send the request parameter to the private key storage server;
the second determining module 504 is configured to determine, according to the request parameter, an encryption algorithm corresponding to the request parameter when a third sending completion instruction is received, and send a name of the encryption algorithm to the algorithm query server;
the second sending module 505 is configured to send the name of the encryption algorithm to the target server when receiving a fourth sending completion instruction;
the decryption module 506 is configured to decrypt the encrypted private key according to the name of the encryption algorithm when receiving a fifth sending completion instruction, so as to obtain a plaintext of the encrypted private key.
The invention provides a system for acquiring a private key, which is applied to a target server, a private key storage server and an algorithm query server. The system acquires the encrypted private key corresponding to the target server when an acquisition request for the private key of the target server is received; determines the request parameters associated with the encrypted private key, the request parameters including the digital certificate name of the target server, the first identifier of the target server and the second identifier of the target server; determines, according to the request parameters, the encryption algorithm of the encrypted private key corresponding to the request parameters; and decrypts the encrypted private key according to the encryption algorithm to obtain the plaintext of the encrypted private key. In this system the encryption algorithms of the private keys differ, and a private key can be obtained only after verification among different servers. This solves the problem that, where only one private key encryption is used or the private keys are encrypted on a single server, the private keys can be cracked as long as computing resources are sufficient, which threatens the security of the whole network.
In this embodiment of the present invention, the obtaining module 501 includes:
a first analysis unit 507 and a first judgment unit 508.
The first analyzing unit 507 is configured to analyze the to-be-verified information included in the acquisition request;
the first judgment unit 508 is configured to determine whether a source IP address in the to-be-verified information exists in a preset white list, if so, verify whether a first identifier in the to-be-verified information is correct, and if so, encrypt a private key corresponding to a digital certificate name in the to-be-verified information in the private key storage server to obtain an encrypted private key corresponding to the target server.
In this embodiment of the present invention, the first judgment unit 508 includes:
a lookup sub-unit 509 and an encryption sub-unit 510.
Wherein:
the searching subunit 509 is configured to search, in the private key storage server, a private key corresponding to the name of the digital certificate;
the encrypting subunit 510 is configured to select a first encryption algorithm from a preset algorithm database, and encrypt a private key corresponding to the digital certificate name according to the first encryption algorithm to obtain an encrypted private key corresponding to the target server.
In this embodiment of the present invention, the first determining module 503 includes:
a second parsing unit 511 and an acquisition unit 512.
Wherein:
the second parsing unit 511 is configured to parse each parameter included in the algorithm query request;
the obtaining unit 512 is configured to obtain the second identifier, the digital certificate name, and the first identifier included in the algorithm query request;
wherein the request parameters of the encryption private key include: the second identifier, the digital certificate name and the first identifier, wherein the first identifier is used for distinguishing different private key storage servers, and the second identifier is used for distinguishing different encryption algorithms.
In this embodiment of the present invention, the second determining module 504 includes:
a second decision unit 513, a look-up unit 514 and a determination unit 515.
Wherein:
the second decision unit 513 is configured to determine whether the first identifier in the information to be verified is the same as the default identifier of the private key storage server;
the searching unit 514 is configured to search, if yes, at least one encryption algorithm corresponding to the name of the digital certificate in the to-be-verified information in the private key storage server;
the determining unit 515 is configured to determine, according to the second identifier, an encryption algorithm corresponding to the request parameter.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
Finally, it should be further noted that, in the present application, relational terms such as first and second are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functions of the units may be implemented in the same software and/or hardware or in a plurality of software and/or hardware when implementing the invention.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The method and the system for obtaining the private key provided by the invention are described in detail above, and the principle and the implementation mode of the invention are explained by applying specific embodiments in the text, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (10)

1. A method for obtaining a private key is applied to a target server, a private key storage server and an algorithm query server, and comprises the following steps:
when a private key storage server receives an acquisition request of a private key of the target server, acquiring an encrypted private key corresponding to the target server from the private key storage server;
sending the encrypted private key to the target server, and sending an algorithm query request to the algorithm query server when the target server receives a first sending completion instruction;
when the algorithm query server receives a second sending completion instruction, acquiring request parameters of the encrypted private key according to the algorithm query request, and sending the request parameters to the private key storage server;
when the private key storage server receives a third sending completion instruction, determining an encryption algorithm corresponding to the request parameter according to the request parameter, and sending the name of the encryption algorithm to the algorithm query server;
when the algorithm query server receives a fourth sending completion instruction, sending the name of the encryption algorithm to the target server;
and when the target server receives a fifth sending completion instruction, decrypting the encrypted private key according to the name of the encryption algorithm to obtain a plaintext of the encrypted private key.
2. The method of claim 1, wherein when receiving an obtaining request for a private key of a target server, obtaining an encrypted private key corresponding to the target server in the private key storage server comprises:
analyzing the information to be verified contained in the acquisition request;
and judging whether the source IP address in the information to be verified exists in a preset white list, if so, verifying whether the first identifier in the information to be verified is correct, and if so, encrypting a private key corresponding to the name of the digital certificate in the information to be verified in the private key storage server to obtain an encrypted private key corresponding to the target server.
3. The method according to claim 2, wherein the encrypting, in the private key storage server, the private key corresponding to the digital certificate name in the information to be verified to obtain the encrypted private key corresponding to the target server comprises:
searching a private key corresponding to the name of the digital certificate in the private key storage server;
and selecting a first encryption algorithm from a preset algorithm database, and encrypting the private key corresponding to the digital certificate name according to the first encryption algorithm to obtain an encrypted private key corresponding to the target server.
4. The method of claim 2, wherein the obtaining the request parameters of the encrypted private key according to the algorithm query request comprises:
analyzing each parameter contained in the algorithm query request;
acquiring a second identifier, the digital certificate name and the first identifier contained in the algorithm query request;
wherein the request parameters of the encryption private key include: the second identifier, the digital certificate name and the first identifier, wherein the first identifier is used for distinguishing different private key storage servers, and the second identifier is used for distinguishing different encryption algorithms.
5. The method of claim 4, wherein determining the encryption algorithm corresponding to the request parameter according to the request parameter comprises:
judging whether a first identifier in the information to be verified is the same as a default identifier of the private key storage server or not;
if yes, searching an encryption algorithm corresponding to the name of the digital certificate in the information to be verified in the private key storage server, wherein the number of the encryption algorithms is at least one;
and determining an encryption algorithm corresponding to the request parameter according to the second identifier.
6. A system for acquiring a private key is applied to a target server, a private key storage server and an algorithm query server, and comprises:
the acquisition module is used for acquiring an encrypted private key corresponding to the target server from the private key storage server when the private key storage server receives an acquisition request of the private key of the target server;
the first sending module is used for sending the encrypted private key to the target server, and sending an algorithm query request to the algorithm query server when the target server receives a first sending completion instruction;
the first determining module is used for acquiring request parameters of the encrypted private key according to the algorithm query request and sending the request parameters to the private key storage server when the algorithm query server receives a second sending completion instruction;
the second determining module is used for determining an encryption algorithm corresponding to the request parameter according to the request parameter when the private key storage server receives a third sending completion instruction, and sending the name of the encryption algorithm to the algorithm query server;
the second sending module is used for sending the name of the encryption algorithm to the target server when the algorithm query server receives a fourth sending completion instruction;
and the decryption module is used for decrypting the encrypted private key according to the name of the encryption algorithm when the target server receives a fifth sending completion instruction to obtain a plaintext of the encrypted private key.
7. The system of claim 6, wherein the acquisition module comprises:
the first analysis unit is used for analyzing the information to be verified contained in the acquisition request;
the first judging unit is used for judging whether the source IP address in the information to be verified exists in a preset white list or not, if so, verifying whether the first identification in the information to be verified is correct or not, and if so, encrypting the private key corresponding to the digital certificate name in the information to be verified in the private key storage server to obtain the encrypted private key corresponding to the target server.
8. The system according to claim 7, wherein the judging unit includes:
the searching subunit is used for searching the private key corresponding to the name of the digital certificate in the private key storage server;
and the encryption subunit is used for selecting a first encryption algorithm from a preset algorithm database, and encrypting the private key corresponding to the digital certificate name according to the first encryption algorithm to obtain the encrypted private key corresponding to the target server.
9. The system of claim 7, wherein the first determining module comprises:
the second analysis unit is used for analyzing each parameter contained in the algorithm query request;
an obtaining unit, configured to obtain a second identifier, the digital certificate name, and the first identifier included in the algorithm query request;
wherein the request parameters of the encryption private key include: the second identifier, the digital certificate name and the first identifier, wherein the first identifier is used for distinguishing different private key storage servers, and the second identifier is used for distinguishing different encryption algorithms.
10. The system of claim 9, wherein the second determining module comprises:
the second judging unit is used for judging whether the first identifier in the information to be verified is the same as the default identifier of the private key storage server or not;
the searching unit is used for searching, if yes, the encryption algorithm corresponding to the digital certificate name in the information to be verified in the private key storage server, wherein the number of the encryption algorithms is at least one;
and the determining unit is used for determining the encryption algorithm corresponding to the request parameter according to the second identifier.
CN201810281665.2A 2018-04-02 2018-04-02 Method and system for obtaining private key Active CN108471423B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810281665.2A CN108471423B (en) 2018-04-02 2018-04-02 Method and system for obtaining private key

Publications (2)

Publication Number Publication Date
CN108471423A CN108471423A (en) 2018-08-31
CN108471423B CN108471423B (en) 2021-03-09

Family

ID=63262330

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810281665.2A Active CN108471423B (en) 2018-04-02 2018-04-02 Method and system for obtaining private key

Country Status (1)

Country Link
CN (1) CN108471423B (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101917710A (en) * 2010-08-27 2010-12-15 中兴通讯股份有限公司 Method, system and related device for mobile internet encryption communication
CN104166822B (en) * 2013-05-20 2017-10-13 阿里巴巴集团控股有限公司 A kind of method and apparatus of data protection
CN104023013B (en) * 2014-05-30 2017-04-12 上海帝联信息科技股份有限公司 Data transmission method, server side and client
US10355858B2 (en) * 2016-03-30 2019-07-16 Intel Corporation Authenticating a system to enable access to a diagnostic interface in a storage device
CN107360125A (en) * 2016-05-10 2017-11-17 普天信息技术有限公司 Access authentication method, WAP and user terminal
CN107104987A (en) * 2017-06-30 2017-08-29 山东开创云软件有限公司 A kind of data safe transmission method

Also Published As

Publication number Publication date
CN108471423A (en) 2018-08-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant