CN111130773A - Key management server, client and system based on KMIP protocol - Google Patents

Info

Publication number: CN111130773A
Application number: CN201911366522.2A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 董坤朋, 鹿淑煜, 姚鑫
Original and current assignee: Beijing Sansec Technology Development Co ltd
Priority date / filing date: 2019-12-26
Publication date: 2020-05-08
Legal status: Pending
Prior art keywords: key management, kmip protocol, module, kmip, client

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/083 Key transport or distribution involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party

Abstract

The invention discloses a KMIP protocol-based key management server, a KMIP protocol-based key management client and a KMIP protocol-based key management system, and relates to the field of data security of business systems. The server comprises a first communication module, a first coding and decoding module, a processing module and a storage module. The first communication module acquires KMIP protocol message information sent by a client; the first coding and decoding module decodes the KMIP protocol message information to obtain a data object; the processing module determines the client's key management request from the data object and processes the data object according to that request; and the storage module stores the processing result. The invention manages keys by means of the KMIP protocol, solves the problem of standardized communication between a business system that needs to use keys and the key management system that generates and manages them, and can meet the key management requirements of different types of business systems.

Description

Key management server, client and system based on KMIP protocol
Technical Field
The invention relates to the field of data security of a service system, in particular to a key management server, a client and a system based on a KMIP protocol.
Background
In actual production, an enterprise's business systems are independent of one another, so a different, independent key management system is usually chosen for each of them according to its business purpose. Each key management product usually has its own methods for key generation, distribution, storage and life cycle management, and there is no uniform key usage interface specification among the products. Maintaining the different keys of different key management products is therefore very inconvenient, and this hinders the enterprise's network security construction.
Disclosure of Invention
The invention aims to solve the technical problem of providing a key management server, a client and a system based on a KMIP protocol aiming at the defects of the prior art.
The technical scheme for solving the technical problems is as follows:
a key management server based on the KMIP protocol, comprising a first communication module, a first coding and decoding module, a processing module and a storage module, wherein the first communication module is used for acquiring KMIP protocol message information sent by a client, the first coding and decoding module is used for decoding the KMIP protocol message information to obtain a data object, the processing module is used for determining the key management request of the client from the data object and processing the data object according to that request, and the storage module is used for storing the processing result.
The invention has the following beneficial effects: the server provided by the invention manages keys by means of the KMIP protocol and solves the problem of standardized communication between a business system that needs to use keys and the key management system that generates and manages them. An enterprise needs to purchase only one set of key management system to manage the keys of all of its business systems uniformly; the key management requirements of different types of business systems can be met; the business systems require no integration work, since system calls work directly after installation and registration; and the enterprise's operating costs are greatly reduced.
Another technical solution of the present invention for solving the above technical problems is as follows:
a key management client based on the KMIP protocol, comprising a second communication module and a second coding and decoding module, wherein the second coding and decoding module is used for encoding a data object according to the KMIP protocol to obtain KMIP protocol message information, and the second communication module is used for sending the KMIP protocol message information to a server for key verification and management.
By sending the key management request to the server with the KMIP protocol, the client provided by the invention solves the problem of standardized communication between a business system that needs to use keys and the key management system that generates and manages them. An enterprise needs to purchase only one set of key management system to manage the keys of all of its business systems uniformly; the key management requirements of different types of business systems can be met; the business systems require no integration work, since system calls work directly after installation and registration; and the enterprise's operating costs are greatly reduced.
Another technical solution of the present invention for solving the above technical problems is as follows:
a key management system based on the KMIP protocol, comprising the server and the client of the above technical solutions.
Advantages of additional aspects of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
FIG. 1 is a schematic diagram of the structural framework of an embodiment of the KMIP protocol-based key management server of the present invention;
FIG. 2 is a schematic diagram of the structural framework of an embodiment of the KMIP protocol-based key management client of the present invention;
FIG. 3 is a schematic diagram of the structural framework of an embodiment of the KMIP protocol-based key management system of the present invention.
Detailed Description
The principles and features of this invention are described below in conjunction with the following drawings, which are set forth to illustrate, but are not to be construed to limit the scope of the invention.
The present invention is implemented on the basis of KMIP (Key Management Interoperability Protocol), a communication protocol that defines a message format for operating on cryptographic keys held by a key management server. Keys can be created on and retrieved from the server, possibly wrapped by other keys. KMIP also defines messages for performing cryptographic operations on the server, such as encryption and decryption.
KMIP is a key management specification proposed mainly to bring open standards and interoperability to enterprise key management in response to growing encryption requirements. The KMIP protocol makes key life cycle management more standardized and improves the standardization and security of key life cycle management; that is, KMIP is introduced to further ensure the security of key life cycle management.
On this basis, the KMIP specification is applied to the key management of different business systems. Through the interoperability of the KMIP key management system, the business systems require no integration work and system calls work directly after installation and registration, which greatly reduces the enterprise's operating costs. The specific implementation is as follows.
As shown in FIG. 1, an embodiment of a key management server 1 based on the KMIP protocol has the following structural framework. The server 1 comprises a first communication module 11, a first coding and decoding module 12, a processing module 13 and a storage module 14. The first communication module 11 is configured to acquire KMIP protocol message information sent by the client 2; the first coding and decoding module 12 is configured to decode the KMIP protocol message information to obtain a data object; the processing module 13 is configured to determine the key management request of the client 2 from the data object and to process the data object according to that request; and the storage module 14 is configured to store the processing result.
For example, suppose there are business systems A, B and C, and the client 2 wants to read the encrypted business data B1 of a certain product on a certain date in system B. The key request is encoded into KMIP protocol message information by the client's coding and decoding module, which holds the KMIP protocol, and the message is sent to the server 1 over the communication link. After the server 1 receives the KMIP protocol message information, the first coding and decoding module 12 decodes the message according to the KMIP protocol to restore the original data; the processing module 13 processes that data, calls the storage module 14, and returns the queried key to the client 2. The client 2 then reads the encrypted business data B1 of that product on that date in system B and decrypts it into plaintext with the key.
The server 1 provided by this embodiment manages keys by means of the KMIP protocol and solves the problem of standardized communication between a business system that needs to use keys and the key management system that generates and manages them. An enterprise needs to purchase only one set of key management system to manage the keys of all of its business systems uniformly; the key management requirements of different types of business systems can be met; the business systems require no integration work, since system calls work directly after installation and registration; and the enterprise's operating costs are greatly reduced.
Optionally, in some embodiments, the first codec module 12 is specifically configured to decode the KMIP protocol message information according to the TTLV coding specification of the KMIP protocol to obtain the data object.
The TTLV coding specification is a Tag-Type-Length-Value specification. Tag is a label; the Type and Length fields have fixed lengths, generally 1 to 4 bytes; and the Value field has a variable length. The four parts are used as follows: Tag is the keyword of the whole data block; Type is the type of the whole data block, expressed as a numeric code; Length is the size of the Value area, generally in bytes; and Value is the data area, a variable-length set of bytes.
It should be understood that after receiving the KMIP protocol message information the server 1 cannot operate on it directly; it must decode the received data and convert it into an operation object that the server 1 can understand, i.e. a data object, so that the request data can subsequently be obtained from the data object.
Optionally, in some embodiments, the first codec module 12 is further configured to encode the processing result according to the TTLV coding specification of the KMIP protocol, and the first communication module 11 is further configured to send the encoded processing result to the client 2.
It should be noted that the encoding and decoding are reciprocal processes, and are not described in detail.
By encoding and then transmitting the processing result, the communication process between the client 2 and the server 1 can be further normalized, and the security of data transmission can be further improved.
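As an added illustration, not code from the patent or from its assignee: a minimal Python TTLV codec and one Get round trip through the client and server modules described above (encode the request, decode it and determine the operation, consult the key store, encode and decode the result). The item types, tag values and the Get and Result Status enumeration values are taken from the KMIP 1.x specification, in which a Tag is 3 bytes, the Type 1 byte, the Length 4 bytes and every Value is padded to a multiple of 8 bytes; the key identifier and key store contents are constructed sample data. The decoder checks every declared Length against the buffer before using it, which is the check a first coding and decoding module needs before handing a data object to the processing module.

```python
import struct

# TTLV item types and the tags used below: KMIP 1.x specification values, not from the patent
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, BYTE_STRING = 0x01, 0x02, 0x05, 0x07, 0x08
TAG = {"RequestMessage": 0x420078, "RequestHeader": 0x420077, "ProtocolVersion": 0x420069,
       "ProtocolVersionMajor": 0x42006A, "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
       "BatchItem": 0x42000F, "Operation": 0x42005C, "RequestPayload": 0x420079,
       "UniqueIdentifier": 0x420094, "ResponseMessage": 0x42007B, "ResponsePayload": 0x42007C,
       "ResultStatus": 0x42007F, "KeyValue": 0x420045, "KeyMaterial": 0x420043}
OP_GET = 0x0A                         # Operation enumeration: Get
STATUS_SUCCESS, STATUS_FAILED = 0, 1  # Result Status enumeration values

def encode(tag, typ, value):
    """One TTLV item: 3-byte tag, 1-byte type, 4-byte big-endian length, value padded to 8 bytes."""
    if typ == STRUCTURE:
        body = b"".join(encode(*child) for child in value)  # children are (tag, typ, value)
    elif typ in (INTEGER, ENUMERATION):
        body = struct.pack(">i" if typ == INTEGER else ">I", value)
    elif typ == TEXT_STRING:
        body = value.encode("utf-8")
    elif typ == BYTE_STRING:
        body = bytes(value)
    else:
        raise ValueError(f"unsupported item type {typ:#x}")
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return header + body + b"\x00" * ((-len(body)) % 8)

def decode(buf, pos=0, end=None):
    """Decode buf[pos:end] into (tag, typ, value) tuples; nested structures become lists.
    Each declared length is checked against the buffer, so an over-long claim is rejected."""
    end = len(buf) if end is None else end
    items = []
    while pos < end:
        if end - pos < 8:
            raise ValueError("truncated TTLV header")
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        typ, length = buf[pos + 3], struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        padded = length + (-length) % 8
        if pos + 8 + padded > end:
            raise ValueError("declared length exceeds message")
        raw = buf[pos + 8:pos + 8 + length]
        if typ == STRUCTURE:
            value = decode(buf, pos + 8, pos + 8 + length)
        elif typ in (INTEGER, ENUMERATION):
            if length != 4:
                raise ValueError("integer and enumeration items must be 4 bytes")
            value = struct.unpack(">i" if typ == INTEGER else ">I", raw)[0]
        elif typ == TEXT_STRING:
            value = raw.decode("utf-8")
        elif typ == BYTE_STRING:
            value = bytes(raw)
        else:
            raise ValueError(f"unsupported item type {typ:#x}")
        items.append((tag, typ, value))
        pos += 8 + padded
    return items

def find(items, tag):
    """Depth-first lookup of the first item carrying `tag`; returns its value or None."""
    for t, typ, v in items:
        hit = v if t == tag else (find(v, tag) if typ == STRUCTURE else None)
        if hit is not None:
            return hit
    return None

def build_get_request(uid):
    """Client side (second coding and decoding module): a KMIP 1.2 Get request for one key."""
    return encode(TAG["RequestMessage"], STRUCTURE, [
        (TAG["RequestHeader"], STRUCTURE, [
            (TAG["ProtocolVersion"], STRUCTURE, [(TAG["ProtocolVersionMajor"], INTEGER, 1),
                                                 (TAG["ProtocolVersionMinor"], INTEGER, 2)]),
            (TAG["BatchCount"], INTEGER, 1)]),
        (TAG["BatchItem"], STRUCTURE, [
            (TAG["Operation"], ENUMERATION, OP_GET),
            (TAG["RequestPayload"], STRUCTURE, [(TAG["UniqueIdentifier"], TEXT_STRING, uid)])])])

def handle_request(msg, key_store):
    """Server side: decode (first coding and decoding module), determine and process the
    request (processing module), consult the key store (storage module), encode the result."""
    items = decode(msg)
    op, uid = find(items, TAG["Operation"]), find(items, TAG["UniqueIdentifier"])
    if op == OP_GET and uid in key_store:
        status, payload = STATUS_SUCCESS, [
            (TAG["UniqueIdentifier"], TEXT_STRING, uid),
            (TAG["KeyValue"], STRUCTURE, [(TAG["KeyMaterial"], BYTE_STRING, key_store[uid])])]
    else:  # unknown operation or identifier: fail without returning any key material
        status, payload = STATUS_FAILED, []
    return encode(TAG["ResponseMessage"], STRUCTURE, [
        (TAG["BatchItem"], STRUCTURE, [(TAG["ResultStatus"], ENUMERATION, status),
                                       (TAG["ResponsePayload"], STRUCTURE, payload)])])

# Constructed sample standing in for the server's storage module
KEY_STORE = {"b-system-product-2019-12-26": bytes(range(16))}
```

The client completes the round trip with `find(decode(handle_request(build_get_request(uid), KEY_STORE)), TAG["KeyMaterial"])`, checking `ResultStatus` first; the 16-byte Integer example from the KMIP specification (`42 00 20 02 00 00 00 04 00 00 00 08 00 00 00 00`) round-trips through `encode` and `decode` unchanged.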
Optionally, in some embodiments, the processing module 13 is specifically configured to manage the key lifecycle state and the key object according to the key management request.
It should be noted that, the life cycle of the key refers to the process from generation to termination of the key, including: establishment of keys, backup/restoration of keys, replacement/renewal of keys, revocation of keys, and termination of keys.
The key object refers to a data object of the key, for example, a request of the client 2 for a write and read operation to the business system, and the like.
Optionally, in some embodiments, the processing module 13 is specifically configured to establish a communication connection between the client 2 and the corresponding service end when the processing result is that the authentication passes.
It is understood that some or all of the alternative embodiments described above may be included in some embodiments.
As shown in fig. 2, a schematic structural framework is provided for an embodiment of the key management client 2 based on the KMIP protocol, where the client 2 includes: the second communication module 21 and the second codec module 22, where the second codec module 22 is configured to encode the data object according to the KMIP protocol to obtain the KMIP protocol message information, and the second communication module 21 is configured to send the KMIP protocol message information to the server 1 for key verification and management.
The client 2 provided by this embodiment sends the key management request to the server 1 by means of the KMIP protocol, which solves the problem of standardized communication between a business system that needs to use keys and the key management system that generates and manages them. An enterprise needs to purchase only one set of key management system to manage the keys of all of its business systems uniformly; the key management requirements of different types of business systems can be met; the business systems require no integration work, since system calls work directly after installation and registration; and the enterprise's operating costs are greatly reduced.
Optionally, in some embodiments, the second codec module 22 is specifically configured to encode the data object according to the TTLV coding specification of the KMIP protocol to obtain the message information of the KMIP protocol.
Optionally, in some embodiments, the second communication module 21 is further configured to receive the processing result encoded according to the KMIP protocol and sent by the server 1, and the second codec module 22 is further configured to decode the encoded processing result according to the TTLV coding specification of the KMIP protocol.
Optionally, in some embodiments, the second communication module 21 is further configured to establish a communication connection with the corresponding service end when the processing result is that the verification is passed.
It is understood that some or all of the alternative embodiments described above may be included in some embodiments.
As shown in fig. 3, a schematic structural framework is provided for an embodiment of the key management system based on the KMIP protocol, and the system includes: a server 1 and a client 2 as described in any of the embodiments above.
It should be understood that the client 2 and the server 1 both store software pre-loaded with the KMIP protocol, and when one party encodes data according to the KMIP protocol, the other party decodes data according to the KMIP protocol, and at the same time, the server 1 manages the life cycle of the key.
Data transmission between the client 2 and the server 1 can be realized in a wired or wireless manner, for example, the wireless manner can be a communication manner such as 3G, 4G, 5G, and the wired manner can be realized by the internet.
It should be noted that this embodiment is a system embodiment corresponding to each previous independent product embodiment, and for the optional implementation manner and the description in this embodiment, reference may be made to the corresponding optional implementation manner and description in each product embodiment, which is not described herein again.
The reader should understand that in the description of this specification, reference to the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples, and the various embodiments or examples and the features of different embodiments or examples described in this specification can be combined by one skilled in the art as long as they do not contradict one another.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described method embodiments are merely illustrative, and for example, the division of steps into only one logical functional division may be implemented in practice in another way, for example, multiple steps may be combined or integrated into another step, or some features may be omitted, or not implemented.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A key management server based on the KMIP protocol, comprising a first communication module, a first coding and decoding module, a processing module and a storage module, wherein the first communication module is used for acquiring KMIP protocol message information sent by a client, the first coding and decoding module is used for decoding the KMIP protocol message information to obtain a data object, the processing module is used for determining the key management request of the client from the data object and processing the data object according to that request, and the storage module is used for storing the processing result.
2. The KMIP protocol-based key management server of claim 1, wherein the first codec module is specifically configured to decode the KMIP protocol message information according to a KMIP protocol TTLV encoding specification to obtain a data object.
3. The KMIP protocol-based key management server of claim 1, wherein the first codec module is further configured to encode the processing result according to a TTLV encoding specification of a KMIP protocol, and the first communication module is further configured to transmit the encoded processing result to the client.
4. The KMIP protocol-based key management server of any one of claims 1-3, wherein the processing module is specifically configured to manage key lifecycle states and key objects according to the key management request.
5. The KMIP protocol-based key management server of claim 4, wherein the processing module is specifically configured to establish a communication connection between the client and the corresponding service end when the processing result is that the authentication is passed.
6. A key management client based on the KMIP protocol, comprising a second communication module and a second coding and decoding module, wherein the second coding and decoding module is used for encoding a data object according to the KMIP protocol to obtain KMIP protocol message information, and the second communication module is used for sending the KMIP protocol message information to a server for key verification and management.
7. The key management client based on the KMIP protocol as claimed in claim 6, wherein the second codec module is specifically configured to encode the data object according to the TTLV coding specification of the KMIP protocol to obtain the KMIP protocol message information.
8. The KMIP protocol-based key management client of claim 6, wherein the second communication module is further configured to receive the processing result encoded according to the KMIP protocol and sent by the server, and the second codec module is further configured to decode the encoded processing result according to the TTLV encoding specification of the KMIP protocol.
9. The KMIP protocol-based key management client according to any one of claims 6-8, wherein the second communication module is further configured to establish a communication connection with a corresponding service end when the processing result is that the authentication is passed.
10. A key management system based on the KMIP protocol, comprising: the server of any of claims 1 to 5, and the client of any of claims 6 to 9.
Application CN201911366522.2A (priority date 2019-12-26, filing date 2019-12-26): Key management server, client and system based on KMIP protocol. Published as CN111130773A (en) on 2020-05-08; legal status Pending.

Family

ID=70503103 (one family application, CN201911366522.2A; country status: CN, CN111130773A (en))

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112995144A (en) * 2021-02-05 2021-06-18 杭州华橙软件技术有限公司 File processing method and system, readable storage medium and electronic device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102123158A (en) * 2011-04-11 2011-07-13 深圳市同洲软件有限公司 Method and system for realizing network data processing
US20130044878A1 (en) * 2011-08-19 2013-02-21 International Business Machines Corporation Extending credential type to group key management interoperability protocol (KMIP) clients
US20130044882A1 (en) * 2011-08-19 2013-02-21 International Business Machines Corporation Enhancing provisioning for keygroups using key management interoperability protocol (KMIP)
US20150180656A1 (en) * 2013-12-23 2015-06-25 International Business Machines Corporation Using key material protocol services transparently
CN105208044A (en) * 2015-10-29 2015-12-30 成都卫士通信息产业股份有限公司 Key management method suitable for cloud computing
CN107943556A (en) * 2017-11-10 2018-04-20 中国电子科技集团公司第三十二研究所 KMIP and encryption card based virtualized data security method
CN108111479A (en) * 2017-11-10 2018-06-01 中国电子科技集团公司第三十二研究所 Key management method for transparent encryption and decryption of Hadoop distributed file system
CN109274646A (en) * 2018-08-22 2019-01-25 华东计算技术研究所(中国电子科技集团公司第三十二研究所) Key management client server side method, system and medium based on KMIP protocol

Legal Events

Code Title
PB01 Publication (application publication date: 2020-05-08)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication