CN111464301A - Key management method and system - Google Patents

Publication number: CN111464301A
Authority: CN (China)
Prior art keywords: key, password, client, ciphertext, server
Legal status: Granted (Active)
Application number: CN202010351744.3A
Other languages: Chinese (zh)
Other versions: CN111464301B (en)
Inventors: 雷宗华, 穆佩红, 彭金辉, 李鑫, 周吉祥, 卫志刚
Current Assignee: Zhengzhou Xinda Jiean Information Technology Co Ltd
Original Assignee: Zhengzhou Xinda Jiean Information Technology Co Ltd
Application filed by: Zhengzhou Xinda Jiean Information Technology Co Ltd
Priority to: CN202010351744.3A
Publications: CN111464301A (application), CN111464301B (grant)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a key management method comprising the following steps. During original initialization, a master key is encrypted with a white-box protection key to obtain a first ciphertext; the white-box protection key is encrypted with a password-derived key to obtain a second ciphertext; and the first user private key component is encrypted with the master key and stored. When the secure channel is established, the client and the server obtain a communication key through negotiation and establish the secure channel. During key updating, the second ciphertext is decrypted with the password-derived key of the current password to obtain the white-box protection key, the white-box protection key is encrypted with the password-derived key of the new password, and the second ciphertext is replaced with the resulting ciphertext of the white-box protection key. During local key decryption, the second ciphertext is decrypted with the password-derived key of the new password to obtain the white-box protection key; the first ciphertext is decrypted with the white-box protection key to obtain the master key; and the ciphertext of the user key component is decrypted with the master key to obtain the user key component.

Description

Key management method and system
Technical Field
The invention relates to the technical field of secure communication, in particular to a key management method and a key management system.
Background
Cryptography is the foundational technology of information security, and the key is the core element on which the secure application of cryptography depends. With the rapid and comprehensive development of the information industry in China, key management systems based on asymmetric and symmetric key systems have also entered a stage of comprehensive construction. The security of a key management system depends on the security of its keys: once a key is disclosed, the system no longer provides confidentiality. Furthermore, keys are the variable part of a cryptographic system, so key management is a central problem in the design of any cryptographic system.
At present, key management schemes in the prior art work as follows. On one hand, the various keys are stored in an encryption card or an encryption-chip hard disk, and in use the internal operations of the encryption card or encryption chip are called directly through the relevant interface. On the other hand, to protect the user's private key, the private key is usually stored and used in dedicated cryptographic hardware such as a USB Key or SmartCard, from which it cannot be exported.
However, under certain constraints and in application scenarios with higher security requirements, how to ensure the security of keys when no encryption card or encryption chip is available is a problem that urgently needs to be solved.
Disclosure of Invention
The present invention addresses the above problems, and it is desirable to provide a key management method capable of effectively ensuring the security of a key.
The first aspect of the present invention provides a key management method, where the key management method includes: the method comprises the steps of an original initialization process, a secure channel establishment process, a key updating process and a local key decryption process;
the original initialization process:
the client uses a password derivation algorithm to derive an initial password to obtain a password derivation key, and stores the HASH value of the initial password to the server;
the client acquires a first random number as a white-box protection key, acquires a second random number as a master key, encrypts the master key through the white-box protection key to obtain a first ciphertext, encrypts the white-box protection key through the password derivation key to obtain a second ciphertext, and stores the first ciphertext and the second ciphertext into a software cryptographic module;
the client generates a first user private key component, and encrypts and stores the first user private key component into the software password module through the master key; the server generates a second user private key component, and encrypts and stores the second user private key component through a hardware password module; the client and the server cooperatively generate a user public key;
the secure channel establishing process:
the client receives an initial password and initiates a connection request to the server, wherein the connection request is related to the initial password;
after receiving the connection request and verifying the initial password, the server performs key agreement with the client to obtain a communication key, and establishes a secure channel for communication between the client and the server;
the key updating process comprises the following steps:
the client receives a current password and a new password, encrypts a HASH value of the current password by using the communication key and then sends the encrypted HASH value to the server through the secure channel;
the server decrypts the encrypted HASH value of the current password by using the communication key, and compares the encrypted HASH value with the stored HASH value of the current password for verification;
after the verification is passed, the client encrypts the HASH value of the new password by using the communication key and then sends the encrypted HASH value to the server through the secure channel;
the server decrypts the encrypted HASH value of the new password by using the communication key, and updates the HASH value of the current password by using the HASH value of the new password;
the client side uses a password derivation algorithm to derive the current password and the new password to obtain a current password derived key and a new password derived key, decrypts the second ciphertext through the current password derived key to obtain a white-box protection key, encrypts the white-box protection key through the new password derived key, and updates the second ciphertext by using the ciphertext of the white-box protection key obtained through encryption;
the local key decryption process:
the client receives a new password, derives the new password by using a password derivation algorithm to obtain a new password derivation key, decrypts the second ciphertext by using the new password derivation key to obtain a white box protection key, and decrypts the first ciphertext by using the white box protection key to obtain the master key;
the client decrypts the ciphertext of the first user private key component through the master key to obtain the first user private key component;
the server side decrypts the ciphertext of the second user private key component through the hardware password module to obtain the second user private key component;
and the client and the server perform related cryptographic service through the first user private key component, the second user private key component and the user public key generated by the cooperation of the two parties.
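The client-side key hierarchy described above (initialization, key update and local key decryption) can be sketched as follows. This is an added example, not code from the patent: the patent names neither the derivation nor the encryption algorithm, so PBKDF2-HMAC-SHA256 with a stored random salt, the HMAC-based encrypt-then-MAC `wrap`/`unwrap` stand-in, and all function and field names are assumptions. The white-box lookup table and the server-side steps are not modelled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ITERATIONS = 200_000  # assumption: the patent does not name the algorithm


def derive_password_key(password: str, salt: bytes) -> bytes:
    """Password-derived key: recomputed from the password on each use, never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one wrapping key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Stdlib-only encrypt-then-MAC stand-in; a real module would use an
    authenticated cipher such as AES-GCM or a standard key-wrap mode."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, stream))
    return body + hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key (wrong password) raises ValueError."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    nonce, ciphertext = body[:16], body[16:]
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


@dataclass
class SoftwareModuleStore:
    """What the software cryptographic module persists (field names are hypothetical)."""
    salt: bytes                  # assumption: per-user KDF salt, stored in the clear
    first_ciphertext: bytes      # master key under the white-box protection key
    second_ciphertext: bytes     # white-box protection key under the password-derived key
    component_ciphertext: bytes  # first user private key component under the master key


def initialize(password: str, component_1: bytes) -> SoftwareModuleStore:
    """Original initialization: build the three-level hierarchy."""
    salt = secrets.token_bytes(16)
    white_box_key = secrets.token_bytes(32)  # "first random number"
    master_key = secrets.token_bytes(32)     # "second random number"
    return SoftwareModuleStore(
        salt=salt,
        first_ciphertext=wrap(white_box_key, master_key),
        second_ciphertext=wrap(derive_password_key(password, salt), white_box_key),
        component_ciphertext=wrap(master_key, component_1),
    )


def change_password(store: SoftwareModuleStore, current: str, new: str) -> None:
    """Key update: only the second ciphertext (and the salt) is rewritten."""
    white_box_key = unwrap(derive_password_key(current, store.salt),
                           store.second_ciphertext)  # raises if `current` is wrong
    new_salt = secrets.token_bytes(16)
    new_second = wrap(derive_password_key(new, new_salt), white_box_key)
    store.salt, store.second_ciphertext = new_salt, new_second


def unlock(store: SoftwareModuleStore, password: str) -> bytes:
    """Local key decryption: password -> white-box key -> master key -> component."""
    white_box_key = unwrap(derive_password_key(password, store.salt),
                           store.second_ciphertext)
    master_key = unwrap(white_box_key, store.first_ciphertext)
    return unwrap(master_key, store.component_ciphertext)
```

Because the password-derived key only wraps the white-box protection key, a password change leaves the first ciphertext and every ciphertext under the master key untouched.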
Further, in the process of decrypting the local key, after the client decrypts the first ciphertext by using the white-box protection key to obtain the master key, the method further includes: and the client decrypts the ciphertext of the line protection key, the external authentication key and the internal authentication key through the master key to obtain the plaintext of the line protection key, the external authentication key and the internal authentication key to perform the cipher service related to the external application.
Further, the original initialization process further includes: the client conceals and embeds the round keys obtained by expanding the master key into a composite lookup table, compiles the table into binary code form, and thereby builds a white box that protects the master key.
Further, in the process of establishing the secure channel, the connection request includes the initial password and a first digest value ciphertext of the initial password; the generating process of the first digest value ciphertext of the initial password specifically includes: the server side uses a password derivation algorithm to derive the initial password to obtain a password derivation key, and encrypts the HASH value of the initial password through the password derivation key to generate a first digest value ciphertext of the initial password;
the step of verifying the initial password by the server comprises the following steps: and the server side uses a password derivation algorithm to derive the initial password to obtain a password derivation key, encrypts the stored HASH value of the initial password through the password derivation key to generate a second digest value ciphertext of the initial password, and compares the second digest value ciphertext with the received first digest value ciphertext to verify the initial password.
Further, in the process of establishing the secure channel, obtaining the communication key after the key agreement between the client and the server specifically includes:
the server encrypts the acquired random number I by using the password derivative key generated by derivation to generate a cipher text of the random number I, and sends the cipher text of the random number I and the digital certificate of the server to the client;
the client verifies the validity of the digital certificate of the server, decrypts the ciphertext of the random number I by using the password derivative key generated by derivation after the verification is passed to obtain the random number I, and then obtains a random number II and a random number III from the client;
the client calculates the random number I, the random number II and the random number III to obtain a communication key, encrypts the communication key by using the user public key and then sends the encrypted communication key to the server;
the server decrypts the ciphertext of the communication key by using the user private key component to obtain the communication key, encrypts the communication key by using the user public key and then sends the encrypted communication key to the server;
and the client and the server decrypt the ciphertext of the communication key respectively through the cooperation of the first user private key component and the second user private key component to obtain the communication key.
The invention also provides a key management system, which comprises a client and a server, wherein the client is provided with a software password module, and the server is provided with a hardware password module;
in the original initialization process:
the client is used for deriving an initial password by using a password derivation algorithm to obtain a password-derived key and storing the HASH value of the initial password to the server; for acquiring a first random number as a white-box protection key and acquiring a second random number as a master key; for encrypting the master key through the white-box protection key to obtain a first ciphertext; for encrypting the white-box protection key through the password-derived key to obtain a second ciphertext; for storing the first ciphertext and the second ciphertext into the software cryptographic module; for generating a first user private key component and generating a user public key in cooperation with the server; and for storing the first user private key component, encrypted by the master key, in the software cryptographic module;
the server is used for receiving and storing the HASH value of the initial password; for generating a second user private key component and generating a user public key in cooperation with the client; and for encrypting and storing the second user private key component through the hardware cryptographic module;
in the process of establishing the secure channel:
the client is used for initiating a connection request to the server after receiving an initial password, wherein the connection request is related to the initial password;
the server is used for receiving the connection request, verifying the initial password, performing key agreement with the client to obtain a communication key, and establishing a secure channel for communication between the client and the server;
in the key update process:
the client is used for receiving a current password and a new password, encrypting the HASH value of the current password by using the communication key and then sending the encrypted HASH value to the server through the secure channel;
the server is used for decrypting the encrypted HASH value of the current password by using the communication key and then comparing and verifying the encrypted HASH value with the stored HASH value of the current password;
the client is further used for encrypting the HASH value of the new password by using the communication key through the secure channel and then sending the encrypted HASH value to the server;
the server is further configured to decrypt the encrypted HASH value of the new password by using the communication key, store the HASH value of the new password, and delete the HASH value of the current password;
the client is used for deriving the current password and the new password by using a password derivation algorithm to obtain a current password-derived key and a new password-derived key; for decrypting the second ciphertext through the current password-derived key to obtain the white-box protection key; and for encrypting the white-box protection key through the new password-derived key and updating the second ciphertext with the ciphertext of the white-box protection key obtained through encryption;
in the local key decryption process:
the client is used for receiving a new password, deriving the new password by using a password derivation algorithm to obtain a new password-derived key, and decrypting the second ciphertext by using the new password-derived key to obtain the white-box protection key; for decrypting the first ciphertext through the white-box protection key to obtain the master key; and for decrypting the ciphertext of the first user private key component through the master key to obtain the first user private key component;
the server side is used for decrypting the ciphertext of the second user private key component through the hardware password module to obtain the second user private key component;
and the client and the server perform related cryptographic service through the first user private key component, the second user private key component and the user public key generated by the cooperation of the two parties.
Further, in the original initialization process, the client is further configured to obtain a third random number as a line protection key, obtain a fourth random number as an internal authentication key, obtain a fifth random number as an external authentication key, encrypt the line protection key, the internal authentication key, and the external authentication key with the master key respectively, and store the encrypted line protection key, the encrypted internal authentication key, and the encrypted external authentication key in the software cryptographic module; and for generating a session key by a pseudo-random number generator internal to the software cryptographic module;
further, in the process of decrypting the local key, the client is further configured to decrypt the ciphertext of the line protection key, the external authentication key, and the internal authentication key through the master key, and obtain the plaintext of the line protection key, the external authentication key, and the internal authentication key to perform the cryptographic service related to the external application.
Further, the original initialization process further includes: the client conceals and embeds the round keys obtained by expanding the master key into a composite lookup table, compiles the table into binary code form, and thereby builds a white box that protects the master key.
The invention has prominent substantive features and represents notable progress, specifically:
(1) the invention protects the master key by encrypting it with the white-box protection key; protects the white-box protection key by encrypting it with the password-derived key; and protects the first user private key component, the line protection key, the internal authentication key and the external authentication key by encrypting them with the master key; this realizes hierarchical protection of the keys and ensures their security;
(2) in the invention, the password-derived key is generated by derivation from the password; it is not stored, the password is only memorized by the user, and a third party cannot obtain the password-derived key directly from the software cryptographic module or from the host of the software cryptographic module; encrypting the white-box protection key with the password-derived key therefore improves the security of the white-box protection key; because the master key is encrypted by this better-protected white-box protection key, and the first user private key component, the line protection key, the internal authentication key and the external authentication key are in turn encrypted by the better-protected master key, the security of those keys is improved as well;
(3) the client decrypts the second ciphertext through the password-derived key of the initial password to obtain the white-box protection key, encrypts the white-box protection key through the password-derived key of the new password, and updates the second ciphertext with the resulting ciphertext of the white-box protection key; consequently, each time the user changes the password, only the ciphertext of the white-box protection key needs to be modified, and neither the master key nor the other keys encrypted by the master key need to change;
(4) the software cryptographic module runs on the client in software form, and the user private key components are encrypted and stored separately on the client and the server, so that cooperative signature and cooperative decryption are realized in use, the complete private key never appears on the client, and the security of the private key is improved;
(5) the master key is protected by a white-box design, so that the complete key does not appear in memory, and the security of the key is ensured;
(6) the key management service provided by the software cryptographic module has the characteristics of strong universality, convenience in updating and the like, is suitable for various application scenes and ensures the safety;
(7) the client and the server adopt the password derived key to encrypt the related information in the password verification and communication key negotiation process, so as to obtain a communication key, establish a secure channel and realize the encryption protection of the communication information between the client and the server by adopting the communication key through the secure channel.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a flow chart illustrating an original initialization procedure in a key management method according to the present invention;
FIG. 2 is a flow chart of a process for establishing a secure channel in a key management method according to the present invention;
FIG. 3 is a flow chart of a key update process in a key management method of the present invention;
FIG. 4 is a flow chart illustrating a local key decryption process in a key management method of the present invention;
FIG. 5 is a diagram illustrating a key architecture in a key management system of the present invention;
FIG. 6 is a schematic block diagram of a key management system of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It will be understood that when an element is referred to as being "connected" to another element, it can be directly connected to the other element or intervening elements may also be present.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
The software cryptographic module provides key security and algorithm security without additional hardware equipment. It runs on the terminal in software form and can greatly improve the security of terminal applications; key storage and cryptographic operations are all performed by the software cryptographic module, which ensures the security of key storage and key use.
As shown in FIG. 1, FIG. 2, FIG. 3, FIG. 4, and FIG. 5, a first aspect of the present invention provides a key management method, which comprises an original initialization process, a secure channel establishment process, a key updating process and a local key decryption process;
the original initialization process:
the client uses a password derivation algorithm to derive an initial password to obtain a password derivation key, and stores the HASH value of the initial password to the server;
the client acquires a first random number as a white-box protection key, acquires a second random number as a master key, encrypts the master key through the white-box protection key to obtain a first ciphertext, encrypts the white-box protection key through the password derivation key to obtain a second ciphertext, and stores the first ciphertext and the second ciphertext into a software cryptographic module;
the client generates a first user private key component, encrypts it with the master key and stores it in the software cryptographic module; the server generates a second user private key component, and encrypts and stores it through a hardware cryptographic module; the client and the server cooperatively generate a user public key;
the secure channel establishing process:
the client receives an initial password, logs in to the software cryptographic module, and then initiates a connection request to the server, wherein the connection request is related to the initial password;
after receiving the connection request and verifying the initial password, the server performs key agreement with the client to obtain a communication key, and establishes a secure channel for communication between the client and the server;
the key updating process comprises the following steps:
the client receives a current password and a new password, encrypts a HASH value of the current password by using the communication key and then sends the encrypted HASH value to the server through the secure channel;
the server decrypts the encrypted HASH value of the current password by using the communication key, and compares the decrypted HASH value with the stored HASH value of the current password for verification;
after the verification is passed, the client encrypts the HASH value of the new password by using the communication key and then sends the encrypted HASH value to the server through the secure channel;
the server decrypts the encrypted HASH value of the new password by using the communication key, and updates the HASH value of the current password by using the HASH value of the new password;
the client side uses a password derivation algorithm to derive the current password and the new password to obtain a current password derived key and a new password derived key, decrypts the second ciphertext through the current password derived key to obtain a white-box protection key, encrypts the white-box protection key through the new password derived key, and updates the second ciphertext by using the ciphertext of the white-box protection key obtained through encryption;
the local key decryption process:
the client receives a new password, derives the new password by using a password derivation algorithm to obtain a new password derivation key, decrypts the second ciphertext by using the new password derivation key to obtain a white box protection key, and decrypts the first ciphertext by using the white box protection key to obtain the master key;
the client decrypts the ciphertext of the first user private key component through the master key to obtain the first user private key component;
the server decrypts the ciphertext of the second user private key component through the hardware cryptographic module to obtain the second user private key component;
and the client and the server perform related cryptographic service through the first user private key component, the second user private key component and the user public key generated by the cooperation of the two parties.
The key updating process can be carried out periodically or whenever the user chooses, according to the user's needs; dynamically updating the key improves the security of the key system.
It can be understood that: the key updating process can occur before the key using process or after the key using process; if the key is not updated between the two key using processes, when the key is used for the next time, the received current password is consistent with the current password received when the key is used for the last time; if the key is updated between the two key using processes, the current password received during the next key using process is the new password input during the key updating process.
When updating the key, if the key is updated for the first time, the initial password is the current password, and the HASH value of the initial password is the HASH value of the current password; if the key is not updated for the first time, the new password input during the last key updating is the current password, and the HASH value of the new password input during the last key updating is the HASH value of the current password.
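The initialization, key update and local key decryption steps above, as an added sketch that is not code from the patent. PBKDF2-HMAC-SHA256, SHA-256 and an HMAC-based encrypt-then-MAC wrap are assumed stand-ins for the unnamed password derivation algorithm, HASH and symmetric cipher; the per-password salt, the field names and the random placeholder for the first user private key component are also assumptions, and the secure-channel encryption of the HASH values is omitted.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # assumed work factor; the text names no KDF parameters


def derive_key(password: str, salt: bytes) -> bytes:
    """Password derivation: password -> password-derived key (never stored)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used only as a stdlib stand-in cipher."""
    out, counter = b"", 0
    while len(out) < length:
        block = b"enc" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC key wrap: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, so a wrong password fails instead of yielding junk."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def initialize(password: str) -> tuple[dict, dict]:
    """Original initialization: returns (software module store, server record)."""
    salt = os.urandom(16)
    white_box_key = os.urandom(32)  # first random number
    master_key = os.urandom(32)     # second random number
    component_one = os.urandom(32)  # placeholder for the first private key component
    module = {
        "salt": salt,
        "first_ciphertext": wrap(white_box_key, master_key),
        "second_ciphertext": wrap(derive_key(password, salt), white_box_key),
        "component_one_ct": wrap(master_key, component_one),
    }
    server = {"password_hash": hashlib.sha256(password.encode()).digest()}
    return module, server


def unlock(module: dict, password: str) -> dict:
    """Local key decryption: password -> white-box key -> master key -> component."""
    pdk = derive_key(password, module["salt"])
    white_box_key = unwrap(pdk, module["second_ciphertext"])
    master_key = unwrap(white_box_key, module["first_ciphertext"])
    component_one = unwrap(master_key, module["component_one_ct"])
    return {"master_key": master_key, "component_one": component_one}


def change_password(module: dict, server: dict, current: str, new: str) -> None:
    """Key update: the server checks the current HASH, then only the second
    ciphertext (the wrapped white-box protection key) is replaced."""
    current_hash = hashlib.sha256(current.encode()).digest()
    if not hmac.compare_digest(current_hash, server["password_hash"]):
        raise PermissionError("current password rejected by server")
    # Unwrap before touching any state, so a failure leaves both sides unchanged.
    pdk = derive_key(current, module["salt"])
    white_box_key = unwrap(pdk, module["second_ciphertext"])
    new_salt = os.urandom(16)
    module["second_ciphertext"] = wrap(derive_key(new, new_salt), white_box_key)
    module["salt"] = new_salt
    server["password_hash"] = hashlib.sha256(new.encode()).digest()
```

After `change_password`, the first ciphertext and every master-key-wrapped item are byte-for-byte unchanged, which is the property the hierarchy is designed to give.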
It should be noted that the core main body of the software cryptographic module is an SDK, and provides cryptographic services to the user with the assistance of the server.
In practical application, to solve the problem of securely storing the local private key of a software cryptographic module, the ideas of key splitting and collaborative signing are introduced so that the complete signing private key never appears at the terminal; when generating the SM2 signing key pair, the client and the server each generate a private key component and cooperatively generate the public key. Neither the client nor the server holds the complete private key, and they must cooperate to complete a signature.
Specifically, in the original initialization process, the method further includes: the client acquires a third random number as a line protection key, a fourth random number as an internal authentication key and a fifth random number as an external authentication key;
the client encrypts the line protection key, the internal authentication key and the external authentication key respectively by using the master key and stores the encrypted keys into the software cryptographic module; and
the client generates a session key through a pseudo-random number generator inside the software cryptographic module.
Specifically, in the process of decrypting the local key, after the client decrypts the first ciphertext by using the white-box protection key to obtain the master key, the method further includes: the client decrypts the ciphertexts of the line protection key, the external authentication key and the internal authentication key through the master key to obtain the line protection key, the external authentication key and the internal authentication key, which are used for cryptographic services related to external applications.
Specifically, the original initialization process further includes: the client hides the round keys obtained by expanding the master key by embedding them in composite lookup tables, and compiles the tables into binary code to form a white box that protects the master key.
It should be noted that the purpose of a white-box cipher is to protect the algorithm's key information in a white-box attack environment and to prevent an attacker from extracting the key information while the cryptographic software executes. A transformation expressed as composite lookup tables is introduced into each round of the transformation from plaintext to ciphertext, so that the cryptographic algorithm is executed through table lookups; the lookup tables depend on the key, the key is hidden inside them, and the key is protected through the composition of the lookup tables. In practice, the SM4 cryptographic algorithm is modified using white-box cryptographic techniques so that the key does not appear in the memory of the runtime environment during operation, which prevents an illegitimate program from obtaining the encryption and decryption key and protects the encryption and decryption process and the data.
Specifically, in the process of establishing the secure channel, the connection request includes the initial password and a first digest value ciphertext of the initial password; the generating process of the first digest value ciphertext of the initial password specifically includes: the server side uses a password derivation algorithm to derive the initial password to obtain a password derivation key, and encrypts the HASH value of the initial password through the password derivation key to generate a first digest value ciphertext of the initial password;
the step of verifying the initial password by the server comprises the following steps: and the server side uses a password derivation algorithm to derive the initial password to obtain a password derivation key, encrypts the stored HASH value of the initial password through the password derivation key to generate a second digest value ciphertext of the initial password, and compares the second digest value ciphertext with the received first digest value ciphertext to verify the initial password.
Specifically, in the process of establishing the secure channel, obtaining the communication key after the key agreement between the client and the server specifically includes:
the server encrypts the acquired random number I by using the password derivative key generated by derivation to generate a cipher text of the random number I, and sends the cipher text of the random number I and the digital certificate of the server to the client;
the client verifies the validity of the digital certificate of the server, decrypts the ciphertext of the random number I by using the password derivative key generated by derivation after the verification is passed to obtain the random number I, and then obtains a random number II and a random number III from the client;
the client calculates the random number I, the random number II and the random number III to obtain a communication key, encrypts the communication key by using the user public key and then sends the encrypted communication key to the server;
the server side decrypts the ciphertext of the communication key by using the user private key component to obtain the communication key, encrypts the communication key by using the user public key and then sends the encrypted communication key to the server side;
and the client and the server decrypt the ciphertext of the communication key respectively through the cooperation of the first user private key component and the second user private key component to obtain the communication key.
It should be noted that the white-box protection key, the master key, the line protection key, the internal authentication key and the external authentication key are all generated and imported in a secure environment during initialization of the software cryptographic module and cannot be exported; the communication key is generated by negotiation with the server when the software cryptographic module is powered on and initialized, and cannot be exported; the public key of the user key supports plaintext export, while export of the private key components is prohibited; the session key supports external import by means of a digital envelope and does not support export.
The password-derived key is updated when the user changes the password; the white-box protection key, the master key, the line protection key, the internal authentication key and the external authentication key do not support updating or destruction; the communication key is updated each time the software cryptographic module is powered on and initialized; when the user key components (the first user private key component and the second user private key component) are updated, the old key components are destroyed; the session key supports being updated once per session.
The password derived key, the white box protection key, the master key, the line protection key, the internal authentication key, the external authentication key, the communication key and the session key are all symmetric algorithm keys; the user key component is an asymmetric algorithm key.
The user key component is used for providing data encryption and decryption and data signature password services; the line protection key is used for data encryption transmission between an application program and the software cryptographic module, the external authentication key is used for authenticating external equipment by the software cryptographic module, and the internal authentication key is used for authenticating the software cryptographic module by the external equipment; the communication key is used for encrypting and decrypting communication data between the client and the server; the session key is used to provide data encryption and decryption services when a session is in progress.
The invention has the beneficial effects that: (1) the invention carries out encryption protection on the main key through the white box protection key; encrypting and protecting the white box protection key by a password derived key; encrypting and protecting the user key component, the line protection key, the internal authentication key and the external authentication key through the master key; thereby realizing the hierarchical protection of the secret key and ensuring the safety of the secret key;
(2) in the invention, the password derived key is generated by password derivation, is not stored and is only memorized by a user, and a third party cannot directly obtain the password derived key from the software password module or a host machine of the software password module; therefore, the white box protection key is encrypted by using password derived key encryption, so that the security of the white box protection key is improved; the security of the user key, the line protection key, the internal authentication key and the external authentication key is also improved by encrypting the main key with improved security by the white box protection key and encrypting the user key, the line protection key, the internal authentication key and the external authentication key by the main key with improved security;
(3) the client side decrypts the second ciphertext through the password derivative key of the initial password to obtain the white box protection key, encrypts the white box protection key through the new password derivative key of the new password to obtain a third ciphertext to replace the second ciphertext, and can ensure that only the ciphertext of the white box protection key needs to be modified after a user modifies the password each time without modifying a main key and modifying other keys encrypted by using the main key;
(4) the software password module runs on the client in a software form, and encrypts and stores the user key components on the client and the server respectively, so that cooperative signature and cooperative decryption are realized during application, a private key cannot be completely presented on the client, and the security of the key is improved;
(5) the main key is modified and protected by adopting a white box design scheme, so that a complete key does not appear in a memory, and the security of the key is ensured;
(6) the key management service provided by the software cryptographic module has the characteristics of strong universality, convenience in updating and the like, is suitable for various application scenes and ensures the safety;
(7) the client and the server adopt the password derived key to encrypt the related information in the password verification and communication key negotiation process, so as to obtain a communication key, establish a secure channel and realize the encryption protection of the communication information between the client and the server by adopting the communication key through the secure channel.
As shown in fig. 6, the present invention further provides a key management system, where the system includes a client and a server, the client is configured with a software cryptographic module, and the server is configured with a hardware cryptographic module;
in the original initialization process:
the client is used for deriving an initial password by using a password derivation algorithm to obtain a password-derived key and storing the HASH value of the initial password on the server; for acquiring a first random number as a white-box protection key and a second random number as a master key; for encrypting the master key through the white-box protection key to obtain a first ciphertext; for encrypting the white-box protection key through the password-derived key to obtain a second ciphertext; for storing the first ciphertext and the second ciphertext in the software cryptographic module; for generating a first user private key component and generating a user public key in cooperation with the server; and for storing the first user private key component, encrypted by the master key, in the software cryptographic module;
the server is used for receiving and storing the HASH value of the initial password; for generating a second user private key component and generating the user public key in cooperation with the client; and for encrypting and storing the second user private key component through the hardware cryptographic module;
in the process of establishing the secure channel:
the client is used for receiving an initial password and initiating a connection request to the server after logging in the software password module, wherein the connection request is related to the initial password;
the server is used for receiving the connection request, verifying the initial password, performing key agreement with the client to obtain a communication key, and establishing a secure channel for communication between the client and the server;
in the key update process:
the client is used for receiving a current password and a new password, encrypting the HASH value of the current password by using the communication key and then sending the encrypted HASH value to the server through the secure channel;
the server is used for decrypting the encrypted HASH value of the current password by using the communication key and then comparing and verifying the encrypted HASH value with the stored HASH value of the current password;
the client is further used for encrypting the HASH value of the new password by using the communication key through the secure channel and then sending the encrypted HASH value to the server;
the server is further configured to update the HASH value of the current password with the HASH value of the new password after decrypting the encrypted HASH value of the new password with the communication key;
the client is used for deriving the current password and the new password by using a password derivation algorithm to obtain a current password-derived key and a new password-derived key; for decrypting the second ciphertext through the current password-derived key to obtain the white-box protection key; and for encrypting the white-box protection key through the new password-derived key and updating the second ciphertext with the resulting ciphertext of the white-box protection key;
in the local key decryption process:
the client is used for receiving a new password, deriving the new password by using a password derivation algorithm to obtain a new password-derived key, and decrypting the second ciphertext by using the new password-derived key to obtain the white-box protection key; for decrypting the first ciphertext by using the white-box protection key to obtain the master key; and for decrypting the ciphertext of the first user private key component by using the master key to obtain the first user private key component;
the server is used for decrypting the ciphertext of the second user private key component through the hardware cryptographic module to obtain the second user private key component;
and the client and the server perform related cryptographic service through the first user private key component, the second user private key component and the user public key generated by the cooperation of the two parties.
Specifically, in the original initialization process, the client is further configured to obtain a third random number as a line protection key, obtain a fourth random number as an internal authentication key, obtain a fifth random number as an external authentication key, encrypt the line protection key, the internal authentication key, and the external authentication key with the master key respectively, and store the encrypted line protection key, the encrypted internal authentication key, and the encrypted external authentication key in the software cryptographic module; and for generating a session key by a pseudo-random number generator internal to the software cryptographic module;
Specifically, in the process of decrypting the local key, the client is further configured to decrypt the ciphertexts of the line protection key, the external authentication key and the internal authentication key through the master key, and to obtain the plaintext of the line protection key, the external authentication key and the internal authentication key for cryptographic services related to external applications.
Specifically, the original initialization process further includes: the client hides the round keys obtained by expanding the master key by embedding them in composite lookup tables, and compiles the tables into binary code to form a white box that protects the master key.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A key management method, characterized in that the key management method comprises an original initialization process, a secure channel establishment process, a key updating process and a local key decryption process;
the original initialization process:
the client uses a password derivation algorithm to derive an initial password to obtain a password derivation key, and stores the HASH value of the initial password to the server;
the client acquires a first random number as a white-box protection key, acquires a second random number as a master key, encrypts the master key through the white-box protection key to obtain a first ciphertext, encrypts the white-box protection key through the password derivation key to obtain a second ciphertext, and stores the first ciphertext and the second ciphertext into a software cryptographic module;
the client generates a first user private key component, encrypts it with the master key and stores it in the software cryptographic module; the server generates a second user private key component, and encrypts and stores it through a hardware cryptographic module; the client and the server cooperatively generate a user public key;
the secure channel establishing process:
the client receives an initial password, logs in to the software cryptographic module, and then initiates a connection request to the server, wherein the connection request is related to the initial password;
after receiving the connection request and verifying the initial password, the server performs key agreement with the client to obtain a communication key, and establishes a secure channel for communication between the client and the server;
the key updating process comprises the following steps:
the client receives a current password and a new password, encrypts a HASH value of the current password by using the communication key and then sends the encrypted HASH value to the server through the secure channel;
the server decrypts the encrypted HASH value of the current password by using the communication key, and compares the decrypted HASH value with the stored HASH value of the current password for verification;
after the verification is passed, the client encrypts the HASH value of the new password by using the communication key and then sends the encrypted HASH value to the server through the secure channel;
the server decrypts the encrypted HASH value of the new password by using the communication key, and updates the HASH value of the current password by using the HASH value of the new password;
the client side uses a password derivation algorithm to derive the current password and the new password to obtain a current password derived key and a new password derived key, decrypts the second ciphertext through the current password derived key to obtain a white-box protection key, encrypts the white-box protection key through the new password derived key, and updates the second ciphertext by using the ciphertext of the white-box protection key obtained through encryption;
the local key decryption process:
the client receives a new password, derives the current password by using a password derivation algorithm to obtain a new password derivation key, decrypts the second ciphertext by using the new password derivation key to obtain a white-box protection key, and decrypts the first ciphertext by using the white-box protection key to obtain the master key;
the client decrypts the ciphertext of the first user private key component through the master key to obtain the first user private key component;
the server decrypts the ciphertext of the second user private key component through the hardware cryptographic module to obtain the second user private key component;
and the client and the server perform related cryptographic service through the first user private key component, the second user private key component and the user public key generated by the cooperation of the two parties.
2. The key management method of claim 1, wherein the original initialization process further comprises: the client acquires a third random number as a line protection key, a fourth random number as an internal authentication key and a fifth random number as an external authentication key;
the client encrypts the line protection key, the internal authentication key and the external authentication key respectively by using the master key and stores the encrypted keys into the software cryptographic module; and
the client generates a session key through a pseudo-random number generator inside the software cryptographic module.
3. The key management method according to claim 2, wherein in the process of decrypting the local key, after the client decrypts the first ciphertext by using the white-box protection key to obtain the master key, the method further comprises: the client decrypts the ciphertexts of the line protection key, the external authentication key and the internal authentication key through the master key to obtain the line protection key, the external authentication key and the internal authentication key, which are used for cryptographic services related to external applications.
4. The key management method according to any one of claims 1 to 3, wherein the original initialization process further includes: the client hides the round keys obtained by expanding the master key by embedding them in composite lookup tables, and compiles the tables into binary code to form a white box that protects the master key.
5. The key management method according to any one of claims 1 to 3, wherein in the secure channel establishment process, the connection request includes the initial password and a first digest value ciphertext of the initial password; the generating process of the first digest value ciphertext of the initial password specifically includes: the client side uses a password derivation algorithm to derive the initial password to obtain a password derivation key, and encrypts the HASH value of the initial password through the password derivation key to generate a first digest value ciphertext of the initial password;
the step of verifying the initial password by the server comprises the following steps: and the server side uses a password derivation algorithm to derive the initial password to obtain a password derivation key, encrypts the stored HASH value of the initial password through the password derivation key to generate a second digest value ciphertext of the initial password, and compares the second digest value ciphertext with the received first digest value ciphertext to verify the initial password.
6. The key management method according to claim 5, wherein, in the process of establishing the secure channel, obtaining the communication key after the key agreement between the client and the server specifically comprises:
the server encrypts the acquired random number I by using the password derivative key generated by derivation to generate a cipher text of the random number I, and sends the cipher text of the random number I and the digital certificate of the server to the client;
the client verifies the validity of the digital certificate of the server, decrypts the ciphertext of the random number I by using the password derivative key generated by derivation after the verification is passed to obtain the random number I, and then obtains a random number II and a random number III from the client;
the client calculates the random number I, the random number II and the random number III to obtain a communication key, encrypts the communication key by using the user public key and then sends the encrypted communication key to the server;
and the client and the server decrypt the ciphertext of the communication key respectively through the cooperation of the first user private key component and the second user private key component to obtain the communication key.
7. A key management system is characterized by comprising a client and a server, wherein the client is provided with a software cryptographic module, and the server is provided with a hardware cryptographic module;
in the original initialization process:
the client is used for deriving an initial password by using a password derivation algorithm to obtain a password-derived key and storing the HASH value of the initial password on the server; for acquiring a first random number as a white-box protection key and a second random number as a master key; for encrypting the master key through the white-box protection key to obtain a first ciphertext; for encrypting the white-box protection key through the password-derived key to obtain a second ciphertext; for storing the first ciphertext and the second ciphertext in the software cryptographic module; for generating a first user private key component and generating a user public key in cooperation with the server; and for storing the first user private key component, encrypted by the master key, in the software cryptographic module;
the server is used for receiving and storing the HASH value of the initial password; for generating a second user private key component and generating the user public key in cooperation with the client; and for encrypting and storing the second user private key component through the hardware cryptographic module;
in the process of establishing the secure channel:
the client is used for receiving an initial password and, after logging in to the software cryptographic module, initiating a connection request to the server, wherein the connection request is related to the initial password;
the server is used for receiving the connection request, verifying the initial password, performing key agreement with the client to obtain a communication key, and establishing a secure channel for communication between the client and the server;
in the key update process:
the client is used for receiving a current password and a new password, encrypting the HASH value of the current password by using the communication key and then sending the encrypted HASH value to the server through the secure channel;
the server is used for decrypting the encrypted HASH value of the current password by using the communication key and then comparing the decrypted HASH value with the stored HASH value of the current password for verification;
the client is further used for encrypting the HASH value of the new password by using the communication key and then sending the encrypted HASH value to the server through the secure channel;
the server is further configured to update the HASH value of the current password with the HASH value of the new password after decrypting the encrypted HASH value of the new password with the communication key;
the client is used for deriving, by using a password derivation algorithm, a current password derivation key from the current password and a new password derivation key from the new password; for decrypting the second ciphertext with the current password derivation key to obtain the white-box protection key; and for encrypting the white-box protection key with the new password derivation key and updating the second ciphertext with the resulting ciphertext of the white-box protection key;
in the local key decryption process:
the client is used for receiving the new password, deriving a new password derivation key from it by using a password derivation algorithm, and decrypting the second ciphertext with the new password derivation key to obtain the white-box protection key; for decrypting the first ciphertext with the white-box protection key to obtain the master key; and for decrypting the ciphertext of the first user private key component with the master key to obtain the first user private key component;
the server is used for decrypting the ciphertext of the second user private key component through the hardware cryptographic module to obtain the second user private key component;
and the client and the server perform related cryptographic service through the first user private key component, the second user private key component and the user public key generated by the cooperation of the two parties.
8. The key management system of claim 7, wherein during the original initialization process, the client is further configured to obtain a third random number as a line protection key, obtain a fourth random number as an internal authentication key, obtain a fifth random number as an external authentication key, encrypt the line protection key, the internal authentication key, and the external authentication key using the master key respectively, and store the encrypted line protection key, the encrypted internal authentication key, and the encrypted external authentication key in the software cryptographic module; and for generating a session key by a pseudo-random number generator internal to the software cryptographic module.
9. The key management system of claim 8, wherein in the process of decrypting the local key, the client is further configured to decrypt ciphertext of the line protection key, the external authentication key, and the internal authentication key through the master key to obtain plaintext of the line protection key, the external authentication key, and the internal authentication key for performing the cryptographic service related to the external application.
10. The key management system according to any one of claims 7 to 9, wherein the original initialization process further includes: the client hides the round keys obtained by expanding the master key by embedding them into composite lookup tables, and compiles them into binary code form to produce a white box that protects the master key.
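
The key hierarchy of claim 7 (initialization, key update and local key decryption), as an added example that is not part of the patent. PBKDF2-HMAC-SHA256, the per-module salt and the stdlib-only HMAC-based `wrap`/`unwrap` are assumptions standing in for the unspecified password derivation algorithm and cipher; the server-side HASH check and the white-box tables are not modelled.

```python
import hashlib, hmac, secrets

def derive_key(password: str, salt: bytes) -> bytes:
    # Assumed KDF; the claims only say "password derivation algorithm".
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        block = nonce + ctr.to_bytes(4, "big")
        out += hmac.new(key, b"enc" + block, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in authenticated wrap (HMAC keystream + HMAC tag), stdlib only.
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

def initialize(password: str, priv_component_one: bytes) -> dict:
    salt = secrets.token_bytes(16)      # assumption: salt kept beside the ciphertexts
    wb_key = secrets.token_bytes(32)    # first random number: white-box protection key
    master = secrets.token_bytes(32)    # second random number: master key
    return {                            # contents of the software cryptographic module
        "salt": salt,
        "first_ct": wrap(wb_key, master),
        "second_ct": wrap(derive_key(password, salt), wb_key),
        "priv1_ct": wrap(master, priv_component_one),
    }

def change_password(module: dict, current: str, new: str) -> None:
    # Key update: only the second ciphertext is re-wrapped under the new password.
    wb_key = unwrap(derive_key(current, module["salt"]), module["second_ct"])
    new_salt = secrets.token_bytes(16)
    module["second_ct"] = wrap(derive_key(new, new_salt), wb_key)
    module["salt"] = new_salt

def unlock(module: dict, password: str) -> bytes:
    # Local key decryption: password -> white-box key -> master key -> component one.
    wb_key = unwrap(derive_key(password, module["salt"]), module["second_ct"])
    master = unwrap(wb_key, module["first_ct"])
    return unwrap(master, module["priv1_ct"])
```

A password change leaves the first ciphertext and the wrapped private key component untouched, so the master key and everything beneath it never need re-encryption.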
CN202010351744.3A 2020-04-28 2020-04-28 Key management method and system Active CN111464301B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010351744.3A CN111464301B (en) 2020-04-28 2020-04-28 Key management method and system

Publications (2)

Publication Number Publication Date
CN111464301A true CN111464301A (en) 2020-07-28
CN111464301B CN111464301B (en) 2022-02-11

Family

ID=71678262

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010351744.3A Active CN111464301B (en) 2020-04-28 2020-04-28 Key management method and system

Country Status (1)

Country Link
CN (1) CN111464301B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A Key Management Method and System

Effective date of registration: 20230412

Granted publication date: 20220211

Pledgee: China Construction Bank Corporation Zhengzhou Jinshui sub branch

Pledgor: ZHENGZHOU XINDA JIEAN INFORMATION TECHNOLOGY Co.,Ltd.

Registration number: Y2023980037751