CN111339578A - Key access method, device, system, equipment and storage medium - Google Patents

Info

Publication number
CN111339578A
Authority
CN
China
Prior art keywords
key
key data
data
target
application identifier
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202010108469.2A
Other languages
Chinese (zh)
Inventor
邢希双
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou Inspur Intelligent Technology Co Ltd filed Critical Suzhou Inspur Intelligent Technology Co Ltd
Priority to CN202010108469.2A priority Critical patent/CN111339578A/en
Priority to PCT/CN2020/098033 priority patent/WO2021164167A1/en
Publication of CN111339578A publication Critical patent/CN111339578A/en
Withdrawn legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses a key access method, device, system, equipment and storage medium. When service data are received, an application identifier and key data corresponding to the service data are generated according to a preset key generation rule, and the key data are format-converted according to a set algorithm. The application identifier and the format-converted key data are stored in kernel memory and on a set physical hard disk, which provides persistent storage of the key data. When a key acquisition request carrying a target application identifier is received from a service application program, the corresponding target key data are obtained from kernel memory. Because kernel space starts before any application program when the operating system boots, storing the key data in kernel memory protects it well from damage. No extra hardware is needed, so the confidentiality and usability of the key data are ensured while the cost of protecting the key data is reduced.

Description

Key access method, device, system, equipment and storage medium
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method, an apparatus, a system, a device, and a computer-readable storage medium for accessing a secret key.
Background
With the development of novel technologies such as cloud computing and big data, the security requirements on cloud hosts and servers are higher and higher. Applications on cloud hosts and servers are carriers of externally provided services, which provide users with desired services by processing various business data.
The service data contains a lot of sensitive information, and hackers can easily profit once they acquire it. Service data is therefore a focus of external hackers, and it is important to prevent the sensitive information in it from leaking. The most common means of protecting sensitive information in service data is encryption, which includes encrypted storage and encrypted transmission. The most important aspect of encryption is key management.
A hacker faced with encrypted service data is like someone facing a locked gate: no valuable information can be obtained. A hacker who obtains the key holds the key to that gate and can open it easily to obtain any required information at will. Key management is therefore critical, and the key management system must be sufficiently secure and robust. Key management is usually implemented as independent hardware, such as a Hardware Security Module (HSM) or a USB-interface hardware device (USB Key); as an independent system, such as a Key Management System (KMS) or a Key Management Center (KMC); or as a separate chip, such as a security chip (TPM). Each is independent of the operating system that runs the application program, so as to achieve sufficient security.
However, in a practical production environment, the investment in some small systems is very low, and the system manufacturer cannot accept the introduction of independent hardware, systems or chips. In addition, when some existing business systems undergo a security upgrade, the operators or customers do not allow additional hardware, systems or chips to be added.
It can be seen that how to reduce the cost of security protection of key data is a problem to be solved by those skilled in the art.
Disclosure of Invention
Embodiments of the present invention provide a method, an apparatus, a system, a device, and a storage medium for accessing a key, which can reduce the cost of security protection of key data.
To solve the foregoing technical problem, an embodiment of the present invention provides a key access method, including:
when business data are received, generating an application identifier and key data corresponding to the business data according to a preset key generation rule;
carrying out format conversion on the key data according to a set algorithm;
storing the application identifier and the key data after format conversion into a kernel memory and a set physical hard disk;
and when a key acquisition request carrying a target application identifier sent by a service application program is acquired, acquiring corresponding target key data from a kernel memory.
Optionally, the storing the application identifier and the format-converted key data into a set physical hard disk includes:
carrying out segmentation processing on the key data after format conversion to obtain at least one data packet;
storing each data packet into a corresponding file; all files are arranged on the physical hard disk, and the file attributes of all files are set to be hidden.
Optionally, after storing the application identifier and the key data after the format conversion to a kernel memory and a set physical hard disk, the method further includes:
when the operating system is restarted, copying each data packet from the physical hard disk, and storing each spliced data packet to the kernel memory.
Optionally, when the key obtaining request carrying the target application identifier sent by the service application program is obtained, obtaining the corresponding target key data from the kernel memory includes:
when a key acquisition request carrying a target application identifier sent by a service application program is acquired, judging whether target key data matched with the target application identifier exists in a kernel memory;
and if so, copying the target key data to a user mode memory provided by the service application program.
Optionally, after copying the target key data to the user mode memory provided by the service application program, the method further includes:
carrying out format conversion on the target key data according to the set algorithm;
and releasing the user mode memory after completing the encryption and decryption operation on the target service data by using the target key data after format conversion.
Optionally, after acquiring the key acquisition request carrying the target application identifier sent by the service application program, before acquiring the corresponding target key data from the kernel memory, the method further includes:
according to a set verification rule, performing validity verification on the key acquisition request;
and after the verification is passed, executing the step of acquiring the corresponding target key data from the kernel memory.
Optionally, the performing format conversion on the key data according to a set algorithm includes:
and performing exclusive OR processing on the key data and preset parameters, and taking a processing result as the key data after format conversion.
Optionally, the key generation rule is saved in a code obfuscation manner.
The embodiment of the invention also provides a key access device, which comprises a generating unit, a converting unit, a storing unit and an acquiring unit;
the generation unit is used for generating an application identifier and key data corresponding to the service data according to a preset key generation rule when the service data are received;
the conversion unit is used for carrying out format conversion on the key data according to a set algorithm;
the storage unit is used for storing the application identifier and the key data after format conversion into a kernel memory and a set physical hard disk;
the acquiring unit is used for acquiring corresponding target key data from the kernel memory when acquiring a key acquiring request which is sent by the service application program and carries a target application identifier.
Optionally, the storage unit comprises a segmentation subunit and a storage subunit;
the segmentation subunit is configured to perform segmentation processing on the format-converted key data to obtain at least one data packet;
the storage subunit is configured to store each data packet into a corresponding file; all files are arranged on the physical hard disk, and the file attributes of all files are set to be hidden.
Optionally, a copy unit is also included;
and the copying unit is used for copying each data packet from the physical hard disk when the operating system is restarted, and storing each spliced data packet to the kernel memory.
Optionally, the obtaining unit includes a judging subunit and a copying subunit;
the judging subunit is configured to, when a key acquisition request carrying a target application identifier sent by a service application program is acquired, judge whether target key data matching the target application identifier exists in a kernel memory; if yes, triggering the copy subunit;
and the copying subunit is configured to copy the target key data to a user mode memory provided by the service application program.
Optionally, a release unit is further included;
the conversion unit is also used for carrying out format conversion on the target key data according to the set algorithm;
and the release unit is used for releasing the user mode memory after the encryption and decryption operation on the target service data is completed by using the target key data after the format conversion.
Optionally, a verification unit is further included;
the verification unit is used for verifying the validity of the key acquisition request according to a set verification rule; and triggering the acquisition unit to execute the step of acquiring the corresponding target key data from the kernel memory after the verification is passed.
Optionally, the conversion unit is specifically configured to perform xor processing on the key data and a preset parameter, and use a processing result as the format-converted key data.
Optionally, the key generation rule is saved in a code obfuscation manner.
The embodiment of the invention also provides a key access system, which comprises a service application module and a filter driving module;
the service application module is used for generating an application identifier and key data corresponding to the service data according to a preset key generation rule when the service data are received; carrying out format conversion on the key data according to a set algorithm; establishing communication connection with the filter driving module by using a preset safety communication verification mechanism, and transmitting the application identifier and the key data after format conversion to the filter driving module; when a key acquisition instruction is acquired, sending a key acquisition request carrying a target application identifier to the filter driving module;
the filtering drive module is used for storing the application identifier and the key data after format conversion into a kernel memory and a set physical hard disk; and when a key acquisition request carrying a target application identifier sent by a service application program is acquired, acquiring corresponding target key data from a kernel memory.
An embodiment of the present invention further provides a key access device, including:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the key access method as described in any one of the above.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the key access method are implemented as any one of the above.
According to the technical scheme, when service data are received, an application identifier and key data corresponding to the service data are generated according to a preset key generation rule, and the key data are format-converted according to a set algorithm. Format conversion changes the presentation of the key data, which improves its security. The application identifier and the format-converted key data are stored in kernel memory and on a set physical hard disk, and when a key acquisition request carrying a target application identifier is received from a service application program, the corresponding target key data are obtained from kernel memory. Because kernel space starts before any application program when the operating system boots, storing the key data in kernel memory protects it well from damage. Because data in kernel memory are lost when the system loses power, the key data can also be stored on the physical hard disk, which provides persistent storage. In this scheme the storage of key data depends only on the kernel memory and the physical hard disk of the operating system, with no extra hardware, so the confidentiality and usability of the key data are ensured while the cost of protecting the key data is reduced.
Drawings
In order to illustrate the embodiments of the present invention more clearly, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a key access method according to an embodiment of the present invention;
Fig. 2 is a flowchart of a key data storage method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a key access device according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a key access system according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a key access device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without any creative work belong to the protection scope of the present invention.
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
Next, a key access method provided by the embodiment of the invention is described in detail. Fig. 1 is a flowchart of a key access method according to an embodiment of the present invention, where the method includes:
S101: When service data is received, generate an application identifier and key data corresponding to the service data according to a preset key generation rule.
The key data refers to key information that is relied upon when encryption and decryption processing is performed on the service data.
The key generation rule is used to indicate the specific way in which the key is generated. In practical application, the key data can be generated by transforming and combining the MAC address of the hardware network card, the ID of the hardware CPU, the current system time, and the currently generated random number.
In the embodiment of the present invention, the operating system generates the key data depending on the preset key generation rule, and in order to improve the security of the key generation rule, the key generation rule may be saved in a code obfuscation manner.
The key data adopted in the encryption processing of different service data are different, and in order to facilitate distinguishing different service data, in the embodiment of the present invention, corresponding application identifiers may be set for different service data. The application identification and the key data have a correspondence.
S102: Perform format conversion on the key data according to a set algorithm.
To ensure the security of the key data, the presentation format of the key data may be converted after the key data is generated, turning it into a data format that cannot be used directly. Once the key data has been format-converted, even if it is illegally acquired, the service data cannot be decrypted directly with it.
Format conversion of the key data may be performed in various ways; for example, a bit operation may be applied to the key data. Taking the XOR operation as an example, the key data may be XORed with a predetermined parameter, and the result used as the format-converted key data.
S103: Store the application identifier and the format-converted key data in kernel memory and on a set physical hard disk.
The operating system strictly separates the memory used in kernel mode from the memory used in user mode, and application programs cannot see or use kernel memory. In the embodiment of the invention, the key data is therefore stored in kernel memory to ensure its security.
Because the data in kernel memory is lost when the system restarts after a power failure, the operating system can, to ensure persistent storage of the key data, store the key data on a preset physical hard disk at the same time as it stores it in kernel memory. Data on a physical hard disk is not lost on power failure, so persistent storage of the key data is ensured.
S104: When a key acquisition request carrying a target application identifier sent by a service application program is received, obtain the corresponding target key data from kernel memory.
When the encrypted service data needs to be decrypted, the required key data can be acquired from the kernel memory.
The key data is stored according to the correspondence between application identifier and key data, and the application identifier corresponding to given service data is fixed, so when key data is needed, a key acquisition request carrying the target application identifier can be sent to the operating system.
When the operating system receives the key acquisition request, it can query whether an application identifier identical to the target application identifier exists in kernel memory; the key data corresponding to that application identifier is the target key data required by the user.
In the embodiment of the present invention, key data remains on the physical hard disk for a long time, and the longer it is stored, the higher the security risk. To further improve the security of key data storage, the key data may be divided into a plurality of data segments that are stored separately.
Fig. 2 is a flowchart of a key data storage method according to an embodiment of the present invention, where the method includes:
S201: When service data is received, generate an application identifier and key data corresponding to the service data according to a preset key generation rule.
For the specific implementation of S201, refer to the description of S101; it is not repeated here.
S202: Perform format conversion on the key data according to a set algorithm.
For the specific implementation of S202, refer to the description of S102; it is not repeated here.
S203: Segment the format-converted key data to obtain at least one data packet.
In a specific implementation, a plurality of files may be set up on the physical hard disk, and when the operating system obtains the format-converted key data, it may segment that data to obtain at least one data packet.
S204: Store each data packet in a corresponding file.
All files are located on the physical hard disk.
In the embodiment of the present invention, the number of files may be preset, and the file in which each data packet is stored may also be preset. For example, following the order in which the data packets are combined, the first data packet may be stored in the first file, the second in the last file, the third in the second file, the fourth in the penultimate file, and so on until all data packets are stored. When there are more data packets than files, the same polling may be repeated, or all remaining data packets may be stored in the last remaining file. Disturbing the storage order of the data packets further improves the security of key data storage.
To improve the security of the files, the file attributes of all files can be set to hidden, and the operating system can intercept access to the hidden files by all non-service application programs.
S205: When a key acquisition request carrying a target application identifier sent by a service application program is received, obtain the corresponding target key data from kernel memory.
The specific implementation manner of S205 may refer to the description of S104, and is not described herein again.
In the embodiment of the invention, storing the format-converted key data in segments effectively improves the security of the key data. If an illegal user maliciously acquires one segment of the key data, the key data obtained is incomplete and cannot be used directly to perform data decryption. Even if the illegal user acquires all the data packets corresponding to the key data, the user does not know the order in which the data packets are combined and therefore cannot use them directly to perform data decryption.
Because data in kernel memory is lost when the system loses power, after the application identifier and the format-converted key data have been stored in kernel memory and on the set physical hard disk, each data packet can be copied automatically from the physical hard disk when the operating system restarts, and the spliced data packets stored in kernel memory, so that the operating system can obtain the key data from kernel memory.
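The conversion in S102, the packet placement in S203/S204 and the reassembly on restart can be traced in a user-space simulation. This C block is an added example, not code from the patent; the packet size, file count, XOR parameter and key bytes are constructed, and in-memory buffers stand in for the hidden files.

```c
/* Added example: user-space simulation of S102, S203/S204 and the restart path. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_LEN    4    /* bytes per data packet (assumption) */
#define NUM_FILES  3    /* preset number of files (assumption) */
#define FILE_CAP  32    /* capacity of each simulated file */

/* In-memory stand-in for one hidden file on the physical hard disk. */
struct key_file { uint8_t data[FILE_CAP]; size_t len; };

/* Constructed preset parameter for the XOR format conversion. */
static const uint8_t XOR_PARAM[4] = {0xA5, 0x3C, 0x5A, 0xC3};

/* S102: XOR with the preset parameter. Applying it twice restores the input. */
static void xor_convert(uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= XOR_PARAM[i % sizeof XOR_PARAM];
}

/* Placement rule from the description: packet 0 -> first file, 1 -> last,
 * 2 -> second, 3 -> penultimate, ... and the same polling again when there
 * are more packets than files. */
static size_t file_for_packet(size_t pkt, size_t nfiles)
{
    size_t step = pkt % nfiles;
    return (step % 2 == 0) ? step / 2 : nfiles - 1 - step / 2;
}

/* S203/S204: cut the converted key into packets and append each to its file. */
static int store_packets(const uint8_t *conv, size_t len, struct key_file *files)
{
    for (size_t off = 0, pkt = 0; off < len; off += PKT_LEN, pkt++) {
        size_t n = (len - off < PKT_LEN) ? len - off : PKT_LEN;
        struct key_file *f = &files[file_for_packet(pkt, NUM_FILES)];
        if (f->len + n > FILE_CAP)
            return -1;
        memcpy(f->data + f->len, conv + off, n);
        f->len += n;
    }
    return 0;
}

/* Restart path: read the packets back in combination order and splice them. */
static int load_packets(uint8_t *out, size_t len, const struct key_file *files)
{
    size_t rd[NUM_FILES] = {0};              /* read cursor per file */
    for (size_t off = 0, pkt = 0; off < len; off += PKT_LEN, pkt++) {
        size_t n = (len - off < PKT_LEN) ? len - off : PKT_LEN;
        size_t fi = file_for_packet(pkt, NUM_FILES);
        if (rd[fi] + n > files[fi].len)
            return -1;                       /* file truncated or data missing */
        memcpy(out + off, files[fi].data + rd[fi], n);
        rd[fi] += n;
    }
    return 0;
}

/* Full cycle for a constructed key of key_len bytes; returns 1 on success. */
static int roundtrip_ok(size_t key_len)
{
    uint8_t key[FILE_CAP], conv[FILE_CAP], kmem[FILE_CAP];
    struct key_file files[NUM_FILES];
    if (key_len > FILE_CAP)
        return 0;
    memset(files, 0, sizeof files);
    for (size_t i = 0; i < key_len; i++)
        key[i] = (uint8_t)(0x10 + i);        /* constructed key bytes */
    memcpy(conv, key, key_len);
    xor_convert(conv, key_len);              /* format conversion */
    if (store_packets(conv, key_len, files) != 0)
        return 0;
    /* "Restart": the kernel copy is gone, rebuild it from the files. */
    if (load_packets(kmem, key_len, files) != 0)
        return 0;
    if (memcmp(kmem, conv, key_len) != 0)
        return 0;
    xor_convert(kmem, key_len);              /* convert back before use */
    return memcmp(kmem, key, key_len) == 0;
}

/* Returns 1 if a shortened file is rejected during reassembly. */
static int truncation_detected(void)
{
    uint8_t conv[16], out[16];
    struct key_file files[NUM_FILES];
    memset(files, 0, sizeof files);
    for (size_t i = 0; i < sizeof conv; i++)
        conv[i] = (uint8_t)i;
    if (store_packets(conv, sizeof conv, files) != 0)
        return 0;
    files[2].len -= 1;                       /* simulate a damaged file */
    return load_packets(out, sizeof out, files) == -1;
}

int main(void)
{
    printf("16-byte key round trip: %s\n", roundtrip_ok(16) ? "ok" : "FAILED");
    printf("18-byte key round trip: %s\n", roundtrip_ok(18) ? "ok" : "FAILED");
    printf("truncated file rejected: %s\n", truncation_detected() ? "yes" : "NO");
    return 0;
}
```

The XOR with a fixed parameter and the fixed placement order are both reversible by anyone who holds the driver code and the files, so they obscure the key rather than encrypt it.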
In practical application, when an operating system needs to acquire key data, a user mode memory can be allocated by calling a function to hold the key data, and when target key data matching the target application identifier exists in kernel memory, the target key data is copied to the user mode memory provided by the service application program.
Since the target key data is format-converted data, when the target service data is encrypted or decrypted, the target key data must first be format-converted according to the set algorithm, and the encryption and decryption operations on the target service data are then completed with the format-converted target key data.
After the encryption and decryption operations on the target service data are completed, the user mode memory can be released.
By releasing the user mode memory, the storage time of the target key data in the user mode memory can be reduced, so that the security of the target key data is improved.
In the embodiment of the present invention, in order to prevent other non-service application programs from accessing the kernel memory, after a key acquisition request carrying a target application identifier sent by a service application program is acquired, before corresponding target key data is acquired from the kernel memory, validity verification may be performed on the key acquisition request according to a set verification rule; and after the verification is passed, executing the step of acquiring the corresponding target key data from the kernel memory.
Various verification methods may be used. For example, a specific character string that the service application must carry when it accesses the operating system to obtain key data may be preset; when the key acquisition request sent by the service application carries that specific character string, the request is considered a valid request.
Verifying the validity of the key acquisition request effectively reduces cases in which a non-service application program that has illegally obtained the application identifier of a service application program impersonates that program to illegally acquire the key data.
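The request path described above (verify the request, look up the target application identifier, copy the converted key out, convert it back, use it, release the buffer) as a user-space C simulation. It is an added example, not code from the patent: the token value, table layout, error codes, the constant-time comparison and the wipe before `free` are assumptions, and plain `memcpy` stands in for the kernel-to-user copy.

```c
/* Added example: user-space simulation of the key acquisition request path. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN   16
#define TOKEN_LEN 8
#define MAX_KEYS  4

enum { KEY_OK = 0, KEY_EBADREQ = -1, KEY_ENOENT = -2, KEY_ENOMEM = -3 };

struct key_entry   { uint32_t app_id; uint8_t conv_key[KEY_LEN]; };
struct key_request { uint32_t target_app_id; uint8_t token[TOKEN_LEN]; };

/* Constructed values: XOR parameter and the preset "specific character string". */
static const uint8_t XOR_PARAM[4] = {0xA5, 0x3C, 0x5A, 0xC3};
static const uint8_t PRESET_TOKEN[TOKEN_LEN] = {'s','v','c','-','0','0','0','1'};
static const uint8_t WRONG_TOKEN[TOKEN_LEN]  = {'s','v','c','-','9','9','9','9'};

/* Stand-in for the table the filter driver keeps in kernel memory. */
static struct key_entry kernel_table[MAX_KEYS];
static size_t kernel_count;

static void xor_convert(uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= XOR_PARAM[i % sizeof XOR_PARAM];
}

/* Comparison whose running time does not depend on where the bytes differ. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Wipe through a volatile pointer so the stores are not optimized away. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *v = p;
    while (n--)
        *v++ = 0;
}

/* Driver side, storing: only the format-converted key is kept. */
static int driver_store(uint32_t app_id, const uint8_t *conv_key)
{
    if (kernel_count == MAX_KEYS)
        return KEY_ENOMEM;
    kernel_table[kernel_count].app_id = app_id;
    memcpy(kernel_table[kernel_count].conv_key, conv_key, KEY_LEN);
    kernel_count++;
    return KEY_OK;
}

/* Driver side, serving: verify the request first, then look up, then copy out. */
static int driver_get_key(const struct key_request *req, uint8_t *user_buf, size_t user_len)
{
    if (!req || !user_buf || user_len < KEY_LEN)
        return KEY_EBADREQ;
    if (!ct_equal(req->token, PRESET_TOKEN, TOKEN_LEN))
        return KEY_EBADREQ;
    for (size_t i = 0; i < kernel_count; i++) {
        if (kernel_table[i].app_id == req->target_app_id) {
            memcpy(user_buf, kernel_table[i].conv_key, KEY_LEN);
            return KEY_OK;
        }
    }
    return KEY_ENOENT;
}

typedef int (*key_op)(const uint8_t *key, size_t len, void *ctx);

/* Service side: allocate, request, convert back, use, wipe, release. */
static int service_use_key(uint32_t app_id, const uint8_t *token, key_op op, void *ctx)
{
    struct key_request req;
    uint8_t *buf = malloc(KEY_LEN);
    int rc;
    if (!buf)
        return KEY_ENOMEM;
    req.target_app_id = app_id;
    memcpy(req.token, token, TOKEN_LEN);
    rc = driver_get_key(&req, buf, KEY_LEN);
    if (rc == KEY_OK) {
        xor_convert(buf, KEY_LEN);          /* usable key exists only here */
        rc = op(buf, KEY_LEN, ctx);
    }
    secure_zero(buf, KEY_LEN);              /* wipe on every path before release */
    free(buf);
    return rc;
}

/* Stand-in for the encrypt/decrypt step: checks that the right key arrived. */
static int expect_key(const uint8_t *key, size_t len, void *ctx)
{
    return (len == KEY_LEN && memcmp(key, ctx, KEY_LEN) == 0) ? KEY_OK : KEY_EBADREQ;
}

/* Registers one constructed key for application 0x1001 and runs one request. */
static int demo_request(uint32_t app_id, const uint8_t *token)
{
    uint8_t key[KEY_LEN], conv[KEY_LEN];
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(0x40 + i);       /* constructed key bytes */
    memcpy(conv, key, KEY_LEN);
    xor_convert(conv, KEY_LEN);
    kernel_count = 0;
    driver_store(0x1001, conv);
    return service_use_key(app_id, token, expect_key, key);
}

int main(void)
{
    printf("valid request:  %d\n", demo_request(0x1001, PRESET_TOKEN));
    printf("unknown app id: %d\n", demo_request(0x2002, PRESET_TOKEN));
    printf("wrong token:    %d\n", demo_request(0x1001, WRONG_TOKEN));
    return 0;
}
```

A preset string shared by every legitimate caller proves knowledge of the string, not the identity of the calling process.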
Fig. 3 is a schematic structural diagram of a key access apparatus according to an embodiment of the present invention, which includes a generating unit 31, a converting unit 32, a storing unit 33, and an obtaining unit 34;
a generating unit 31, configured to generate, when receiving the service data, an application identifier and key data corresponding to the service data according to a preset key generation rule;
a conversion unit 32, configured to perform format conversion on the key data according to a set algorithm;
a storage unit 33, configured to store the application identifier and the key data after format conversion to a kernel memory and a set physical hard disk;
the obtaining unit 34 is configured to obtain corresponding target key data from the kernel memory when a key obtaining request carrying a target application identifier sent by the service application program is obtained.
Optionally, the storage unit comprises a segmentation subunit and a storage subunit;
the segmentation subunit is used for carrying out segmentation processing on the key data after format conversion to obtain at least one data packet;
the storage subunit is used for storing each data packet into a corresponding file; all files are arranged on the physical hard disk, and the file attributes of all files are set to be hidden.
Optionally, a copy unit is also included;
and the copying unit is used for copying each data packet from the physical hard disk when the operating system is restarted, and storing each spliced data packet to the kernel memory.
Optionally, the obtaining unit includes a judging subunit and a copying subunit;
the judging subunit is used for judging whether target key data matched with the target application identifier exists in the kernel memory or not when a key acquisition request carrying the target application identifier and sent by the service application program is acquired; if yes, triggering the copy subunit;
and the copying subunit is used for copying the target key data to a user mode memory provided by the service application program.
Optionally, a release unit is further included;
the conversion unit is also used for carrying out format conversion on the target key data according to a set algorithm;
the release unit is configured to release the user mode memory after the encryption and decryption operation on the target service data has been completed using the format-converted target key data.
Optionally, a verification unit is further included;
the verification unit is used for verifying the validity of the key acquisition request according to a set verification rule; and after the verification is passed, triggering the acquisition unit to execute the step of acquiring the corresponding target key data from the kernel memory.
Optionally, the conversion unit is specifically configured to perform xor processing on the key data and a preset parameter, and use a processing result as the format-converted key data.
Optionally, the key generation rule is stored in a code obfuscation manner.
For the description of the features in the embodiment corresponding to fig. 3, reference may be made to the related description of the embodiments corresponding to fig. 1 and fig. 2, which is not repeated here.
According to the above technical solution, when service data is received, an application identifier and key data corresponding to the service data are generated according to a preset key generation rule, and the key data is format-converted according to a set algorithm. Format conversion changes the way the key data is represented, which improves the security of the key data. The application identifier and the format-converted key data are stored in the kernel memory and on a set physical hard disk, and when a key acquisition request carrying a target application identifier is received from a service application program, the corresponding target key data is obtained from the kernel memory. When the operating system starts, the kernel space is started before any application program, so storing the key data in the kernel memory protects it well from being damaged. Because data in the kernel memory is lost when the system loses power, the key data is also stored on the physical hard disk, which provides persistent storage. In this solution, storage of the key data relies only on the kernel memory and the physical hard disk of the operating system and needs no additional hardware, so the confidentiality and availability of the key data are ensured while the cost of protecting the key data is reduced.
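The store, restart and retrieve flow summarized above, as an added C sketch that is not code from the patent: the kernel memory and the hidden files are modelled as plain structs, and the packet size, the preset parameter 0x5A, the identifier 41 and the sample key are constructed assumptions. It shows that the XOR conversion is its own inverse, which is why the service application applies the same set algorithm again after the key is copied to user mode memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define KEY_LEN    16
#define CHUNK_LEN  6      /* assumed packet size; the page does not fix one */
#define MAX_CHUNKS ((KEY_LEN + CHUNK_LEN - 1) / CHUNK_LEN)
#define PRESET     0x5Au  /* constructed stand-in for the "preset parameter" */
struct packet       { uint8_t data[CHUNK_LEN]; size_t len; };
struct disk_store   { struct packet file[MAX_CHUNKS]; size_t count; };     /* models the hidden files */
struct kernel_entry { uint32_t app_id; uint8_t key[KEY_LEN]; int used; };  /* models kernel memory */

/* Format conversion: XOR with the preset parameter; applying it twice restores the input. */
static void convert(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] ^= PRESET;
}

/* Store the converted key in kernel memory and as packets, one per hidden "file". */
static void store_key(struct kernel_entry *k, struct disk_store *d, uint32_t app_id, const uint8_t *conv) {
    k->app_id = app_id; k->used = 1; d->count = 0;
    memcpy(k->key, conv, KEY_LEN);
    for (size_t off = 0; off < KEY_LEN; off += CHUNK_LEN) {
        size_t n = (KEY_LEN - off < CHUNK_LEN) ? KEY_LEN - off : CHUNK_LEN;
        memcpy(d->file[d->count].data, conv + off, n);
        d->file[d->count++].len = n;
    }
}

/* After a restart: splice the packets back into kernel memory. Returns 0 on success. */
static int reload(struct kernel_entry *k, const struct disk_store *d, uint32_t app_id) {
    uint8_t tmp[KEY_LEN]; size_t off = 0;
    for (size_t i = 0; i < d->count && i < MAX_CHUNKS; i++) {
        size_t n = d->file[i].len;
        if (n > CHUNK_LEN || n > KEY_LEN - off) return -1;   /* damaged packet */
        memcpy(tmp + off, d->file[i].data, n);
        off += n;
    }
    if (off != KEY_LEN) return -1;                           /* missing packet */
    k->app_id = app_id; k->used = 1;
    memcpy(k->key, tmp, KEY_LEN);
    return 0;
}

/* Key request: match the target identifier, then copy into the caller's buffer. */
static int get_key(const struct kernel_entry *k, uint32_t target_id, uint8_t *user_buf, size_t user_len) {
    if (!k->used || k->app_id != target_id || user_len < KEY_LEN) return -1;
    memcpy(user_buf, k->key, KEY_LEN);
    return 0;
}

/* Zeroing before release is this example's addition; the page only says "release". */
static void wipe(uint8_t *buf, size_t len) {
    for (volatile uint8_t *p = buf; len--; p++) *p = 0;
}

/* Full flow with a constructed key; returns 1 if the key survives a simulated restart. */
int key_round_trip(void) {
    const uint8_t key[KEY_LEN] = "constructed-key";   /* 15 chars + NUL = 16 bytes */
    uint8_t conv[KEY_LEN], user[KEY_LEN];
    struct kernel_entry k; struct disk_store d;
    memcpy(conv, key, KEY_LEN); convert(conv, KEY_LEN);
    store_key(&k, &d, 41, conv);
    memset(&k, 0, sizeof k);                          /* power loss clears kernel memory */
    if (reload(&k, &d, 41) != 0 || get_key(&k, 41, user, sizeof user) != 0) return 0;
    convert(user, KEY_LEN);                           /* reverse conversion in user mode */
    int ok = memcmp(user, key, KEY_LEN) == 0;
    wipe(user, sizeof user);
    return ok;
}
int main(void) { return key_round_trip() ? 0 : 1; }
```

The packets on disk hold the key XORed with a fixed byte, so the conversion changes only how the key is represented; anyone who knows the preset parameter can reverse it.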
Fig. 4 is a schematic structural diagram of a key access system 40 according to an embodiment of the present invention, which includes a service application module 41 and a filter driver module 42;
a service application module 41, configured to: generate, when service data is received, an application identifier and key data corresponding to the service data according to a preset key generation rule; perform format conversion on the key data according to a set algorithm; establish a communication connection with the filter driver module using a preset secure communication verification mechanism, and transmit the application identifier and the format-converted key data to the filter driver module; and, when a key acquisition instruction is obtained, send a key acquisition request carrying a target application identifier to the filter driver module;
a filter driver module 42, configured to store the application identifier and the format-converted key data in the kernel memory and on the set physical hard disk; and, when a key acquisition request carrying a target application identifier sent by a service application program is obtained, obtain the corresponding target key data from the kernel memory.
When the service application module 41 starts, it generates key data according to the key generation rule and connects to the filter driver module 42 through the preset secure communication verification mechanism. The service application module 41 sends the application identifier and the key data to the filter driver module 42. It does not store the key data itself, and requests the key data from the filter driver module 42 when the key is needed. The filter driver module 42 is integrated into the kernel of the operating system and runs with the operating system, so upper-layer application programs cannot perceive the key data, which effectively ensures the security of the key data.
After the filter driver module 42 starts, it is removed from the linked list of kernel modules, so that no application other than the service application module 41 can find the filter driver module 42 or communicate with it.
The application identifier and the key data are stored in the kernel memory of the filter driver module 42, and the key data is also stored in blocks in designated hidden files on the physical hard disk. The filter driver module 42 can intercept all accesses to the files that store the key data, which improves the security of key data storage.
In the embodiment of the present invention, when the service application module 41 obtains and uses the key data, an anti-debugging technique may be adopted to prevent an illegal user from using a debugger to obtain the key data that is dynamically placed in the user mode memory before it is used.
Fig. 5 is a schematic structural diagram of a key access device 50 according to an embodiment of the present invention, including:
a memory 51 for storing a computer program;
a processor 52 for executing a computer program for implementing the steps of the key access method according to any one of the above embodiments.
The embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the key access method according to any one of the above embodiments.
The above describes in detail a key access method, device, system, apparatus, and storage medium provided by the embodiments of the present invention. The embodiments are described in a progressive manner in the specification: each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar the embodiments may be referred to one another. The device disclosed in an embodiment corresponds to the method disclosed in that embodiment, so its description is brief, and the relevant points can be found in the description of the method. It should be noted that those skilled in the art can make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.
Those of skill in the art will further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

Claims (19)

1. A method for key access, comprising:
when business data are received, generating an application identifier and key data corresponding to the business data according to a preset key generation rule;
carrying out format conversion on the key data according to a set algorithm;
storing the application identifier and the key data after format conversion into a kernel memory and a set physical hard disk;
and when a key acquisition request carrying a target application identifier sent by a service application program is acquired, acquiring corresponding target key data from a kernel memory.
2. The method according to claim 1, wherein the storing the application identifier and the format-converted key data into a set physical hard disk comprises:
carrying out segmentation processing on the key data after format conversion to obtain at least one data packet;
storing each data packet into a corresponding file; all files are arranged on the physical hard disk, and the file attributes of all files are set to be hidden.
3. The method of claim 2, wherein after storing the application identifier and the format-converted key data to a kernel memory and a configured physical hard disk, the method further comprises:
when the operating system is restarted, copying each data packet from the physical hard disk, and storing each spliced data packet to the kernel memory.
4. The method according to claim 3, wherein when acquiring the key acquisition request carrying the target application identifier sent by the service application program, acquiring the corresponding target key data from the kernel memory comprises:
when a key acquisition request carrying a target application identifier sent by a service application program is acquired, judging whether target key data matched with the target application identifier exists in a kernel memory;
and if so, copying the target key data to a user mode memory provided by the service application program.
5. The method of claim 4, further comprising, after copying the target key data into user mode memory provided by the business application:
carrying out format conversion on the target key data according to the set algorithm;
and releasing the user mode memory after completing the encryption and decryption operation on the target service data by using the target key data after format conversion.
6. The method according to claim 1, wherein after acquiring the key acquisition request carrying the target application identifier sent by the service application program, before acquiring the corresponding target key data from the kernel memory, further comprises:
according to a set verification rule, performing validity verification on the key acquisition request;
and after the verification is passed, executing the step of acquiring the corresponding target key data from the kernel memory.
7. The method of claim 1, wherein the format converting the key data according to the set algorithm comprises:
and performing exclusive OR processing on the key data and preset parameters, and taking a processing result as the key data after format conversion.
8. The method according to any of claims 1-7, wherein the key generation rules are stored in a code obfuscation manner.
9. A key access device, characterized by comprising a generating unit, a conversion unit, a storage unit and an acquiring unit;
the generation unit is used for generating an application identifier and key data corresponding to the service data according to a preset key generation rule when the service data are received;
the conversion unit is used for carrying out format conversion on the key data according to a set algorithm;
the storage unit is used for storing the application identifier and the key data after format conversion into a kernel memory and a set physical hard disk;
the acquiring unit is used for acquiring corresponding target key data from the kernel memory when acquiring a key acquiring request which is sent by the service application program and carries a target application identifier.
10. The apparatus of claim 9, wherein the storage unit comprises a segmentation subunit and a storage subunit;
the segmentation subunit is configured to perform segmentation processing on the format-converted key data to obtain at least one data packet;
the storage subunit is configured to store each data packet into a corresponding file; all files are arranged on the physical hard disk, and the file attributes of all files are set to be hidden.
11. The apparatus of claim 10, further comprising a copy unit;
and the copying unit is used for copying each data packet from the physical hard disk when the operating device is restarted, and storing each spliced data packet to the kernel memory.
12. The apparatus of claim 11, wherein the obtaining unit comprises a judging subunit and a copying subunit;
the judging subunit is configured to, when a key acquisition request carrying a target application identifier sent by a service application program is acquired, judge whether target key data matching the target application identifier exists in a kernel memory; if yes, triggering the copy subunit;
and the copying subunit is configured to copy the target key data to a user mode memory provided by the service application program.
13. The apparatus of claim 12, further comprising a release unit;
the conversion unit is also used for carrying out format conversion on the target key data according to the set algorithm;
and the release unit is used for releasing the user mode memory after the encryption and decryption operation on the target service data is completed by using the target key data after the format conversion.
14. The apparatus of claim 9, further comprising a verification unit;
the verification unit is used for verifying the validity of the key acquisition request according to a set verification rule; and triggering the acquisition unit to execute the step of acquiring the corresponding target key data from the kernel memory after the verification is passed.
15. The apparatus according to claim 9, wherein the conversion unit is specifically configured to perform xor processing on the key data and a preset parameter, and use a processing result as the format-converted key data.
16. The apparatus of any one of claims 9-15, wherein the key generation rules are stored in a code obfuscation manner.
17. A key access system, characterized by comprising a service application module and a filter driver module;
the service application module is used for generating an application identifier and key data corresponding to the service data according to a preset key generation rule when the service data are received; carrying out format conversion on the key data according to a set algorithm; establishing a communication connection with the filter driver module by using a preset secure communication verification mechanism, and transmitting the application identifier and the key data after format conversion to the filter driver module; when a key acquisition instruction is acquired, sending a key acquisition request carrying a target application identifier to the filter driver module;
the filter driver module is used for storing the application identifier and the key data after format conversion into a kernel memory and a set physical hard disk; and when a key acquisition request carrying a target application identifier sent by a service application program is acquired, acquiring corresponding target key data from a kernel memory.
18. A key access device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to carry out the steps of the key access method according to any one of claims 1 to 8.
19. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the key access method according to any one of claims 1 to 8.
CN202010108469.2A 2020-02-21 2020-02-21 Key access method, device, system, equipment and storage medium Withdrawn CN111339578A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010108469.2A CN111339578A (en) 2020-02-21 2020-02-21 Key access method, device, system, equipment and storage medium
PCT/CN2020/098033 WO2021164167A1 (en) 2020-02-21 2020-06-24 Key access method, apparatus, system and device, and storage medium

Publications (1)

Publication Number Publication Date
CN111339578A (en) 2020-06-26

Family

ID=71184227

Country Status (2)

Country Link
CN (1) CN111339578A (en)
WO (1) WO2021164167A1 (en)


Publication number Publication date
WO2021164167A1 (en) 2021-08-26

Similar Documents

Publication Publication Date Title
WO2021164166A1 (en) Service data protection method, apparatus and device, and readable storage medium
US20150012748A1 (en) Method And System For Protecting Data
CN202795383U (en) Device and system for protecting data
KR101729960B1 (en) Method and Apparatus for authenticating and managing an application using trusted platform module
US20140351583A1 (en) Method of implementing a right over a content
US10635826B2 (en) System and method for securing data in a storage medium
CN110543775B (en) Data security protection method and system based on super-fusion concept
CN114942729A (en) Data safety storage and reading method for computer system
KR101107056B1 (en) Method for protecting important information of virtual machine in cloud computing environment
US11082222B2 (en) Secure data management
CN111339578A (en) Key access method, device, system, equipment and storage medium
CN111475844A (en) Data sharing method, device, equipment and computer readable storage medium
CN108154037B (en) Inter-process data transmission method and device
CN114915503A (en) Data stream splitting processing encryption method based on security chip and security chip device
US10686592B1 (en) System and method to provide a secure communication of information
CN112416526A (en) Direct storage access method, device and related equipment
CN112363800A (en) Network card memory access method, security processor, network card and electronic equipment
US20160063264A1 (en) Method for securing a plurality of contents in mobile environment, and a security file using the same
KR20160102915A (en) Security platform management device for smart work based on mobile virtualization
CN115361140B (en) Method and device for verifying security chip key
KR101474744B1 (en) Apparatus and method for managing usim data of device by using mobile trusted module
KR102618922B1 (en) Apparatus and method for Preventing SW reverse engineering of embedded system
CN116566642B (en) Privacy protection system and method based on cloud server crypto machine
CN112564888B (en) Method and equipment for deploying private cloud
US11784978B2 (en) Method for establishing remote work environment to ensure security of remote work user terminal and apparatus using the same

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20200626