CN111327616A - Key management method, device, equipment and computer readable storage medium - Google Patents

Key management method, device, equipment and computer readable storage medium

Info

Publication number: CN111327616A
Authority: CN (China)
Prior art keywords: key, user, ciphertext, service system, key management
Legal status: Pending (as listed by Google Patents, not a legal conclusion)
Application number: CN202010115406.XA
Other languages: Chinese (zh)
Inventors: 杨周龙, 易德强, 肖广明
Current assignee: Dongpu Software Co Ltd
Original assignee: Dongpu Software Co Ltd
Application filed by Dongpu Software Co Ltd; priority to CN202010115406.XA; published as CN111327616A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L 63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the field of information security, and discloses a key management method, a key management device, key management equipment and a computer-readable storage medium, which are used for improving the security of key management. The method comprises the following steps: receiving a key creating instruction sent by a service system; creating a user ID according to the key creation instruction, and randomly generating a first key and a second key corresponding to the user ID, wherein the first key is used for encrypting service data in a service system; encrypting the first key through a second key and a preset symmetric encryption algorithm to obtain a key ciphertext; and returning the user ID and the second key to the service system, associating the user ID, the second key and the key ciphertext, and storing the user ID, the second key and the key ciphertext into a preset key management database.

Description

Key management method, device, equipment and computer readable storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for key management.
Background
With the development of modern society and the continuous innovation of Internet technology, demand for goods transportation keeps growing, and the security requirements for freight order information grow with it.
On an existing freight platform, once a user has filled in a freight order, the user's name, telephone number, address, consignment and transport status can all be looked up from the order number. This is the user's private information, so the freight platform generally has to encrypt the sensitive service data before storing it. Existing freight platforms usually encrypt sensitive service data with a symmetric encryption algorithm, which has a small computational cost, high encryption speed and high efficiency and is therefore suitable for encrypting large volumes of sensitive service data.
At present, the key of the symmetric encryption algorithm is generally stored in a configuration file of the service system, where any developer with access to the file can read it; once the service system is attacked, the key and the user information leak together. The security of existing key management therefore still needs to be improved.
Disclosure of Invention
The invention mainly aims to provide a key management method, a key management device, key management equipment and a computer readable storage medium, aiming at improving the security of key management.
A first aspect of the present invention provides a key management method, where the key management method includes:
receiving a key creating instruction sent by a service system;
creating a user ID according to the key creation instruction, and randomly generating a first key and a second key corresponding to the user ID, wherein the first key is used for encrypting sensitive service data in the service system;
encrypting the first key through the second key and a preset symmetric encryption algorithm to obtain a key ciphertext;
and returning the user ID and the second key to the service system, associating the user ID, the second key and the key ciphertext, and storing the user ID, the second key and the key ciphertext into a preset key management database.
Optionally, in a first implementation manner of the first aspect of the present invention, after the user ID and the second key have been returned to the service system and the user ID, the second key and the key ciphertext have been associated and stored in the preset key management database, the method further includes:
receiving a service data encryption request sent by the service system, and acquiring the user ID and the second key carried in the service data encryption request;
inquiring the key management database according to the obtained user ID and the second key to obtain a corresponding key ciphertext;
decrypting the key ciphertext through the second key and a preset symmetric decryption algorithm to obtain the first key;
and returning the first key obtained by decryption to the service system.
Optionally, in a second implementation manner of the first aspect of the present invention, after the user ID and the second key have been returned to the service system and the user ID, the second key and the key ciphertext have been associated and stored in the preset key management database, the method further includes:
triggering a key updating instruction according to a preset rule;
randomly generating a third key according to the key updating instruction, and encrypting the first key through the third key and the preset symmetric encryption algorithm to obtain a new key ciphertext;
and returning the user ID and the third key to the service system, associating the user ID, the third key and the new key ciphertext, and storing the user ID, the third key and the new key ciphertext into the key management database to replace the second key and the key ciphertext originally stored in the key management database.
Optionally, in a third implementation manner of the first aspect of the present invention, the step of triggering the key update instruction according to the preset rule includes:
when a key updating request sent by the service system is received, a key updating instruction is triggered;
or triggering the key updating instruction according to a preset key updating frequency.
Optionally, in a fourth implementation manner of the first aspect of the present invention, the symmetric encryption algorithm is an advanced encryption standard AES encryption algorithm or a data encryption standard DES encryption algorithm.
A second aspect of the present invention provides a key management apparatus comprising:
the receiving module is used for receiving a key creating instruction sent by the service system;
the creating module is used for creating a user ID according to the key creating instruction and randomly generating a first key and a second key corresponding to the user ID, wherein the first key is used for encrypting the sensitive service data in the service system;
the encryption module is used for encrypting the first key through the second key and a preset symmetric encryption algorithm to obtain a key ciphertext;
and the storage module is used for returning the user ID and the second key to the service system, associating the user ID, the second key and the key ciphertext and storing the user ID, the second key and the key ciphertext into a preset key management database.
Optionally, in a first implementation manner of the second aspect of the present invention, the key management apparatus further includes:
an obtaining module, configured to receive a service data encryption request sent by the service system, and obtain the user ID and the second key that are carried in the service data encryption request;
the query module is used for querying the key management database according to the obtained user ID and the second key to obtain a corresponding key ciphertext;
the first decryption module is used for decrypting the key ciphertext through the second key and a preset symmetric decryption algorithm to obtain the first key;
and the returning module is used for returning the first key obtained by decryption to the service system.
Optionally, in a second implementation manner of the second aspect of the present invention, the key management apparatus further includes:
the triggering module is used for triggering a key updating instruction according to a preset rule;
the second decryption module is used for acquiring the user ID, the second key and the key ciphertext stored in the key management database according to the key updating instruction, and decrypting the key ciphertext through the second key and a preset symmetric decryption algorithm to obtain the first key;
the updating module is used for randomly generating a third key and encrypting the first key through the third key and the preset symmetric encryption algorithm to obtain a new key ciphertext;
and the replacing module is used for returning the user ID and the third key to the service system, associating the user ID, the third key and the new key ciphertext and storing the user ID, the third key and the new key ciphertext into the key management database so as to replace the second key and the key ciphertext which are originally stored in the key management database.
Optionally, in a third implementation manner of the second aspect of the present invention, the triggering module is further configured to:
when a key updating request sent by the service system is received, a key updating instruction is triggered;
or triggering the key updating instruction according to a preset key updating frequency.
Optionally, in a fourth implementation manner of the second aspect of the present invention, the symmetric encryption algorithm is an advanced encryption standard AES encryption algorithm or a data encryption standard DES encryption algorithm.
A third aspect of the present invention provides a key management apparatus comprising: a memory having instructions stored therein and at least one processor, the memory and the at least one processor interconnected by a line; the at least one processor invokes the instructions in the memory to cause the key management device to perform the key management method described above.
A fourth aspect of the present invention provides a computer-readable storage medium having stored therein instructions, which, when run on a computer, cause the computer to execute the above-described key management method.
The invention receives a key creation instruction sent by a service system; creates a user ID according to the key creation instruction and randomly generates a first key and a second key corresponding to the user ID, the first key being used for encrypting service data in the service system; encrypts the first key with the second key and a preset symmetric encryption algorithm to obtain a key ciphertext; and returns the user ID and the second key to the service system while associating the user ID, the second key and the key ciphertext and storing them in a preset key management database. In this way the key that encrypts the sensitive service data is never stored in plaintext: the service system holds only the user ID and the second key, and the server holds the first key only as ciphertext under the second key, which makes the first key harder to steal and improves the security of key management.
Drawings
FIG. 1 is a flow chart illustrating a key management method according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a first key being encrypted by a second key according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating decryption of a key ciphertext by a second key in an embodiment of the invention;
FIG. 4 is a block diagram of a key management device according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a key management device according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention provide a key management method, an apparatus, a device and a computer-readable storage medium, in which the key used for encrypting sensitive service data is never stored in plaintext (the service system holds only a user ID and a second key, and the server holds the first key only as ciphertext under that second key), thereby making the key harder to steal and improving the security of key management.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," or "having," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For ease of understanding, the following describes a specific flow of an embodiment of the key management method of the present invention.
Referring to fig. 1, fig. 1 is a schematic flowchart of an embodiment of a key management method of the present invention, where the method includes:
step 101, receiving a key creation instruction sent by a service system;
it is to be understood that the executing subject of the present invention may be a key management device, and may also be a terminal or a server, which is not limited herein. The embodiment of the present invention is described by taking a server as an execution subject.
In this embodiment, the key management method may be implemented by a key management service or key management system deployed on a server, which manages in one place the keys needed to encrypt data of a service system. The service system may be a freight platform, a shopping platform or any other system that needs to encrypt sensitive service data (such as user name, telephone number, address or purchased goods) before storing it. Since the service system generates a large volume of service data every day, and a symmetric encryption algorithm has a smaller computational cost, higher encryption speed and higher efficiency than an asymmetric one, the service system in this embodiment encrypts the sensitive service data with a symmetric encryption algorithm.
Firstly, when a service system end user wants to encrypt sensitive service data in a service system by using a key, a key creation instruction can be triggered on the service system at first, the service system sends the key creation instruction to a server, and the server receives the key creation instruction sent by the service system.
Step 102, creating a user ID according to a key creation instruction, and randomly generating a first key and a second key corresponding to the user ID, wherein the first key is used for encrypting sensitive service data in a service system;
in the step, the server creates a user ID according to a received key creation instruction, and randomly generates a first key and a second key corresponding to the user ID, wherein the first key and the second key are both keys of a preset symmetric encryption algorithm, the first key is used for subsequently encrypting sensitive service data in a service system, and the second key is used for encrypting the first key.
Step 103, encrypting the first key through a second key and a preset symmetric encryption algorithm to obtain a key ciphertext;
referring to fig. 2, fig. 2 is a schematic diagram illustrating that a first key is encrypted by a second key in the embodiment of the present invention. The server encrypts the first key through the generated second key and a preset symmetric encryption algorithm to obtain a key ciphertext, wherein the symmetric encryption algorithm may be an Advanced Encryption Standard (AES) encryption algorithm or a Data Encryption Standard (DES) encryption algorithm in the prior art, or may be other symmetric encryption algorithms, and may be flexibly set in specific implementation.
And step 104, returning the user ID and the second key to the service system, associating the user ID, the second key and the key ciphertext, and storing the user ID, the second key and the key ciphertext into a preset key management database.
After encrypting the first key, the server returns the generated user ID and the second key to the service system, and stores the user ID, the second key and the key ciphertext, associated with one another, in the preset key management database. The service system therefore never holds the first key: an intruder who compromises the service system obtains only the second key, which by itself decrypts nothing in the service system, and the server holds the first key that actually encrypts the sensitive service data only as ciphertext under the second key, never in plaintext. The corresponding security application scenarios include:
Scenario 1: a junior developer A is responsible for encrypting sensitive service data in the service system, but A can only obtain the second key present in the service system and not the first key that encrypts the sensitive service data, so A cannot decrypt the service data ciphertext;
Scenario 2: an operations staff member B is responsible for operation and maintenance of the service system. B generally does not know that the second key in the service system has no direct relation to the encrypted data; even if B knows this and can read the key ciphertexts in the key management database, B cannot tell which key ciphertext belongs to which service data ciphertext, because the key management database holds no service data and no mapping from user IDs to service records. Note that this separation is what protects the first key from B: each row stores the second key next to the key ciphertext it decrypts, so the key management database must be kept out of reach of anyone who also has access to the service data ciphertexts;
Scenario 3: a hacker C attacks the service system and obtains the second key and the service data ciphertext, but the second key alone does not decrypt the service data ciphertext. This holds only as long as C cannot also send a service data encryption request to the server with the stolen user ID and second key, since that request returns the first key (see the second embodiment below); access to the key management service from the service system therefore needs to be controlled as tightly as the service system itself.
In this embodiment, a server receives a key creation instruction sent by a service system; creates a user ID according to the key creation instruction and randomly generates a first key and a second key corresponding to the user ID, the first key being used for encrypting service data in the service system; encrypts the first key with the second key and a preset symmetric encryption algorithm to obtain a key ciphertext; and returns the user ID and the second key to the service system while associating the user ID, the second key and the key ciphertext and storing them in a preset key management database. In this way the key that encrypts the sensitive service data is never stored in plaintext: the service system holds only the user ID and the second key, and the server holds the first key only as ciphertext under the second key, which makes the first key harder to steal and improves the security of key management.
Further, based on the first embodiment of the key management method of the present invention, a second embodiment of the key management method of the present invention is proposed.
In this embodiment, after step 104 the method may further include: receiving a service data encryption request sent by the service system, and acquiring the user ID and the second key carried in the service data encryption request; querying the key management database by the obtained user ID and second key to obtain the corresponding key ciphertext; decrypting the key ciphertext with the second key and a preset symmetric decryption algorithm to obtain the first key; and returning the decrypted first key to the service system.
Specifically, when the service system needs to encrypt sensitive service data, it sends a service data encryption request to the server. On receiving the request, the server extracts the user ID and the second key carried in it, queries the preset key management database for the user ID, and checks whether that user ID exists. If it does, the server further queries the database by user ID and second key to obtain the corresponding key ciphertext; if it does not, the server treats the user ID as invalid and refuses the service data encryption request. This query order lets the server identify invalid service data encryption requests quickly and accurately.
Referring to fig. 3, fig. 3 is a schematic diagram illustrating that a key ciphertext is decrypted by using a second key in the embodiment of the present invention. Because the same key is used for encryption and decryption of the symmetric encryption algorithm, after the server queries the key ciphertext corresponding to the acquired user ID and the second key, the server decrypts the key ciphertext through the second key and the preset symmetric decryption algorithm, and then the first key can be obtained. It should be noted that the symmetric decryption algorithm used here corresponds to the symmetric encryption algorithm, for example, if the AES encryption algorithm is used to encrypt the first key to obtain the key ciphertext, the AES decryption algorithm is used to decrypt the key ciphertext to obtain the first key.
The server returns the first key obtained by decryption to the service system, the service system encrypts the sensitive service data through the first key, and then stores the encrypted service data ciphertext, so that the sensitive service data are encrypted, and the leakage of user privacy information is prevented.
Further, a third embodiment of the key management method of the present invention is proposed based on the first embodiment of the key management method of the present invention.
In this embodiment, after the step 104, the method may further include: triggering a key updating instruction according to a preset rule; acquiring a user ID, a second key and a key ciphertext stored in a key management database according to the key updating instruction, and decrypting the key ciphertext through the second key and a preset symmetric decryption algorithm to obtain a first key; randomly generating a third key, and encrypting the first key through the third key and a preset symmetric encryption algorithm to obtain a new key ciphertext; and returning the user ID and the third key to the service system, associating the user ID, the third key and the new key ciphertext, and storing the user ID, the third key and the new key ciphertext into the key management database to replace the second key and the key ciphertext which are originally stored in the key management database.
The step of triggering the key update instruction according to the preset rule may specifically include: when a key updating request sent by a service system is received, a key updating instruction is triggered; or triggering the key updating instruction according to a preset key updating frequency.
In this embodiment, the server may periodically update the second key and the key ciphertext stored in the key management database. The server triggers the key update instruction either when it receives a key update request from the service system or according to a preset key update frequency, which may be set flexibly. On a key update instruction, the server reads the user ID, the second key and the key ciphertext from the key management database, decrypts the key ciphertext with the second key and the preset symmetric decryption algorithm to obtain the first key, randomly generates a third key, and encrypts the first key with the third key and the preset symmetric encryption algorithm to obtain a new key ciphertext. The server then returns the user ID and the third key to the service system, associates the user ID, the third key and the new key ciphertext, and stores them in the key management database in place of the second key and key ciphertext originally stored for that user ID. The first key itself is not changed by this update, so service data already encrypted under it remains decryptable; what is renewed is the key that wraps it, and the second key previously held by the service system stops working.
Periodically updating the second key and the key ciphertext stored in the key management database further improves the security of key management.
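The creation flow of steps 101 to 104, the data key request of the second embodiment and the key update of the third embodiment, written out as one runnable added example. This is not code from the patent or from its assignee; the in-memory map standing in for the key management database, the user ID format, the 32-byte key sizes and the choice of AES-256-GCM as the "preset symmetric encryption algorithm" are all assumptions made here (the patent names only AES or DES; DES should not be used in new designs, and an authenticated mode is chosen so that a wrong second key is rejected instead of silently producing a garbage first key). The freight record encrypted in main is constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// row is one entry of the step-104 key management database, keyed by user ID.
type row struct {
	wrappingKey []byte // the "second key" (a "third key" after rotation)
	keyCipher   []byte // the "key ciphertext": the first key wrapped under wrappingKey
}

type KMS struct{ db map[string]*row } // the map plays the key management database

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // entropy failure is not recoverable for a key service
	}
	return b
}

// The patent only names "AES or DES"; AES-256-GCM is assumed here so that a wrong
// wrapping key is detected instead of silently yielding a garbage first key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a key this program generated itself (a bad key is a bug, hence panic).
func seal(key, plaintext []byte) []byte {
	gcm, err := gcmFor(key)
	if err != nil {
		panic(err)
	}
	nonce := randomBytes(gcm.NonceSize()) // prepended to the ciphertext
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...)
}

// open reverses seal; a wrong key or a tampered ciphertext fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key length or ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// CreateKey is steps 101-104; only the first key's ciphertext is stored, never the first key.
func (k *KMS) CreateKey() (string, []byte) {
	userID := fmt.Sprintf("%x", randomBytes(8))
	first, second := randomBytes(32), randomBytes(32)
	k.db[userID] = &row{wrappingKey: second, keyCipher: seal(second, first)}
	return userID, second
}

// DataKey is the second embodiment: an unknown user ID is refused before any decryption;
// a second key that does not match the stored row fails the GCM check inside open.
func (k *KMS) DataKey(userID string, second []byte) ([]byte, error) {
	r, ok := k.db[userID]
	if !ok {
		return nil, errors.New("illegal user ID: encryption request refused")
	}
	return open(second, r.keyCipher)
}

// Rotate is the third embodiment: re-wrap the unchanged first key under a fresh third key.
func (k *KMS) Rotate(userID string) ([]byte, error) {
	r, ok := k.db[userID]
	if !ok {
		return nil, errors.New("illegal user ID")
	}
	first, err := open(r.wrappingKey, r.keyCipher)
	if err != nil {
		return nil, err
	}
	third := randomBytes(32)
	*r = row{wrappingKey: third, keyCipher: seal(third, first)}
	return third, nil
}

func main() {
	kms := &KMS{db: map[string]*row{}}
	userID, second := kms.CreateKey()
	first, _ := kms.DataKey(userID, second)
	sealed := seal(first, []byte("order=20200225-0001;name=Zhang San")) // constructed record
	third, _ := kms.Rotate(userID)
	_, errOld := kms.DataKey(userID, second) // the pre-rotation second key must fail now
	first, _ = kms.DataKey(userID, third)
	plain, _ := open(first, sealed)
	fmt.Printf("old second key rejected: %v; record: %s\n", errOld != nil, plain)
}
```

DataKey is exactly the call the service system makes before every encryption, and therefore also the call anyone holding the service system's user ID and second key could make; in a deployment, who may reach that endpoint matters as much as the wrapping itself. Rotate shows that the update of the third embodiment renews only the wrapping key: the first key, and the data encrypted under it, are untouched, while the old second key is refused.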
The embodiment of the invention also provides a key management device.
Referring to fig. 4, fig. 4 is a block diagram of a key management device according to an embodiment of the present invention. In this embodiment, the key management apparatus includes:
a receiving module 401, configured to receive a key creation instruction sent by a service system;
a creating module 402, configured to create a user ID according to a key creating instruction, and randomly generate a first key and a second key corresponding to the user ID, where the first key is used to encrypt sensitive service data in a service system;
the encryption module 403 is configured to encrypt the first key through the second key and a preset symmetric encryption algorithm to obtain a key ciphertext;
the storage module 404 is configured to return the user ID and the second key to the service system, and store the user ID, the second key, and the key ciphertext in a preset key management database after associating the user ID, the second key, and the key ciphertext.
Optionally, in a first implementation manner of the second aspect of the present invention, the key management apparatus further includes:
the acquisition module is used for receiving a service data encryption request sent by a service system and acquiring a user ID and a second secret key carried in the service data encryption request;
the query module is used for querying the key management database according to the obtained user ID and the second key to obtain a corresponding key ciphertext;
the first decryption module is used for decrypting the key ciphertext through the second key and a preset symmetric decryption algorithm to obtain a first key;
and the returning module is used for returning the first key obtained by decryption to the service system.
Optionally, in a second implementation manner of the second aspect of the present invention, the key management apparatus further includes:
the triggering module is used for triggering a key updating instruction according to a preset rule;
the second decryption module is used for acquiring the user ID, the second key and the key ciphertext stored in the key management database according to the key updating instruction, and decrypting the key ciphertext through the second key and a preset symmetric decryption algorithm to obtain the first key;
the updating module is used for randomly generating a third key and encrypting the first key through the third key and the preset symmetric encryption algorithm to obtain a new key ciphertext;
and the replacing module is used for returning the user ID and the third key to the service system, associating the user ID, the third key and the new key ciphertext and storing the user ID, the third key and the new key ciphertext into the key management database so as to replace the second key and the key ciphertext which are originally stored in the key management database.
Optionally, in a third implementation manner of the second aspect of the present invention, the triggering module is further configured to:
trigger the key updating instruction when a key updating request sent by the service system is received;
or trigger the key updating instruction according to a preset key updating frequency.
Optionally, in a fourth implementation manner of the second aspect of the present invention, the symmetric encryption algorithm is the Advanced Encryption Standard (AES) algorithm or the Data Encryption Standard (DES) algorithm.
The function implementation and beneficial effects of each module in the key management device correspond to those of each step in the key management method embodiment, and are not described herein again.
The key management apparatus in the embodiment of the present invention has been described above from the perspective of modular functional entities; the key management device in the embodiment of the present invention is described below from the perspective of hardware processing.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a key management device according to an embodiment of the present invention. The key management device 500 may vary significantly depending on configuration or performance, and may include one or more processors (CPUs) 510 (e.g., one or more processors), memory 520, and one or more storage media 530 (e.g., one or more mass storage devices) storing applications 533 or data 532. Memory 520 and storage media 530 may be, among other things, transient or persistent storage. The program stored on the storage medium 530 may include one or more modules (not shown), each of which may include a series of instructions operating on the key management device 500. Still further, the processor 510 may be configured to communicate with the storage medium 530 to execute the series of instruction operations in the storage medium 530 on the key management device 500.
The key management device 500 may also include one or more power supplies 540, one or more wired or wireless network interfaces 550, one or more input-output interfaces 560, and/or one or more operating systems 531, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, and so forth. Those skilled in the art will appreciate that the key management device configuration shown in fig. 5 does not constitute a limitation of the key management device, which may include more or fewer components than those shown, may combine some components, or may arrange the components differently.
The present invention also provides a computer-readable storage medium, which may be a non-volatile computer-readable storage medium or a volatile computer-readable storage medium, and the computer-readable storage medium stores a key management program, and the key management program implements the steps of the key management method when executed by a processor.
For the method steps and beneficial effects of the key management program when executed on the processor, reference may be made to the embodiments of the key management method of the present invention, which are not repeated here.
It will be appreciated by those skilled in the art that the above-described integrated modules or units, if implemented as software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A key management method, characterized in that the key management method comprises the steps of:
receiving a key creating instruction sent by a service system;
creating a user ID according to the key creation instruction, and randomly generating a first key and a second key corresponding to the user ID, wherein the first key is used for encrypting sensitive service data in the service system;
encrypting the first key through the second key and a preset symmetric encryption algorithm to obtain a key ciphertext;
and returning the user ID and the second key to the service system, associating the user ID, the second key and the key ciphertext, and storing the user ID, the second key and the key ciphertext into a preset key management database.
2. The key management method according to claim 1, wherein after the step of returning the user ID and the second key to the service system, and storing the user ID, the second key, and the key ciphertext in a preset key management database after associating them, the method further comprises:
receiving a service data encryption request sent by the service system, and acquiring the user ID and the second key carried in the service data encryption request;
inquiring the key management database according to the obtained user ID and the second key to obtain a corresponding key ciphertext;
decrypting the key ciphertext through the second key and a preset symmetric decryption algorithm to obtain the first key;
and returning the first key obtained by decryption to the service system.
3. The key management method according to claim 1, wherein after the step of returning the user ID and the second key to the service system, and storing the user ID, the second key, and the key ciphertext in a preset key management database after associating them, the method further comprises:
triggering a key updating instruction according to a preset rule;
acquiring the user ID, the second key and the key ciphertext stored in the key management database according to the key updating instruction, and decrypting the key ciphertext through the second key and a preset symmetric decryption algorithm to obtain the first key;
randomly generating a third key, and encrypting the first key through the third key and the preset symmetric encryption algorithm to obtain a new key ciphertext;
and returning the user ID and the third key to the service system, associating the user ID, the third key and the new key ciphertext, and storing the user ID, the third key and the new key ciphertext into the key management database to replace the second key and the key ciphertext originally stored in the key management database.
4. The key management method of claim 3, wherein the step of triggering the key update instruction according to the preset rule comprises:
triggering the key updating instruction when a key updating request sent by the service system is received;
or triggering the key updating instruction according to a preset key updating frequency.
5. The key management method according to any one of claims 1-4, wherein the symmetric encryption algorithm is an Advanced Encryption Standard (AES) encryption algorithm, or a Data Encryption Standard (DES) encryption algorithm.
6. A key management apparatus, characterized in that the key management apparatus comprises:
the receiving module is used for receiving a key creating instruction sent by the service system;
the creating module is used for creating a user ID according to the key creating instruction and randomly generating a first key and a second key corresponding to the user ID, wherein the first key is used for encrypting the sensitive service data in the service system;
the encryption module is used for encrypting the first key through the second key and a preset symmetric encryption algorithm to obtain a key ciphertext;
and the storage module is used for returning the user ID and the second key to the service system, associating the user ID, the second key and the key ciphertext and storing the user ID, the second key and the key ciphertext into a preset key management database.
7. The key management apparatus of claim 6, wherein the key management apparatus further comprises:
an obtaining module, configured to receive a service data encryption request sent by the service system, and obtain the user ID and the second key that are carried in the service data encryption request;
the query module is used for querying the key management database according to the obtained user ID and the second key to obtain a corresponding key ciphertext;
the first decryption module is used for decrypting the key ciphertext through the second key and a preset symmetric decryption algorithm to obtain the first key;
and the returning module is used for returning the first key obtained by decryption to the service system.
8. The key management apparatus of claim 6, wherein the key management apparatus further comprises:
the triggering module is used for triggering a key updating instruction according to a preset rule;
the second decryption module is used for acquiring the user ID, the second key and the key ciphertext stored in the key management database according to the key updating instruction, and decrypting the key ciphertext through the second key and a preset symmetric decryption algorithm to obtain the first key;
the updating module is used for randomly generating a third key and encrypting the first key through the third key and the preset symmetric encryption algorithm to obtain a new key ciphertext;
and the replacing module is used for returning the user ID and the third key to the service system, associating the user ID, the third key and the new key ciphertext and storing the user ID, the third key and the new key ciphertext into the key management database so as to replace the second key and the key ciphertext which are originally stored in the key management database.
9. A key management device, characterized in that the key management device comprises: a memory having instructions stored therein and at least one processor, the memory and the at least one processor interconnected by a line;
the at least one processor invokes the instructions in the memory to cause the key management device to perform the key management method of any of claims 1-5.
10. A computer-readable storage medium, having stored thereon a computer program, wherein the computer program, when executed by a processor, implements a key management method according to any one of claims 1-5.
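As an added illustration (not the patent's own code), the following Go sketch implements the key management side of claims 1 to 3, with a map standing in for the key management database: the first key is the data key the service system uses, the second key only wraps it, and a key update swaps the wrapping key while the first key, and so the service data encrypted under it, stays untouched. The claims name AES but no mode, so AES-256-GCM with the nonce prefixed to the key ciphertext, the 32-byte key sizes, the hex user ID and all function names are this example's assumptions; note that, exactly as claim 1 specifies, the second key is stored in the same row as the ciphertext it protects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
)

type row struct{ secondKey, keyCipher []byte } // one database row: claim 1 keeps both together
type KMS map[string]row                        // the key management database, keyed by user ID
const nonceSize = 12                           // cipher.NewGCM's standard nonce size; rows hold nonce || ciphertext

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-256-GCM under key (the claims name only AES; GCM is this example's assumption).
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable: every key here is 32 bytes from randomBytes
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// wrap is the "encrypt the first key through the second key" step of claim 1.
func wrap(key, firstKey []byte) []byte {
	nonce := randomBytes(nonceSize)
	return gcmFor(key).Seal(nonce, nonce, firstKey, nil)
}

// Create follows claim 1: new user ID, random first and second key, row stored, (userID, secondKey) returned.
func (k KMS) Create() (userID string, secondKey []byte) {
	userID, secondKey = hex.EncodeToString(randomBytes(8)), randomBytes(32)
	k[userID] = row{secondKey, wrap(secondKey, randomBytes(32))}
	return userID, secondKey
}

// FirstKey follows claim 2: find the row, check the presented second key in constant time, unwrap.
func (k KMS) FirstKey(userID string, secondKey []byte) ([]byte, error) {
	r, ok := k[userID]
	if !ok || subtle.ConstantTimeCompare(r.secondKey, secondKey) != 1 {
		return nil, errors.New("no row for this user ID and second key")
	}
	return gcmFor(secondKey).Open(nil, r.keyCipher[:nonceSize], r.keyCipher[nonceSize:], nil)
}

// Rotate follows claim 3: rewrap the unchanged first key under a fresh third key and replace the row.
func (k KMS) Rotate(userID string) ([]byte, error) {
	firstKey, err := k.FirstKey(userID, k[userID].secondKey)
	if err != nil {
		return nil, err
	}
	thirdKey := randomBytes(32)
	k[userID] = row{thirdKey, wrap(thirdKey, firstKey)}
	return thirdKey, nil
}
```

The trigger of claim 4 (a request from the service system, or a timer at the preset update frequency) is whatever calls Rotate; after it runs, the old second key no longer matches the stored row and the service must use the returned third key.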
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010115406.XA CN111327616A (en) 2020-02-25 2020-02-25 Key management method, device, equipment and computer readable storage medium
Publications (1)

Publication Number Publication Date
CN111327616A true CN111327616A (en) 2020-06-23

Family

ID=71167196

Country Status (1)

Country Link
CN (1) CN111327616A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20200623)