CN109922084B - Key management method and device and electronic equipment - Google Patents
Key management method and device and electronic equipment Download PDFInfo
- Publication number
- CN109922084B CN109922084B CN201910287440.2A CN201910287440A CN109922084B CN 109922084 B CN109922084 B CN 109922084B CN 201910287440 A CN201910287440 A CN 201910287440A CN 109922084 B CN109922084 B CN 109922084B
- Authority
- CN
- China
- Prior art keywords
- key
- user side
- ciphertext
- private key
- request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The application provides a key management method, a key management device and electronic equipment, relates to the technical field of data management, and can solve the technical problem that a private key stored at a user side is difficult to find after being lost, and further inconvenient use of the private key by a user. The method comprises the following steps: combining a public key of a provider server and a private key of a user side through a public key encryption algorithm to generate a first key, and symmetrically encrypting the private key of the user side by using the first key to obtain a first ciphertext; combining a public key of a third-party server and a private key of the user side through a public key encryption algorithm to generate a second key, and symmetrically encrypting the private key of the user side by using the second key to obtain a second ciphertext; and sending the first ciphertext to the third-party server, and sending the second ciphertext to the provider server.
Description
Technical Field
The present application relates to the field of data management technologies, and in particular, to a key management method and apparatus, and an electronic device.
Background
A key is a parameter that is input in an algorithm that converts plaintext into ciphertext or converts ciphertext into plaintext.
The encryption process of the key is divided into symmetric key encryption (symmetric encryption) and asymmetric key encryption (asymmetric encryption). Symmetric key encryption means that the sender and the receiver of information use the same key to encrypt and decrypt data, i.e. symmetric encryption uses the same key in encryption and decryption. Asymmetric key encryption means that information needs two keys for encryption and decryption, wherein the two keys are a public key (public key) and a private key (private key) respectively.
Currently, the private key of the user is generally stored at the user end and is stored by the user. However, in the case of this storage method, if the private key stored at the user side is lost, it is difficult to retrieve the private key, and further, it is inconvenient for the user to use the private key.
Disclosure of Invention
In view of this, an object of the present application is to provide a method and an apparatus for managing a secret key, and an electronic device, so as to solve the technical problem that a secret key stored at a user side is difficult to retrieve after being lost, which is inconvenient for a user to use the secret key in the prior art.
In a first aspect, an embodiment of the present application provides a key management method, applied to a user side, including:
combining a public key of a provider server and a private key of a user side through a public key encryption algorithm to generate a first key, and symmetrically encrypting the private key of the user side by using the first key to obtain a first ciphertext;
combining a public key of a third-party server and a private key of the user side through a public key encryption algorithm to generate a second key, and symmetrically encrypting the private key of the user side by using the second key to obtain a second ciphertext;
and sending the first ciphertext to the third-party server, and sending the second ciphertext to the provider server.
With reference to the first aspect, an embodiment of the present application provides a first possible implementation manner of the first aspect, where the method further includes:
if the user side receives a private key retrieving instruction, a first request is sent to the provider server, and a second request is sent to the third-party server;
receiving the second ciphertext sent by the provider server according to the first request;
receiving a third key sent by the third-party server according to the second request, wherein the third key is generated by combining a private key of the third-party server and a public key of the user side through a public key encryption algorithm, and the third key is the same as the second key;
and decrypting the second ciphertext by using the third key to obtain a private key of the user side.
With reference to the first aspect, an embodiment of the present application provides a second possible implementation manner of the first aspect, where the method further includes:
if the user side receives a private key retrieving instruction, a third request is sent to the third-party server, and a fourth request is sent to the provider server;
receiving the first ciphertext sent by the third-party server according to the third request;
receiving a fourth secret key sent by the provider server according to the fourth request, wherein the fourth secret key is generated by combining a private key of the provider server and a public key of the user side through a public secret key encryption algorithm, and the fourth secret key is the same as the first secret key;
and decrypting the first ciphertext by using the fourth key to obtain a private key of the user side.
With reference to the first aspect, an embodiment of the present application provides a third possible implementation manner of the first aspect, where the first key and the second key are both symmetric keys.
In a second aspect, an embodiment of the present application further provides a key management device, applied to a user side, including:
the first generation module is used for combining a public key of a provider server and a private key of the user side through a public key encryption algorithm to generate a first key, and symmetrically encrypting the private key of the user side by using the first key to obtain a first ciphertext;
the second generation module is used for combining a public key of a third-party server and a private key of the user side through a public key encryption algorithm to generate a second key, and symmetrically encrypting the private key of the user side by using the second key to obtain a second ciphertext;
and the sending module is used for sending the first ciphertext to the third-party server and sending the second ciphertext to the provider server.
With reference to the second aspect, an embodiment of the present application provides a first possible implementation manner of the second aspect, where the apparatus further includes a first obtaining module, specifically configured to:
if the user side receives a private key retrieving instruction, a first request is sent to the provider server, and a second request is sent to the third-party server;
receiving the second ciphertext sent by the provider server according to the first request;
receiving a third key sent by the third-party server according to the second request, wherein the third key is generated by combining a private key of the third-party server and a public key of the user side through a public key encryption algorithm, and the third key is the same as the second key;
and decrypting the second ciphertext by using the third key to obtain a private key of the user side.
With reference to the second aspect, an embodiment of the present application provides a second possible implementation manner of the second aspect, where the apparatus further includes a second obtaining module, specifically configured to:
if the user side receives a private key retrieving instruction, a third request is sent to the third-party server, and a fourth request is sent to the provider server;
receiving the first ciphertext sent by the third-party server according to the third request;
receiving a fourth secret key sent by the provider server according to the fourth request, wherein the fourth secret key is generated by combining a private key of the provider server and a public key of the user side through a public secret key encryption algorithm, and the fourth secret key is the same as the first secret key;
and decrypting the first ciphertext by using the fourth key to obtain a private key of the user side.
With reference to the second aspect, an embodiment of the present application provides a third possible implementation manner of the second aspect, where the first key and the second key are both symmetric keys.
In a third aspect, an embodiment of the present application further provides an electronic device, which includes a memory and a processor, where the memory stores a computer program that is executable on the processor, and the processor implements the steps of the method according to the first aspect when executing the computer program.
In a fourth aspect, embodiments of the present application further provide a computer-readable medium having non-volatile program code executable by a processor, the program code causing the processor to perform the method according to the first aspect.
The technical scheme provided by the embodiment of the application has the following beneficial effects that: in the scheme, the encrypted private keys of the user side are respectively sent to the provider server and the third-party server and are stored by the two servers, so that the private keys of the user side can be obtained by the two servers even if the private keys stored by the user side are lost. Moreover, because the private key of the user side sent to the provider server by the user side is encrypted, and the encrypted private key is formed by combining the public key of the third-party server and the private key of the user side, the provider server cannot separate from the third-party server to obtain the private key of the user side independently. Similarly, the third-party server cannot get away from the provider server to obtain the private key of the user side independently, and the security of the private key of the user side is further ensured.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and drawings.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the detailed description of the present application or the technical solutions in the prior art, the drawings needed to be used in the detailed description of the present application or the prior art description will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart illustrating a key management method according to an embodiment of the present application;
fig. 2 shows a flowchart of a key management method provided in the second embodiment of the present application;
fig. 3 is a schematic structural diagram of a key management device according to a third embodiment of the present application;
fig. 4 shows a schematic structural diagram of an electronic device according to a fourth embodiment of the present application.
Detailed Description
Features and exemplary embodiments of various aspects of the present invention will be described in detail below. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present invention by illustrating examples of the present invention. The present invention is in no way limited to any specific configuration and algorithm set forth below, but rather covers any modification, replacement or improvement of elements, components or algorithms without departing from the spirit of the invention. In the drawings and the following description, well-known structures and techniques are not shown in order to avoid unnecessarily obscuring the present invention.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
Furthermore, the terms "comprising" and "having" and any variations thereof as referred to in the description of the invention are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may alternatively include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Currently, the private key of the user is generally stored at the user end and is stored by the user. However, in the case of this storage method, if the private key stored at the user side is lost, it is difficult to retrieve the private key, and further, it is inconvenient for the user to use the private key. Based on this, the key management method, the key management device and the electronic device provided by the embodiment of the application can solve the technical problem that the private key stored at the user side is difficult to retrieve after being lost in the prior art, and further the private key is inconvenient for the user to use.
To facilitate understanding of the present embodiment, a detailed description is first given of a key management method, a key management apparatus, and an electronic device disclosed in the embodiments of the present application.
The first embodiment is as follows:
the key management method provided in the embodiment of the present application is applied to a user side, and as shown in fig. 1, includes:
s11: the public key of the provider server and the private key of the user side are combined through a public key encryption algorithm to generate a first key, and the private key of the user side is symmetrically encrypted by the first key to obtain a first ciphertext.
In this embodiment, the provider server, the user side, and the third-party server respectively have a public-private key pair, that is, a public key and a private key. Wherein the third party server may be a server of a third party credit agency. As a preferred scheme, the user end firstly sends the public key of the user end to the provider server and the third party server.
In this step, the user combines the public key of the provider server and the private key of the user into a first key (provider server public key + user private key) by using a public key encryption algorithm.
It should be noted that public-key encryption algorithm (public-key encryption) is a type of cryptographic algorithm, and common public-key encryption algorithms include: a knapsack algorithm, an Elliptic Curve Cryptography (ECC), a public key Cryptography in Diffie-Hellman key exchange protocol. In this embodiment, a public key encryption algorithm in a diffie-hellman key exchange protocol is used to combine a public key of a provider server and a private key of a user side, so as to combine a first key.
Then, the user side symmetrically encrypts the user side private key by using the first key (provider server public key + user side private key) to obtain a first ciphertext (M1). Specifically, the first key (provider server public key + user side private key) is used as a key to be encrypted, the user side private key is used as a text to be encrypted, and the text to be encrypted is symmetrically encrypted by using the key to be encrypted, so that a first ciphertext (M1) is obtained.
S12: and combining the public key of the third-party server and the private key of the user side through a public key encryption algorithm to generate a second key, and symmetrically encrypting the private key of the user side by using the second key to obtain a second ciphertext.
In this step, the user combines the public key of the third-party server and the private key of the user into a second key (the public key of the third-party server + the private key of the user) through a public key encryption algorithm.
Then, the user side symmetrically encrypts the user side private key by using the second key (the third party server public key + the user side private key) to obtain a second ciphertext (M2). Specifically, the second key (the third-party server public key + the user-side private key) is used as a key to be encrypted, the user-side private key is used as a text to be encrypted, and the text to be encrypted is symmetrically encrypted by using the key to be encrypted, so that a second ciphertext (M2) is obtained.
S13: and sending the first ciphertext to a third-party server, and sending the second ciphertext to a provider server.
In practical application, the user terminal sends the first ciphertext (M1) to the third-party server for storage, and sends the second ciphertext (M2) to the provider server for storage.
For the prior art, the key of the digital wallet application is stored by the user at the client, and once the key of the user is lost, the key cannot be retrieved. This greatly increases the user asset security risk. Therefore, the current user key storage scheme has certain disadvantages. But if stored on the application provider's server, the provider will have absolute control over the user's account, which is clearly not the user's desire.
By storing the user key in the provider server and the third-party credit agency server in an encrypted manner, the private key of the user side can be retrieved through the two servers even if the private key stored at the user side is lost. Because the private key of the user end sent to the provider server by the user end is encrypted and the encrypted private key is formed by combining the public key of the third-party server and the private key of the user end, the provider server cannot be separated from the third-party server to obtain the private key of the user end independently. Similarly, the third-party server cannot get away from the provider server to obtain the private key of the user side alone, so that any one of the provider server and the third-party server cannot decrypt the user key, and even if data of one of the provider server and the third-party server is leaked, the user key cannot be decrypted, and the security of the private key of the user side is further ensured.
Moreover, the key can be updated by the key management method provided by the embodiment of the application. And the user side encrypts the new modified user key and sends the encrypted user key to the provider server and the third-party credit agency server so as to replace the old user key in the provider server and the third-party credit agency server. The modified new user key is stored in the provider server and the third-party credit agency server in an encrypted manner, and the modified new private key stored in the user side can be retrieved through the two servers even if the modified new private key stored in the user side is lost. Because the new private key of the user end sent to the provider server by the user end is encrypted and the encrypted private key is formed by combining the public key of the third-party server and the private key of the user end, the provider server cannot be separated from the third-party server to obtain the new private key of the user end independently. Similarly, the third-party server cannot get away from the provider server to obtain the new private key of the user side alone, so that any one of the provider server and the third-party server cannot decrypt the new private key modified by the user, and even if data of one of the provider server and the third-party server is leaked, the new private key of the user cannot be decrypted, so that the security of the private key of the user side is ensured.
Example two:
an embodiment of the present application provides a key management method, applied to a user side, as shown in fig. 2, including:
s21: the public key of the provider server and the private key of the user side are combined through a public key encryption algorithm to generate a first key, and the private key of the user side is symmetrically encrypted by the first key to obtain a first ciphertext.
S22: and combining the public key of the third-party server and the private key of the user side through a public key encryption algorithm to generate a second key, and symmetrically encrypting the private key of the user side by using the second key to obtain a second ciphertext.
Wherein, the first key and the second key are both symmetric keys.
S23: and sending the first ciphertext to a third-party server, and sending the second ciphertext to a provider server.
S24: and when the user side receives the private key recovery instruction, the first request is sent to the provider server, and the second request is sent to the third-party server.
The user side has a copy of the private key of the user, and when the private key is needed for initiating operations such as transaction and signature, the private key can be directly read from the local. If the user's private key is inadvertently lost, a request to retrieve the key may be initiated to the provider server and the third party server.
Specifically, the user side requests the provider server for the second ciphertext (M2), and the user side requests the third party server for a third key, where the third key is generated by the third party server combining a private key of the third party server and a public key of the user side through a public key encryption algorithm.
S25: and receiving a second ciphertext transmitted by the provider server according to the first request.
After the provider server passes the authentication of the user end, the provider server sends a second ciphertext (M2) to the user end according to the first request, and the user end receives the second ciphertext sent by the provider server.
S26: and receiving a third secret key sent by the third-party server according to the second request, wherein the third secret key is generated by combining a private key of the third-party server and a public key of the user side through a public secret key encryption algorithm, and is the same as the second secret key.
The third party server combines the private key of the third party server and the public key of the user side through a public key encryption algorithm, and then a third key (the private key of the third party server and the public key of the user side) is generated. And the third-party server sends the third secret key (the private key of the third-party server and the public key of the user side) to the user side according to the second request. And the user side receives the third key sent by the third-party server. The third key is also a symmetric key.
Based on diffie-hellman key exchange protocol in public key encryption algorithm, the third key (third party server private key + user side public key) and the second key (third party server public key + user side private key) are equal. In the diffie-hellman key exchange protocol, the key generated by combining the public key of the party a with the private key of the party B is the same as the key generated by combining the public key of the party B with the private key of the party a.
For example, a key generated by combining the public key of the party a and the private key of the party B is a first shared key, and a key generated by combining the public key of the party B and the private key of the party a is a second shared key, where the contents of the first shared key and the second shared key are the same. Thus, after each party generates A, B a public/private key pair, the public key is distributed, and after obtaining a true copy of each other's public key, a and B can compute the same shared key offline. In this embodiment, this shared key (i.e., the third key and the second key with the same content) is used as a key of the symmetric cipher to symmetrically encrypt the private key of the user side.
S27: and decrypting the second ciphertext by using the third key to obtain the private key of the user side.
Because the third key and the second key have the same content, the user side can decrypt the second ciphertext by using the third key. Specifically, the user side uses the third key (the third-party server private key and the user-side public key) to symmetrically encrypt the second ciphertext (M2), that is, the user-side private key is obtained by the second key (the third-party server public key and the user-side private key), and then the ciphertext is decrypted, so that the user private key can be obtained.
As another implementation manner of this embodiment, if the user side receives the private key retrieving instruction, the following steps may be further performed:
the user sends a third request to the third-party server and a fourth request to the provider server. And then, the user side receives a first ciphertext sent by the third-party server according to the third request, and the user side receives a fourth secret key sent by the provider server according to a fourth request, wherein the fourth secret key is generated by combining a private key of the provider server and a public key of the user side through a public secret key encryption algorithm, and similarly, the fourth secret key is the same as the first secret key. And finally, the user side decrypts the first ciphertext by using the fourth secret key to obtain the private key of the user side.
In this embodiment, the update key may also be modified by using steps S21 to S23, specifically:
the provider authenticates the user side first. The user end uploads the new public key of the user end to the provider server, and then replaces the old public key of the user end stored in the provider server. The same method updates the old public key of the user terminal stored on the third-party server and replaces the old public key of the user terminal with the new public key of the user terminal.
And the user side combines the public key of the provider server and the new private key of the user side through a public key encryption algorithm to generate a fifth key, and symmetrically encrypts the new private key of the user side by using the fifth key to obtain a third ciphertext.
And the user side combines the public key of the third-party server and the new private key of the user side through a public key encryption algorithm to generate a sixth key, and symmetrically encrypts the new private key of the user side by using the sixth key to obtain a fourth ciphertext.
And finally, the user side sends the third ciphertext to the third-party server to replace the old first ciphertext, and sends the fourth ciphertext to the provider server to replace the old second ciphertext, so that the key can be updated.
Example three:
an embodiment of the present application provides a key management apparatus, which is applied to a user side, and as shown in fig. 3, the key management apparatus 3 includes: a first generation module 31, a second generation module 32 and a transmission module 33.
The first generation module is used for combining a public key of the provider server and a private key of the user side through a public key encryption algorithm to generate a first key, and symmetrically encrypting the private key of the user side through the first key to obtain a first ciphertext.
The second generation module is used for combining the public key of the third-party server and the private key of the user side through a public key encryption algorithm to generate a second key, and symmetrically encrypting the private key of the user side through the second key to obtain a second ciphertext. Wherein, the first key and the second key are both symmetric keys.
As a preferred implementation of this embodiment, the sending module is configured to send the first ciphertext to the third-party server, and send the second ciphertext to the provider server.
The key management device further includes a first obtaining module, specifically configured to: if the user side receives the private key retrieving instruction, a first request is sent to the provider server, and a second request is sent to the third-party server; receiving a second ciphertext transmitted by the provider server according to the first request; receiving a third key sent by the third-party server according to the second request, wherein the third key is generated by combining a private key of the third-party server and a public key of the user side through a public key encryption algorithm, and is the same as the second key; and decrypting the second ciphertext by using the third key to obtain the private key of the user side.
The key management apparatus further includes a second obtaining module, specifically configured to: if the user side receives the private key retrieving instruction, a third request is sent to the third-party server, and a fourth request is sent to the provider server; receiving a first ciphertext sent by the third-party server according to the third request; receiving a fourth secret key sent by the provider server according to the fourth request, wherein the fourth secret key is generated by combining a private key of the provider server and a public key of the user side through a public secret key encryption algorithm, and is the same as the first secret key; and decrypting the first ciphertext by using the fourth key to obtain the private key of the user side.
The key management device provided by the embodiment of the application has the same technical characteristics as the key management method provided by the embodiment, so that the same technical problems can be solved, and the same technical effects can be achieved.
Example four:
as shown in fig. 4, the electronic device 4 provided in the embodiment of the present application includes a memory 41 and a processor 42, where the memory stores a computer program that can run on the processor, and the processor executes the computer program to implement the steps of the method provided in the first embodiment or the second embodiment.
Referring to fig. 4, the electronic device further includes: a bus 43 and a communication interface 44, the processor 42, the communication interface 44 and the memory 41 being connected by the bus 43; the processor 42 is for executing executable modules, such as computer programs, stored in the memory 41.
The Memory 41 may include a high-speed Random Access Memory (RAM) and may also include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. The communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 44 (which may be wired or wireless), and the internet, a wide area network, a local network, a metropolitan area network, and the like can be used.
The bus 43 may be an ISA bus, a PCI bus, an EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 4, but that does not indicate only one bus or one type of bus.
The memory 41 is used for storing a program, and the processor 42 executes the program after receiving an execution instruction, and the method performed by the apparatus defined by the process disclosed in any of the foregoing embodiments of the present application may be applied to the processor 42, or implemented by the processor 42.
The processor 42 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by instructions in the form of hardware, integrated logic circuits, or software in the processor 42. The Processor 42 may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; the device can also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The storage medium is located in a memory 41, and a processor 42 reads information in the memory 41 and performs the steps of the method in combination with hardware thereof.
Example five:
the computer-readable medium provided by the embodiment of the present application has a non-volatile program code executable by a processor, where the program code causes the processor to execute the method provided by the first embodiment or the second embodiment.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In all examples shown and described herein, any particular value should be construed as merely exemplary, and not as a limitation, and thus other examples of example embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The computer-readable medium having the processor-executable nonvolatile program code provided in the embodiments of the present application has the same technical features as the key management method, the key management apparatus, and the electronic device provided in the embodiments, so that the same technical problems can be solved, and the same technical effects can be achieved.
Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The computer program product for performing the key management method provided in the embodiment of the present application includes a computer-readable storage medium storing a nonvolatile program code executable by a processor, where instructions included in the program code may be used to execute the method described in the foregoing method embodiment, and specific implementation may refer to the method embodiment, which is not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present application, and are used for illustrating the technical solutions of the present application, but not limiting the same, and the scope of the present application is not limited thereto, and although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope disclosed in the present application; such modifications, changes or substitutions do not depart from the spirit and scope of the exemplary embodiments of the present application, and are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (8)
1. A key management method is applied to a user side and is characterized by comprising the following steps:
combining a public key of a provider server and a private key of a user side through a public key encryption algorithm in a Diffie-Hellman key exchange protocol to generate a first key, and symmetrically encrypting the private key of the user side by using the first key to obtain a first ciphertext;
combining a public key of a third-party server and a private key of the user side through a public key encryption algorithm in a Diffie-Hellman key exchange protocol to generate a second key, and symmetrically encrypting the private key of the user side by using the second key to obtain a second ciphertext;
sending the first ciphertext to the third-party server, and sending the second ciphertext to the provider server;
the method further comprises the following steps:
if the user side receives a private key retrieving instruction, a first request is sent to the provider server, and a second request is sent to the third-party server;
receiving the second ciphertext sent by the provider server according to the first request;
receiving a third key sent by the third-party server according to the second request, wherein the third key is generated by combining a private key of the third-party server and a public key of the user side through a public key encryption algorithm, and the third key is the same as the second key;
and decrypting the second ciphertext by using the third key to obtain a private key of the user side.
2. The method of claim 1, further comprising:
if the user side receives a private key retrieving instruction, a third request is sent to the third-party server, and a fourth request is sent to the provider server;
receiving the first ciphertext sent by the third-party server according to the third request;
receiving a fourth secret key sent by the provider server according to the fourth request, wherein the fourth secret key is generated by combining a private key of the provider server and a public key of the user side through a public secret key encryption algorithm, and the fourth secret key is the same as the first secret key;
and decrypting the first ciphertext by using the fourth key to obtain a private key of the user side.
3. The method of claim 1, wherein the first key and the second key are both symmetric keys.
4. A key management device applied to a user side comprises:
the first generation module is used for combining a public key of a provider server and a private key of the user side through a public key encryption algorithm in a Diffie-Hellman key exchange protocol to generate a first key, and symmetrically encrypting the private key of the user side by using the first key to obtain a first ciphertext;
the second generation module is used for combining a public key of a third-party server and a private key of the user side through a public key encryption algorithm in a diffie-hellman key exchange protocol to generate a second key, and symmetrically encrypting the private key of the user side by using the second key to obtain a second ciphertext;
the sending module is used for sending the first ciphertext to the third-party server and sending the second ciphertext to the provider server;
the device further comprises a first obtaining module, specifically configured to:
if the user side receives a private key retrieving instruction, a first request is sent to the provider server, and a second request is sent to the third-party server;
receiving the second ciphertext sent by the provider server according to the first request;
receiving a third key sent by the third-party server according to the second request, wherein the third key is generated by combining a private key of the third-party server and a public key of the user side through a public key encryption algorithm, and the third key is the same as the second key;
and decrypting the second ciphertext by using the third key to obtain a private key of the user side.
5. The apparatus according to claim 4, wherein the apparatus further comprises a second obtaining module, specifically configured to:
if the user side receives a private key retrieving instruction, a third request is sent to the third-party server, and a fourth request is sent to the provider server;
receiving the first ciphertext sent by the third-party server according to the third request;
receiving a fourth secret key sent by the provider server according to the fourth request, wherein the fourth secret key is generated by combining a private key of the provider server and a public key of the user side through a public secret key encryption algorithm, and the fourth secret key is the same as the first secret key;
and decrypting the first ciphertext by using the fourth key to obtain a private key of the user side.
6. The apparatus of claim 4, wherein the first key and the second key are both symmetric keys.
7. An electronic device comprising a memory and a processor, wherein the memory stores a computer program operable on the processor, and wherein the processor implements the steps of the method of any of claims 1 to 3 when executing the computer program.
8. A computer-readable medium having non-volatile program code executable by a processor, wherein the program code causes the processor to perform the method of any of claims 1 to 3.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910287440.2A CN109922084B (en) | 2019-04-10 | 2019-04-10 | Key management method and device and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910287440.2A CN109922084B (en) | 2019-04-10 | 2019-04-10 | Key management method and device and electronic equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109922084A CN109922084A (en) | 2019-06-21 |
| CN109922084B true CN109922084B (en) | 2021-08-03 |
Family
ID=66969434
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910287440.2A Active CN109922084B (en) | 2019-04-10 | 2019-04-10 | Key management method and device and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109922084B (en) |
Families Citing this family (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2020258336A1 (en) * | 2019-06-28 | 2020-12-30 | Oppo广东移动通信有限公司 | Method and device for resource configuration, and storage medium |
| CN110417553B (en) * | 2019-08-07 | 2022-12-27 | 北京阿尔山区块链联盟科技有限公司 | Multi-party secret communication method and device and user terminal |
| CN111327605B (en) * | 2020-01-23 | 2022-09-13 | 北京无限光场科技有限公司 | Method, terminal, server and system for transmitting private information |
| CN113497778B (en) * | 2020-03-18 | 2023-05-12 | 北京同邦卓益科技有限公司 | Data transmission method and device |
| CN111953484A (en) * | 2020-08-03 | 2020-11-17 | 上海移远通信技术股份有限公司 | Communication method, device and client |
| CN112740212B (en) * | 2020-12-24 | 2022-08-09 | 华为技术有限公司 | Key writing method and device |
| CN112637230B (en) * | 2020-12-29 | 2022-07-12 | 北京天融信网络安全技术有限公司 | Instant messaging method and system |
| CN114050897B (en) * | 2021-08-20 | 2023-10-03 | 北卡科技有限公司 | SM 9-based asynchronous key negotiation method and device |
| CN114401102A (en) * | 2021-11-29 | 2022-04-26 | 南威软件股份有限公司 | HTTP request parameter encryption scheme based on cryptographic algorithm |
| CN116527261A (en) * | 2023-07-03 | 2023-08-01 | 浙江大华技术股份有限公司 | Key recovery method, electronic device and storage medium |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7541920B2 (en) * | 2006-09-29 | 2009-06-02 | Rockwell Automation Technologies, Inc. | Alarm/event encryption in an industrial environment |
| SE532406C2 (en) * | 2008-05-05 | 2010-01-12 | Paysystem Sweden Ab | Electronic payments in a mobile communication system |
| EP2629227B1 (en) * | 2012-02-15 | 2016-04-27 | BlackBerry Limited | Key management on device for perimeters |
| WO2017097344A1 (en) * | 2015-12-08 | 2017-06-15 | Nec Europe Ltd. | Method for re-keying an encrypted data file |
| CN107528688B (en) * | 2017-09-30 | 2020-04-21 | 矩阵元技术(深圳)有限公司 | Block chain key keeping and recovering method and device based on encryption delegation technology |
| CN109510820A (en) * | 2018-11-01 | 2019-03-22 | 浙江仙草世家生物科技有限公司 | A kind of block chain cryptographic methods that decentralization can customize |
-
2019
- 2019-04-10 CN CN201910287440.2A patent/CN109922084B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN109922084A (en) | 2019-06-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109922084B (en) | Key management method and device and electronic equipment | |
| US10785019B2 (en) | Data transmission method and apparatus | |
| US11784801B2 (en) | Key management method and related device | |
| JP6363032B2 (en) | Key change direction control system and key change direction control method | |
| US10735186B2 (en) | Revocable stream ciphers for upgrading encryption in a shared resource environment | |
| US8452015B2 (en) | Propagating keys from servers to clients | |
| US10313119B2 (en) | Data management device, system, re-encryption device, data sharing device, and storage medium | |
| CN111294203B (en) | Information transmission method | |
| JP2014175970A (en) | Information distribution system, information processing device, and program | |
| US20190238523A1 (en) | Communication terminals, server devices, and programs | |
| US20240097894A1 (en) | Threshold key exchange | |
| CN112865957A (en) | Data encryption transmission method and device, computer target equipment and storage medium | |
| WO2023226308A1 (en) | File sharing methods, file sharing system, electronic device and readable storage medium | |
| WO2021098152A1 (en) | Blockchain-based data processing method, device, and computer apparatus | |
| JP2017108237A (en) | System, terminal device, control method and program | |
| KR101793528B1 (en) | Certificateless public key encryption system and receiving terminal | |
| KR102282788B1 (en) | Blockchain system for supporting change of plain text data included in transaction | |
| KR101595056B1 (en) | System and method for data sharing of intercloud enviroment | |
| KR101599996B1 (en) | Server and system for revocable identity based encryption | |
| Srinadh et al. | Data Security And Recovery Approach Using Elliptic Curve Cryptography | |
| JP2014017763A (en) | Encryption update system, encryption update request device, encryption update device, decryption device, encryption update method, and computer program | |
| CN113852469B (en) | Method, device, equipment and readable storage medium for transmitting data between block chain nodes | |
| CN113141249B (en) | Threshold decryption method, system and readable storage medium | |
| KR101936955B1 (en) | The method of backing up and restoring secret information utilizing asymmetric application of Diffie-Hellman and elliptic curve Diffie-Hellman algorithm | |
| JP6108012B2 (en) | Information distribution system, information processing apparatus, and program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |