CN111538977A - Cloud API key management method, cloud platform access method, cloud API key management device, cloud platform access device and server - Google Patents
Cloud API key management method, cloud platform access method, cloud API key management device, cloud platform access device and server Download PDFInfo
- Publication number
- CN111538977A CN111538977A CN202010576953.8A CN202010576953A CN111538977A CN 111538977 A CN111538977 A CN 111538977A CN 202010576953 A CN202010576953 A CN 202010576953A CN 111538977 A CN111538977 A CN 111538977A
- Authority
- CN
- China
- Prior art keywords
- key
- ciphertext
- white
- cloud
- cloud api
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Abstract
The application relates to a cloud API key management method, a cloud platform access method, a cloud API key management device and a cloud platform access device and a server. The method comprises the following steps: receiving a cloud API key acquisition request sent by a target user account, distributing a plain text cloud API key for the target user account, encrypting the plain text cloud API key through a ciphertext white box encryption key to obtain a ciphertext cloud API key, and feeding back the target ciphertext key and a ciphertext white box decryption key to the target user account; responding to the cloud platform access request, acquiring a target ciphertext key and a ciphertext white box decryption key, and decrypting the ciphertext cloud API key through the ciphertext white box decryption key to obtain a plaintext cloud API key; and calling the cloud API to access the cloud platform according to the plaintext cloud API key. In the technical field of cloud security, the security of identity authentication through a cloud API key is improved by applying a white-box encryption and decryption technology to the using process of the cloud API key.
Description
Technical Field
The embodiment of the application relates to the field of cloud security, in particular to a method, a device and a server for managing a cloud API key and accessing a cloud platform.
Background
In the field of Cloud security, an Application Programming Interface (API) key refers to identity authentication and authentication information of an Application or a service server accessing a Cloud platform, and is a string of special character strings allocated to a user by a Cloud Access Management (CAM) system, so that the Cloud API key has a significant effect on security of user resources stored in the Cloud platform.
In the related art, when a cloud API key is used, the CAM system of the cloud platform allocates the cloud API key to a user, the allocated cloud API key is a plaintext, and the user directly configures the plaintext of the cloud API key in a configuration file or a source code of an application program (or a service server) for identity authentication using the cloud API key when the service server accesses the cloud platform.
Obviously, by adopting the management and use method of the cloud API key in the related art, the CAM allocates the plaintext cloud API key to the user, and there is a security risk of the cloud API key leakage.
Disclosure of Invention
The embodiment of the application provides a cloud API key management method, a cloud platform access method, a cloud API key management device, a cloud platform access device and a server, which can improve the security of a cloud API key in a cloud access scene.
In one aspect, a method for managing a cloud API key is provided, where the method includes:
receiving a cloud API key acquisition request sent by a target user account;
responding to the cloud API key acquisition request, distributing a plain cloud API key for the target user account, wherein the plain cloud API key is a key used for identity authority verification when a cloud API is called to access a cloud platform;
encrypting the plaintext cloud API key through a ciphertext white-box encryption key to obtain a ciphertext cloud API key, wherein the ciphertext white-box encryption key is subjected to white-box encryption;
feeding back a target ciphertext key and a ciphertext white-box decryption key to the target user account, wherein the target ciphertext key at least comprises the ciphertext cloud API key, the target ciphertext key and the ciphertext white-box decryption key are configured to a service server corresponding to the target user account, the ciphertext white-box decryption key is used for decrypting the target ciphertext key to obtain the plaintext cloud API key, and the ciphertext white-box decryption key is subjected to white-box encryption processing.
In another aspect, an access method for a cloud platform is provided, where the method includes:
responding to a cloud platform access request, acquiring a target ciphertext key and a ciphertext white box decryption key, wherein the target ciphertext key and the ciphertext white box decryption key are provided by a cloud platform and configured in a service server, the target ciphertext key is obtained by encrypting the cloud platform by using a ciphertext white box encryption key, the target ciphertext key at least comprises a ciphertext cloud API key, and the ciphertext white box encryption key and the ciphertext white box decryption key are subjected to white box encryption processing;
decrypting the ciphertext cloud API key in the target ciphertext key through the ciphertext white box decryption key to obtain a plaintext cloud API key;
and calling a cloud API to access the cloud platform according to the plaintext cloud API key, wherein the plaintext cloud API key is used for identity authority verification.
In another aspect, an apparatus for managing a cloud API key is provided, the apparatus including:
the receiving module is used for receiving a cloud API key obtaining request sent by a target user account;
the allocation module is used for responding to the cloud API key acquisition request and allocating a plain cloud API key to the target user account, wherein the plain cloud API key is a key used for identity authority verification when a cloud API is called to access a cloud platform;
the first encryption processing module is used for encrypting the plaintext cloud API key through a ciphertext white-box encryption key to obtain a ciphertext cloud API key, and the ciphertext white-box encryption key is subjected to white-box encryption processing;
the feedback module is configured to feed back a target ciphertext key and a ciphertext white-box decryption key, where the target ciphertext key at least includes the ciphertext cloud API key, the target ciphertext key and the ciphertext white-box decryption key are configured to a service server corresponding to the target user account, the ciphertext white-box decryption key is used to decrypt the target ciphertext key to obtain the plaintext cloud API key, and the ciphertext white-box decryption key is subjected to white-box encryption processing.
In another aspect, an access apparatus for a cloud platform is provided, the apparatus including:
a third obtaining module, configured to obtain a target ciphertext key and a ciphertext white-box decryption key in response to a cloud platform access request, where the target ciphertext key and the ciphertext white-box decryption key are provided by a cloud platform and configured in a service server, the target ciphertext key is obtained by encrypting, by the cloud platform, a ciphertext white-box encryption key, the target ciphertext key at least includes a ciphertext cloud API key, and the ciphertext white-box encryption key and the ciphertext white-box decryption key are subjected to white-box encryption processing;
the first decryption processing module is used for decrypting the ciphertext cloud API key in the target ciphertext key through the ciphertext white box decryption key to obtain a plaintext cloud API key;
and the access module is used for calling cloud API to access the cloud platform according to the plaintext cloud API key, and the plaintext cloud API key is used for identity authority verification.
In another aspect, a server is provided, which includes a processor and a memory, where the memory stores at least one instruction, at least one program, a code set, or a set of instructions, and the at least one instruction, the at least one program, the code set, or the set of instructions is loaded and executed by the processor to implement the management method of the cloud API key as described above, or to implement the access method of the cloud platform as described above.
In another aspect, a computer-readable storage medium is provided, in which at least one instruction, at least one program, a set of codes, or a set of instructions is stored, and the at least one instruction, the at least one program, the set of codes, or the set of instructions is loaded and executed by a processor to implement the management method of the cloud API key as described above, or to implement the access method of the cloud platform as described above.
The technical scheme provided by the application can comprise the following beneficial effects:
in a management scene of a cloud API key, after a cloud platform receives a cloud API key acquisition request of a target user account, firstly, a plaintext cloud API key is distributed for the target user account, the plaintext cloud API key is encrypted through a ciphertext white box encryption key to obtain a ciphertext cloud API key, then, a target ciphertext key at least containing the ciphertext cloud API key and a ciphertext white box decryption key are fed back to an administrator, and the ciphertext is fed back to the administrator, so that compared with the related technology that a plaintext cloud API key is directly distributed for a user, the confidentiality of the cloud API key can be improved; moreover, when the cloud API key is encrypted, the ciphertext white-box encryption key is adopted, the ciphertext white-box encryption key is a ciphertext obtained after white-box encryption, the decryption key correspondingly fed back to an administrator is also a ciphertext white-box decryption key (namely, the ciphertext white-box decryption key is obtained after white-box encryption), the protection of the key used for encryption and decryption can be realized, the cloud API key is prevented from being decrypted after the decryption key is leaked, the safety of the cloud API key is improved, and the safety of user resources stored in the cloud platform is improved.
In an access scene of a cloud platform, a target ciphertext key (at least comprising a ciphertext cloud API key) and a ciphertext white box decryption key provided by the cloud platform are configured in a service server, when the service server has a requirement for accessing the cloud platform, the target ciphertext key and the ciphertext white box decryption key are obtained, and the ciphertext cloud API key in the target ciphertext key is decrypted according to the ciphertext white box decryption key to obtain a plaintext cloud API key, so that the service server can access the cloud platform according to the cloud API key and call the cloud API, and correspondingly, the cloud platform performs identity verification on an access request according to the plaintext cloud API key. Because the target ciphertext key and the ciphertext white-box decryption key configured in the service server are ciphertexts, the cloud API key can be prevented from being decrypted when the ciphertext white-box decryption key and the ciphertext cloud API key are lost, plaintext cannot occur in the decryption process, the security of the decryption process can be ensured, and the security of the cloud API key is improved, so that other unauthorized devices are prevented from accessing the cloud platform, and the security of user resources stored in the cloud platform is further improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
FIG. 1 illustrates a system diagram of a cloud computer system provided in various embodiments of the present application;
fig. 2 illustrates a flowchart of a method for managing cloud API keys according to an exemplary embodiment of the present application;
FIG. 3 illustrates a schematic diagram of a cloud API key management interface shown in an exemplary embodiment of the present application;
FIG. 4 illustrates a schematic diagram of a white-box key management interface shown in an exemplary embodiment of the present application;
fig. 5 shows a flowchart of a method for managing cloud API keys according to another exemplary embodiment of the present application;
fig. 6 shows a corresponding structure diagram of the KMS server according to an exemplary embodiment of the present application;
fig. 7 shows a flowchart of a method for managing cloud API keys according to another exemplary embodiment of the present application;
fig. 8 is a schematic diagram showing a comparison between the encryption/decryption process and the white-box encryption/decryption process in the related art;
fig. 9 shows a flowchart of a method for managing cloud API keys according to another exemplary embodiment of the present application;
FIG. 10 shows a schematic diagram of a process for determining a target ciphertext key, shown in an example embodiment of the present application;
FIG. 11 illustrates a flow chart of an access method of a cloud platform in accordance with an exemplary embodiment of the present application;
FIG. 12 is a diagram illustrating a process for configuring a target ciphertext key and a ciphertext white-box decryption key, shown in an example embodiment of the present application;
FIG. 13 illustrates a flow chart of an access method of a cloud platform in accordance with another exemplary embodiment of the present application;
FIG. 14 illustrates a flow chart of an access method of a cloud platform in accordance with another exemplary embodiment of the present application;
FIG. 15 is a diagram illustrating a process of a decryption operation shown in an exemplary embodiment of the present application;
FIG. 16 illustrates a flow chart of an access method of a cloud platform shown in another exemplary embodiment of the present application;
FIG. 17 depicts a flowchart of a process for white-box encrypting a cloud API key, in accordance with an illustrative embodiment of the present application;
FIG. 18 illustrates a flow chart of a white-box decryption process shown in an exemplary embodiment of the present application;
FIG. 19 shows a schematic diagram of a complete encryption/decryption process shown in an exemplary embodiment of the present application;
fig. 20 is a block diagram illustrating a configuration of a cloud API key management apparatus according to an exemplary embodiment of the present application;
fig. 21 is a block diagram illustrating a structure of an access device of a cloud platform according to an exemplary embodiment of the present application;
fig. 22 shows a block diagram of a server according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The embodiment of the application provides a method for managing a cloud API key and accessing a cloud platform. For ease of understanding, the terms referred to in this application are explained below.
1) Cloud technology (Cloud technology)
The cloud technology is a general term of network technology, information technology, integration technology, management platform technology, application technology and the like based on cloud computing business model application, can form a resource pool, is used as required, and is flexible and convenient. Cloud computing technology will become an important support. Background services of the technical network system require a large amount of computing and storage resources, such as video websites, picture-like websites and more web portals. With the high development and application of the internet industry, each article may have its own identification mark and needs to be transmitted to a background system for logic processing, data in different levels are processed separately, and various industrial data need strong system background support and can only be realized through cloud computing.
2) Cloud Security (Cloud Security)
Cloud security refers to the generic name of security software, hardware, users, organizations, and security cloud platforms applied based on cloud computing business models. The cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and unknown virus behavior judgment, abnormal monitoring of software behaviors in the network is achieved through a large number of meshed clients, the latest information of trojans and malicious programs in the internet is obtained and sent to the server for automatic analysis and processing, and then the virus and trojan solution is distributed to each client.
The cloud security mainly comprises: (1) the cloud computing security refers to the security of the cloud and various applications on the cloud, and comprises cloud computer system security, user data security storage and isolation, user access authentication, information transmission security, network attack protection, compliance audit and the like; (2) the cloud of the security infrastructure means that cloud computing is adopted to newly build and integrate security infrastructure resources and optimize a security protection mechanism, and the cloud computing technology is adopted to build a super-large-scale security event and an information acquisition and processing platform, so that the acquisition and correlation analysis of mass information are realized, and the handling control capability and the risk control capability of the security event of the whole network are improved; (3) the cloud security service refers to security services, such as anti-virus services, provided for users based on a cloud computing platform. The embodiments disclosed in the embodiments of the present application are applications in a cloud computing security level.
3) Cloud API key
The cloud API key refers to identity authentication and authentication information of an application program or a service server accessing a cloud platform, and is a special character string distributed to a user by a CAM system. In an illustrative example, a service provider stores a user resource on a cloud platform and applies for a cloud API key as an identity credential for accessing the user resource; the service provider configures the applied cloud API key in a service server, and when the service server accesses the cloud platform, the cloud API key needs to be carried so that the cloud platform can verify the cloud API key, and the service server is allowed to access the user resources stored on the cloud platform after the verification is passed.
In a possible application scenario, developers of some application programs may rent a cloud platform to store user resource information, such as service data related to the application program, and when a background server of the application program is processing a service, the developers need to go to the cloud platform to access the user resource information stored in advance. In order to ensure the security of the user resources on the cloud platform, only some specified (authorized) servers or devices are allowed to access, so that developers need to apply for a cloud API key for access authentication on the cloud platform and configure the cloud API key in the service server, so that the service server carries the cloud API key when accessing the cloud platform, thereby ensuring that only the authorized devices can access the user resources on the cloud platform, and ensuring the security of the user resource information stored on the cloud platform.
In the related technology, a service provider may apply for a cloud API key on a cloud platform, the cloud platform allocates a plaintext cloud API key for the plaintext cloud API key, the service provider takes the plaintext cloud API key, and configures the plaintext cloud API key in a device or a service server that needs to access the cloud platform, for example, in a configuration file or a source code of the service server, so that the service server obtains and carries the plaintext cloud API key when accessing, accesses the cloud platform, and allows the service server to access a user resource stored in the cloud platform after the cloud platform passes verification of the cloud API key.
Obviously, in the cloud API key management and cloud platform access method used in the related art, the cloud platform directly provides the plaintext cloud API key for the user, and the service provider directly configures the plaintext cloud API key in the service server, and after other users acquire the configuration file or the source code, the plaintext cloud API key can be directly obtained, which causes the leakage of the cloud API key, thereby threatening the security of the user resources stored on the cloud platform.
Unlike the management of cloud API keys and the access method of a cloud platform in the related art, the embodiments of the present application provide a new management of cloud API keys and access method of a cloud platform, please refer to fig. 1, which shows a system configuration diagram of a cloud computer system provided in various embodiments of the present application. As shown in fig. 1, the system includes a cloud platform 101, a service server 102, and a terminal 103.
The cloud platform 101 is a cloud computing resource pool in the cloud technology field, and multiple types of virtual resources are deployed in the resource pool and are selectively used by external customers. The cloud computing resource pool mainly comprises: computing devices (which are virtualized machines, including operating systems), storage devices, and network devices. The cloud server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud service, a cloud database, cloud computing, a cloud function, cloud storage, network service, cloud communication, middleware service, domain name service, security service, Content Delivery Network (CDN), big data and an artificial intelligence platform. In the embodiment of the present application, the cloud platform 101 includes a CAM server 104 and a Key Management System (KMS) server 105, wherein, the CAM server 104 distributes the plain cloud API key for the user account, the KMS server provides the white-box encryption service for the plain cloud API key, in an illustrative example, when the cloud platform receives a cloud API key acquisition request for a target user account, a cleartext cloud API key is first assigned by CAM server 104 to the target user account, when the administrator authorizes the KMS server 105 to perform encryption service on the cloud API key, the CAM server 104 sends the generated plaintext cloud API key to the KMS server 105, the KMS server 105 performs white-box decryption on the plaintext cloud API key to obtain a ciphertext cloud API key, and feeds back to the CAM server 104, and the cloud API key management interface corresponding to the CAM server 104 displays the key and feeds back the key to the administrator. In one possible application scenario, a developer of an application rents the cloud platform 101 for storing business data resources related to the application, so that when the application has a business data processing requirement, a business server 102 corresponding to the application accesses the business data resources stored in the cloud platform 101.
The service servers 102 are connected directly or indirectly through wired or wireless communication.
The service server 102 is a device having functions of service data processing and service data access, and is a background server or a service server corresponding to an application program, and can receive a service processing request from the application program and access service data resources stored in the cloud platform according to the service processing request; the system can be a server, a server cluster formed by a plurality of servers or a cloud computing center. In the embodiment of the application, the service server 102 is configured with a ciphertext cloud API key and a ciphertext white box decryption key provided by the cloud platform, and is configured to, when the service server 102 accesses the cloud platform, perform decryption operation on the ciphertext cloud API key according to the ciphertext white box decryption key to obtain a plaintext cloud API key, and carry the plaintext cloud API key to access the cloud platform 101, so that the cloud platform 101 performs identity authentication on the service server 102 according to the plaintext cloud API key.
The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud computing services.
In one possible implementation, the business server 102 may access the cloud platform 101 through a cloud API.
The terminal 103 is connected to the service server 102 directly or indirectly by wired or wireless communication.
The terminal 103 is a device installed with an application program, and may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, and the like, which is not limited in this embodiment of the present application.
In the embodiment of the present application, a description is given by taking an example that a management method of a cloud API key is applied to the cloud platform 101, and an example that an access method of the cloud platform is applied to the service server 102.
Referring to fig. 2, a flowchart of a method for managing a cloud API key according to an exemplary embodiment of the present application is shown, where the embodiment of the present application is described by taking an example that the method is applied to a cloud platform shown in fig. 1, and the method includes the following steps.
The cloud API key acquisition request can be a request triggered when an administrator (administrator for short) of a service provider clicks a cloud API key control in a control interface of a cloud platform, and correspondingly, the cloud platform receives the cloud API key acquisition request of a target user account; or the cloud API key acquisition request may also be sent by a service server corresponding to the target user account, and correspondingly, the cloud platform receives the cloud API key acquisition request sent by the target user account, which is not limited in this embodiment.
In a possible implementation manner, the cloud platform provides a cloud API key management interface, the cloud API key management interface provides functions of creating a cloud API key, enabling or closing the cloud API key, performing encryption operation on the cloud API, and the like, an administrator logs in the cloud platform and enters the cloud API key management interface, in the cloud API key management interface, the administrator clicks a key creation control, and correspondingly, the cloud platform receives a cloud API key acquisition request of a target user account, that is, the cloud API key is allocated to the target user account.
In an illustrative example, as shown in fig. 3, a schematic diagram of a cloud API key management interface is shown in an illustrative embodiment of the present application. Relevant information of the cloud API key, such as creation time of the cloud API key, a use state of the cloud API key, and the like, is displayed in the cloud API key management interface 301, when an administrator logs in a cloud platform and enters the cloud API key management interface 301, the administrator can click the newly-built key control 302, and accordingly, the cloud platform receives a cloud API key acquisition request of a target user account, i.e., allocates a plaintext cloud API key to the target user account, and displays the generated plaintext cloud API key in the cloud API key management interface 301, and the administrator can obtain the cloud API key by clicking the copy control 303 in the cloud API key management interface 301.
In another exemplary example, after the cloud platform allocates the plaintext cloud API key to the administrator, the cloud API key is encrypted to obtain a ciphertext cloud API key, and the target ciphertext key including the ciphertext cloud API key is fed back to the administrator from the corresponding cloud API key management interface 301.
And 203, encrypting the plaintext cloud API key through the ciphertext white-box encryption key to obtain the ciphertext cloud API key, wherein the ciphertext white-box encryption key is subjected to white-box encryption.
In the related technology, on one hand, a clear cloud API key of a target user account is directly fed back in an unencrypted mode and is directly configured by an administrator; on one hand, a symmetric encryption mode is adopted, namely, a plaintext secret key is adopted to encrypt a plaintext cloud API secret key and feed back the encrypted ciphertext cloud API secret key to an administrator, and correspondingly, the administrator configures the ciphertext cloud API secret key and a corresponding plaintext decryption secret key in a service server, for example, the ciphertext cloud API secret key is configured in a configuration file, and the plaintext decryption secret key is configured in a source code. Therefore, aiming at the security risk in the non-encryption or encryption mode, the embodiment of the application adopts a white-box encryption mode in the encryption process, namely, a ciphertext white-box encryption key and a ciphertext white-box decryption key, and because the ciphertext white-box encryption key and the ciphertext white-box decryption key are subjected to white-box encryption processing (a key used for encryption and decryption is mixed with an encryption algorithm), other users cannot directly obtain the key used for encryption and decryption, so that the protection on the encryption and decryption key is improved, and the security of the cloud API key is further improved.
In one possible embodiment, the cloud platform is provided with a white-box key management interface, in which an administrator may apply for a white-box key (including a white-box encryption key and a white-box decryption key), turn on or disable the white-box key, and the like, for example, the administrator clicks a key control created in the white-box key management interface, and accordingly, the cloud platform receives an acquisition request for the white-box key, and assigns the white-box key to the target user account.
In an illustrative example, please refer to fig. 4, which illustrates a schematic diagram of a white-box key management interface in accordance with an illustrative embodiment of the present application. In the white-box key management interface 401, there are provided a newly-created white-box key control 402, a download decryption Software Development Kit (SDK) control 403, at least one set of white-box encryption/decryption keys, a creation time of the white-box encryption/decryption keys, an encryption algorithm used, a download decryption key control 405, and the like. The administrator can click the newly-built white-box key control 402, and accordingly, the cloud platform receives a white-box key creation request, creates a group of white-box encryption and decryption keys (including a ciphertext white-box encryption key and a ciphertext white-box decryption key) for the administrator, and can click the selection control 404 to select the white-box encryption and decryption key used for encrypting the plaintext cloud API key; the administrator can obtain the corresponding ciphertext decryption key by clicking the download decryption key control 405, and configure the corresponding ciphertext decryption key in the service server; the administrator can also obtain a decryption file for executing the white-box decryption process by clicking the download white-box decryption SDK control 403, and configure the decryption file in the service server.
In a possible implementation manner, the cloud platform provides an encryption function for the administrator to the cloud API key, and if the administrator starts the function, correspondingly, after the cloud platform generates a cloud API key plaintext, the cloud API key plaintext is encrypted by using a ciphertext white box encryption key to generate a ciphertext cloud API key, and the ciphertext cloud API key is fed back to the administrator.
In a possible implementation manner, when performing the Encryption processing, the Encryption algorithm used may be Data Encryption Standard (DES), Advanced Encryption Standard (AES), and the like, and the Encryption algorithm used in the Encryption processing is not limited in the embodiment of the present application.
And 204, feeding back a target ciphertext key and a ciphertext white box decryption key to the target user account, wherein the target ciphertext key at least comprises a ciphertext cloud API key, the target ciphertext key and the ciphertext white box decryption key are configured to a service server corresponding to the target user account, the ciphertext white box decryption key is used for decrypting the target ciphertext key to obtain a plaintext cloud API key, and the ciphertext white box decryption key is subjected to white box encryption processing.
In a possible implementation manner, after an administrator applies for a cloud API key in a cloud API key management interface, a cloud platform first allocates a plaintext cloud API key to a target user account, and after encrypting the plaintext cloud API key according to a white-box encryption key, obtains a ciphertext cloud API key as a target ciphertext key and feeds the target ciphertext key back to the administrator, that is, the encrypted ciphertext cloud API key is displayed in the cloud API key management interface, so that the administrator can obtain the target ciphertext key conveniently.
In another possible implementation manner, when the administrator applies for the white-box encryption and decryption key in the white-box key management interface, correspondingly, the cloud platform receives an acquisition request of the white-box encryption and decryption key, that is, allocates the white-box encryption and decryption key to the administrator, and provides an acquisition interface of the ciphertext white-box decryption key in the white-box key management interface, and the administrator can click the download control, that is, can acquire the corresponding ciphertext white-box decryption key.
In a possible implementation manner, an administrator acquires a target ciphertext key (including a ciphertext cloud API key) from a cloud API key management interface and acquires a ciphertext white-box decryption key from a white-box key management interface, that is, the target ciphertext key and the ciphertext white-box decryption key may be configured in a service server corresponding to a target user account (or a server to which the administrator allows access to user resources), so that when the service server accesses a cloud platform, the service server may decrypt the target ciphertext key according to the ciphertext white-box decryption key, thereby obtaining the plaintext cloud API key, and carry the plaintext cloud API key to access the cloud platform, and the cloud platform verifies the plaintext cloud API key, so as to implement identity verification on the service server.
In summary, in the embodiment of the application, in a management scenario of a cloud API key, after a cloud platform receives a cloud API key acquisition request of a target user account, first allocating a plaintext cloud API key to the target user account, and performing encryption processing on the plaintext cloud API key through a ciphertext white-box encryption key to obtain a ciphertext cloud API key, and then feeding back a target ciphertext key at least including the ciphertext cloud API key and a ciphertext white-box decryption key to an administrator, where since all the target ciphertext key and the ciphertext white-box decryption key are ciphertexts, compared with the related art in which a plaintext cloud API key is directly allocated to an administrator, the confidentiality of the cloud API key can be improved; moreover, when the cloud API key is encrypted, the ciphertext white-box encryption key is adopted, the ciphertext white-box encryption key is a ciphertext obtained after white-box encryption, the decryption key correspondingly fed back to an administrator is also a ciphertext white-box decryption key (namely, the ciphertext white-box decryption key is obtained after white-box encryption), the protection of the key used for encryption and decryption can be realized, the cloud API key is prevented from being decrypted after the decryption key is leaked, the safety of the cloud API key is improved, and the safety of user resources stored in the cloud platform is improved.
Since the process of managing the cloud API key at least involves two function servers in the cloud platform, for example, a CAM server providing cloud API key management and a KMS server providing white box key management, in order to implement automatic encryption processing on the cloud API key, in a possible implementation manner, an administrator is allowed to perform authorization operation, that is, the cloud platform receives authorization of the administrator by the KMS to encrypt the plaintext cloud API key, that is, in the process of distributing the cloud API key, the generated plaintext cloud API key is directly encrypted, and the encrypted ciphertext cloud API key is fed back to the CAM server, and after receiving the ciphertext cloud API key, the corresponding CAM server directly displays the ciphertext cloud API key in the cloud API key management interface.
In an exemplary example, as shown in fig. 5, a flowchart of a method for managing a cloud API key according to another exemplary embodiment of the present application is shown, where the embodiment of the present application takes an example that the method is applied to a cloud platform shown in fig. 1 as an example, and the method includes the following steps.
In a possible implementation manner, because the CAM server provides a cloud API key management function for the administrator, when the administrator clicks and creates a cloud API key control in a cloud API key management interface corresponding to the CAM server, the cloud API key acquisition request may be triggered, and correspondingly, the CAM server receives the cloud API key acquisition request sent by the target user account; or the cloud API key acquisition request is sent by a service server corresponding to the target user account, and correspondingly, the CAM server receives the cloud API key acquisition request sent by the target user account, which is not limited in this embodiment.
The CAM server is used for providing a management function of the cloud API key, and the cloud API key management interface in the above embodiment is a control interface corresponding to the CAM server in the cloud platform.
In a possible implementation manner, when an administrator clicks on a key creation control in a cloud API key management interface, a corresponding CAM server receives a cloud API key acquisition request for a target user account, that is, allocates a plaintext cloud API key to the target user account.
In another possible implementation manner, an administrator may apply for one cloud API key or multiple cloud API keys in a cloud API key management interface, which is not limited in this embodiment of the present application.
Because the CAM server provides a plaintext cloud API key creating function and the white box encryption function is provided by a special KMS server, in order to encrypt the plaintext cloud API key, developers open the CAM server and the KMS server, namely, information interaction can be performed between the CAM server and the KMS server through authorization, so that the plaintext cloud API key is automatically encrypted.
In a possible implementation manner, an administrator may apply for a whitebox key (including a ciphertext whitebox encryption key and a ciphertext whitebox decryption key) in a front-end interface (i.e., a whitebox key management interface) corresponding to the KMS server in advance, and accordingly, the KMS server receives an acquisition request of the whitebox encryption/decryption key of the target user account, that is, distributes the ciphertext whitebox decryption key and the ciphertext whitebox encryption key to the administrator.
In another possible implementation manner, an administrator may apply for multiple sets of white-box keys in a white-box key management interface, where there is a difference between ciphertext white-box decryption keys or ciphertext white-box encryption keys corresponding to different sets of white-box keys, which is not limited in this embodiment of the present application.
Since the white-box encryption processing on the cloud API key needs to be performed by the KMS server, and the whole encryption process involves interaction between the two servers, in order to ensure the data security of each of the two servers, in a possible implementation, an administrator needs to perform a white-box encryption authorization operation, that is, to allow the CAM server to access the white-box key resource in the KMS, and to allow the KMS to perform encryption processing on the plaintext cloud API key.
In a possible implementation manner, a white-box encryption authorization control is provided in a cloud API key management interface corresponding to the CAM server, and after the administrator clicks the white-box encryption authorization control, the CAM server receives a white-box encryption authorization instruction, that is, obtains white-box key resources corresponding to the target user account from the KMS server, for example, a set of white-box encryption and decryption keys that the target user account applies for in the KMS server.
Optionally, the obtained white-box key resource may include a white-box key ID or a white-box key identifier corresponding to a group of white-box encryption/decryption keys, and the like, which is not limited in this embodiment of the present application.
Optionally, after the CAM server obtains the white-box key resources, the white-box key resources may be displayed in a cloud API key management interface corresponding to the CAM server, for example, in a form of a prompt window, and at least one white-box key identifier is displayed in the prompt window, so that an administrator may select which set of white-box encryption/decryption keys to use.
And step 504, in response to receiving the enabling instruction of the target whitebox encryption and decryption key, sending a key identifier of the target whitebox encryption and decryption key to a KMS server through the CAM server, wherein the KMS server is used for determining a ciphertext whitebox encryption key used in encryption according to the key identifier.
In a possible implementation manner, if the CAM server receives a selection operation of any white-box encryption and decryption key, and correspondingly, the CAM server receives an enabling instruction of a target white-box encryption and decryption key, a key identification of the target white-box encryption and decryption key is sent to the KMS server through the CAM server, so that the KMS server determines a ciphertext white-box encryption key used in encryption according to the key identification.
In another possible implementation manner, an administrator may directly perform a selection operation in the whitebox key management interface corresponding to the KMS server, and correspondingly, the KMS server receives an enabling instruction for encrypting and decrypting the target whitebox key, so that a subsequent KMS server performs encryption processing on the plaintext cloud API key according to the ciphertext whitebox encryption key corresponding to the selection operation.
It should be noted that, step 503 and step 504 may be executed before step 501, or after step 501, or simultaneously, and this embodiment is not limited to this.
And 505, calling a white-box encryption interface provided by the KMS through the CAM server, and encrypting the plaintext cloud API key to obtain the ciphertext cloud API key.
In a possible implementation manner, after the CAM server generates the plaintext cloud API key according to the cloud API key acquisition request, the white-box encryption interface provided by the KMS server is called to send a white-box encryption request to the KMS server, and correspondingly, the KMS receives the white-box encryption request sent by the CAM server, and encrypts the received plaintext cloud API key to obtain the ciphertext cloud API key.
In another possible implementation manner, the white-box encryption request includes a target user account (or unique identification information corresponding to the target user account) and a plaintext cloud API key, where the target user account is used to perform permission check on the white-box encryption request, that is, to check whether the target user account has a white-box encryption permission, and if the permission check is passed, the received plaintext cloud API key is encrypted to obtain a ciphertext cloud API key.
In an exemplary example, please refer to fig. 6, which illustrates a corresponding structure diagram of a KMS server according to an exemplary embodiment of the present application, where the KMS server 600 includes: a white-box encryption interface 601, a rights management and control 602, a white-box key background 603, a white-box encryption SDK604, and the like. The CAM server sends a white-box encryption request to the KMS server 600 by calling a white-box encryption interface 601 provided by the KMS server 600, firstly checks the white-box encryption request through an authority management and control 602, and calls a white-box encryption SDK604 through a white-box key background 603 after the check is passed, and encrypts a plaintext cloud API key according to the ciphertext white-box encryption key to obtain a ciphertext cloud API key.
In order to ensure that the security of the cloud API key can be still ensured under the condition that both the white-box decryption key and the ciphertext cloud API key are leaked, the white-box encryption and decryption keys are subjected to white-box processing (i.e., the encryption and decryption keys are confused with an encryption algorithm), that is, the generated white-box encryption key is a ciphertext, and in order to realize normal encryption of the plaintext cloud API key, correspondingly, in the encryption processing process, the ciphertext white-box encryption key also needs to be decrypted, so that the ciphertext white-box encryption key can be used for encryption of the plaintext cloud API key.
In an illustrative example, based on fig. 5, as shown in fig. 7, step 505 includes step 505A and step 505B.
In step 505A, the CAM server calls a whitebox encryption interface provided by the KMS server, and performs whitebox decryption on the ciphertext whitebox encryption key through the KMS server to obtain a plaintext encryption key.
Unlike the encryption operation in the related art, the present application introduces a white-box encryption process, i.e., a key used for encryption is subjected to the white-box encryption process. In an illustrative example, as shown in fig. 8, a schematic diagram illustrating a comparison process between an encryption and decryption process and a white-box encryption and decryption process in the related art is shown. As shown in the encryption flow in fig. 8, in the related art, when performing an encryption operation, a plaintext cloud API key is encrypted according to a plaintext encryption key to obtain a ciphertext cloud API key; and white-box encryption processing is adopted, and because the white-box encryption key is a ciphertext, white-box decryption processing needs to be performed on the ciphertext white-box encryption key to obtain a plaintext encryption key, and then encryption processing is performed on the plaintext cloud API key according to the plaintext encryption key to obtain the ciphertext cloud API key. Correspondingly, as shown in the decryption flow in fig. 8, when performing decryption operation, in the related art, since the plaintext decryption key is configured in the service server, the ciphertext cloud API key is decrypted according to the plaintext decryption key to obtain a plaintext cloud API key; and adopting white-box decryption processing, because the white-box decryption key configured in the service server is a ciphertext, the white-box decryption key of the ciphertext needs to be subjected to white-box decryption processing to obtain a plaintext decryption key, and then the ciphertext cloud API key is subjected to decryption processing according to the plaintext decryption key to obtain the plaintext cloud API key.
In a possible implementation manner, in the process of encrypting the plaintext white-box, the KMS server first performs white-box decryption on the ciphertext white-box encryption key to obtain a plaintext white-box decryption key, so that a subsequent KMS server performs encryption on the plaintext cloud API key according to the plaintext white-box decryption key.
In an exemplary example, for example, the ciphertext white-box decryption key is "efaghijbklmcndop," and the ciphertext white-box decryption key is first subjected to white-box decryption processing to obtain a plaintext white-box decryption key "abcd," and the plaintext cloud API key is encrypted by using the "abcd.
In one possible embodiment, the KMS server is configured with a white-box encryption SDK for encrypting the plaintext cloud API key, so that when the KMS server encrypts the plaintext cloud API key, the KMS server calls the white-box encryption SDK to perform white-box decryption on the ciphertext white-box decryption key, thereby obtaining the plaintext encryption key.
In another possible implementation manner, in the process of creating the white-box encryption and decryption key by the KMS server, the plaintext encryption and decryption key may be generated first, and then the white-box encryption and decryption processing may be performed on the plaintext encryption and decryption key to obtain the ciphertext white-box encryption and decryption key.
And 505B, encrypting the plaintext cloud API key through the plaintext encryption key to obtain a ciphertext cloud API key.
In a possible implementation manner, after the KMS server performs white-box decryption processing on the ciphertext white-box decryption key to obtain a plaintext encryption key, the plaintext cloud API key is encrypted according to the plaintext encryption key and the encryption algorithm to obtain the ciphertext cloud API key, and since the encryption does not directly use the ciphertext white-box encryption key but uses the plaintext encryption key obtained after processing the ciphertext white-box decryption key, the protection effect on the encryption key can be achieved in the encryption process, and the security of the cloud API key is improved.
Optionally, the KMS server may also call the white box SDK, and encrypt the plaintext cloud API key according to the plaintext encryption key.
In the related art, since the CAM server allocates the plaintext cloud API keys to the target user account, the plaintext cloud API keys are fed back to the administrator in the cloud API key management interface corresponding to the CAM server, and in the embodiment of the present application, in order to avoid leakage of the plaintext cloud API keys due to the fact that the cloud API key management interface is visible to other users, the KMS server feeds back the generated ciphertext cloud API keys to the CAM server after completing the encryption operation on the plaintext cloud API keys, and the CAM server displays the ciphertext cloud API keys (i.e., the target ciphertext keys) in the cloud API key management interface.
In a possible implementation manner, when an administrator applies for a whitebox decryption key in a whitebox key management interface corresponding to the KMS server, and correspondingly, when the KMS server allocates a whitebox encryption/decryption key to a target user account, a ciphertext whitebox decryption key corresponding to the ciphertext whitebox encryption key is correspondingly generated, that is, in the whitebox key management interface, a download control of the ciphertext whitebox decryption key is provided, so that the administrator obtains the ciphertext whitebox decryption key.
In this embodiment, the cloud platform includes a CAM server and a KMS server, and the information interaction between the CAM server and the KMS server can be realized by authorizing the KMS server to encrypt the plaintext cloud API key: distributing a plaintext cloud API (application programming interface) key for a target user account by a CAM (computer aided manufacturing) server, encrypting the plaintext cloud API key by a KMS (KMS) server, feeding back the processed ciphertext cloud API key to the CAM server, and feeding back a target ciphertext key to an administrator by the CAM server, so that the aim of distributing the target ciphertext key for the target user account is fulfilled; in addition, when the plaintext cloud API key is encrypted through the ciphertext white-box encryption key, the ciphertext white-box encryption key is subjected to white-box decryption to obtain the plaintext encryption key, and then the plaintext cloud API key is subjected to encryption according to the plaintext encryption key, so that the visible white-box encryption key is not directly used in encryption operation, the confidentiality of the plaintext encryption key can be improved, the security of the encryption operation is improved, and the security of the cloud API key is further ensured.
In another possible application scenario, the KMS server is not required to be authorized by an administrator to perform encryption processing on the plaintext cloud API key, namely, the KMS server automatically encrypts the plaintext cloud API key generated by the CAM server, the administrator can also create the cloud API key in the cloud API key management interface corresponding to the CAM server, correspondingly, the CAM server distributes the plaintext cloud API key to the target user account, and feeds the plaintext cloud API key back to the cloud API key management interface, if the administrator needs to encrypt the plaintext cloud API key subsequently, the KMS provides the administrator with a white-box encryption processing function, the administrator can manually input the plaintext cloud API key into the white-box key management interface corresponding to the KMS, and triggering the white-box encryption control, and carrying out encryption processing on the received plaintext cloud API key by the KMS server to obtain a ciphertext cloud API key and feeding the ciphertext cloud API key back to the administrator.
Since the target ciphertext key and the ciphertext decryption key may be fed back to a corresponding interface or configured in a service server of a target user account, and there is a possibility of being acquired by other users, in order to further ensure the security of the cloud API key, a developer introduces ciphertext device information into the generated target ciphertext key, where the ciphertext device information is obtained by performing encryption processing on the device information and is used to perform device verification on an operating environment in which the ciphertext cloud API key is decrypted, so that when the device verification fails, it is indicated that the decryption operation may be performed in other unauthorized devices, and the decryption operation on the ciphertext cloud API key may be stopped, thereby reducing the risk of leakage of the cloud API key.
In an exemplary example, please refer to fig. 9, which shows a flowchart of a method for managing a cloud API key according to another exemplary embodiment of the present application, where the embodiment of the present application takes an example that the method is applied to the cloud platform shown in fig. 1 as an example, and the method includes the following steps.
And 903, encrypting the plaintext cloud API key through the ciphertext white-box encryption key to obtain the ciphertext cloud API key, wherein the ciphertext white-box encryption key is subjected to white-box encryption.
The embodiments of step 901 to step 903 may refer to the above embodiments, which are not described herein.
The service server is a device which is authorized by an administrator to access the cloud platform, or a device which is allowed by the administrator to configure a target ciphertext key and a ciphertext white box decryption key, or a server specified by a target user account, and the like.
In a possible implementation manner, an administrator manually inputs device information in a front-end interface (or a cloud API key management interface, or a white-box key management interface) corresponding to the cloud platform, so that the cloud platform performs encryption processing on the received device information, and is used for performing device verification on running devices performing decryption operation subsequently.
The device information corresponding to the service server refers to a unique identifier corresponding to the service server, for example, a service server ID, or a Media Access Control (MAC) address corresponding to the service server, and the like.
Optionally, the device information may be device information corresponding to one service server or device information corresponding to multiple service servers, and the number of the device information is not limited in this embodiment of the application.
And 905, encrypting the equipment information through the ciphertext white box encryption key to obtain ciphertext equipment information, wherein the ciphertext equipment information is used for carrying out equipment verification on the service server.
For the process of encrypting the device information, reference may be made to the process of encrypting the clear cloud API key in the foregoing embodiment, which is not described herein in this embodiment of the present application.
In a possible implementation manner, a KMS server in the cloud platform calls a white-box encryption SDK, and encrypts the device information according to a ciphertext white-box encryption key to obtain ciphertext device information.
In another possible implementation manner, the ciphertext white-box encryption key used for encrypting the device information may be the ciphertext white-box encryption key used for encrypting the plaintext cloud API key, or may be different ciphertext white-box encryption keys, which is not limited in this embodiment of the present application.
In a possible implementation manner, after the cloud platform encrypts the device information and the plaintext cloud API key respectively to obtain ciphertext device information and a ciphertext cloud API key, the ciphertext device information and the ciphertext cloud API key may be combined to obtain a target ciphertext key, and the target ciphertext key is fed back to the administrator.
In an exemplary example, please refer to fig. 10, which illustrates a schematic diagram of a process of determining a target ciphertext key according to an exemplary embodiment of the present application. The service server 1001 is configured with a device fingerprint information collection tool 1002, the device fingerprint information collection tool 1002 uploads the collected device information 1004 to the cloud platform, a KMS server in the cloud platform performs white-box encryption processing on the device information 1004 and the plaintext cloud API key 1003 to obtain ciphertext device information 1006 and a ciphertext cloud API key 1007, and determines the ciphertext device information 1006 and the ciphertext cloud API key 1007 as a target ciphertext key 1005.
In an illustrative example, the ciphertext device information and the ciphertext cloud API key may be obfuscated (not only by a simple combination operation) to determine as the target ciphertext key.
In a possible implementation manner, if the target ciphertext key includes the ciphertext device information and the ciphertext cloud API key, the target ciphertext key obtained by combining the ciphertext device information and the ciphertext cloud API key may be displayed in the cloud API key management interface correspondingly.
Optionally, for the ciphertext white-box decryption key, if the same group of white-box encryption and decryption keys are used when encrypting the device information and the plaintext cloud API key, the corresponding administrator only needs to download the corresponding ciphertext white-box decryption key in the white-box key management interface; if different groups of white-box encryption and decryption keys are adopted, the corresponding administrator needs to download the two ciphertext white-box decryption keys in the white-box key management interface, and correspondingly, the administrator needs to configure the target ciphertext key and the two ciphertext white-box decryption keys in the service server.
In the embodiment of the application, the administrator inputs the device information corresponding to the authorization service server in the front-end interface corresponding to the cloud platform, performs white-box encryption processing on the plaintext cloud API key, performs white-box encryption processing on the device information at the same time, obtains a target ciphertext key comprising ciphertext device information and the ciphertext cloud API key, and feeds back the target ciphertext key to the administrator, so that the administrator configures the target ciphertext key in the service server, preferentially performs decryption operation on the ciphertext device information when performing decryption operation on the target ciphertext key, obtains the device information, performs device verification on the device environment in which the decryption operation is performed through the device information, thereby ensuring that the decryption operation performed on the ciphertext cloud API key can be performed in the authorization service server, and further improving the security of the cloud API key.
In the embodiment of the present application, the encryption and decryption operations on the cloud API key are separately performed, that is, encryption processing is performed in the cloud platform, and decryption processing is performed in the service server, so that the service server can safely access the cloud platform. In the following embodiments, how the service server accesses the cloud platform is described in detail, that is, the decryption process of the target ciphertext key is described correspondingly.
Referring to fig. 11, a flowchart of an access method of a cloud platform according to an exemplary embodiment of the present application is shown, where the embodiment of the present application is described by taking an example that the method is applied to a service server shown in fig. 1, and the method includes the following steps.
The target ciphertext key and the ciphertext white box decryption key are provided by the cloud platform and are configured in the service server; for the obtaining manner of the target ciphertext key and the ciphertext white box decryption key, reference may be made to the foregoing embodiments, which are not described herein again.
The scenario that the cloud platform access requirement exists may be that the service server needs to go to the cloud platform to access the corresponding service resource when the application program has a service processing requirement, or when the service server needs to perform connection verification on the cloud API key when establishing connection with the cloud platform, the embodiment of the present application does not limit this.
In a possible implementation manner, an administrator may obtain a target ciphertext key and a ciphertext white-box decryption key from a cloud platform and issue the target ciphertext key and the ciphertext white-box decryption key to a developer of an application program, and the developer configures the target ciphertext key and the ciphertext white-box decryption key in a service server that needs to access the cloud platform.
In an exemplary example, as shown in fig. 12, a schematic diagram of a process of configuring a target ciphertext key and a ciphertext white-box decryption key is shown in an exemplary embodiment of the present application. An administrator (namely, an administrator corresponding to a target user account) performs white-box decryption processing in a control interface corresponding to a cloud platform through an authorized KMS server 1202, when the administrator applies for a cloud API key on the cloud platform, a CAM server 1201 distributes a plain text cloud API key to the administrator, the plain text cloud API key is sent to the KMS server 1202, after the KMS server 1202 performs white-box encryption processing, a ciphertext cloud API key is obtained and sent to the CAM server 1201, the CAM server 1201 feeds back the ciphertext cloud API key to the administrator, and finally the administrator distributes the obtained target ciphertext key (including the ciphertext cloud API key) and the ciphertext decryption key to development or operation and maintenance personnel of an application program, and the target ciphertext key and the ciphertext decryption key are configured in a service server.
In another possible implementation, when performing configuration operation, the target ciphertext key and the ciphertext white-box decryption key may be separately stored, for example, the target ciphertext key is stored in a business application, and the ciphertext white-box decryption key is stored in another storage location corresponding to the business application, so that other users cannot obtain the target ciphertext key and the ciphertext white-box decryption key at the same time, and security of the cloud API key may be improved.
And 1102, decrypting the ciphertext cloud API key in the target ciphertext key through the ciphertext white box decryption key to obtain the plaintext cloud API key.
Compared with the scheme in the related art, the plaintext cloud API key is directly configured in the service server, or the ciphertext cloud API key and the plaintext decryption key are configured in the service server.
In a possible implementation manner, when there is an access need, the service server may decrypt the ciphertext cloud API key in the target ciphertext key according to the obtained ciphertext white-box decryption key to obtain a plaintext cloud API key, so that a subsequent service server may access the cloud platform with the plaintext cloud API key.
The cloud API is equivalent to gateway equipment between the service server and the cloud platform and is used for carrying out identity verification when the service server is connected to the cloud platform.
In a possible implementation manner, after the service server decrypts the target ciphertext key to obtain the plaintext cloud API key, an access request is sent to the cloud API, where the access request carries the plaintext cloud API key, after the cloud API receives the access request, the plaintext cloud API key in the access request is checked, and if the check is passed, the connection between the service server and the cloud platform is established, so that the service server accesses the cloud platform.
The plaintext cloud API key may be carried by a Uniform Resource Locator (URL).
In this embodiment, in an access scenario of a cloud platform, a target ciphertext key (at least including a ciphertext cloud API key) and a ciphertext white box decryption key provided by the cloud platform are configured in a service server, and when the service server has a requirement for accessing the cloud platform, a plaintext cloud API key is obtained by obtaining the target ciphertext key and the ciphertext white box decryption key and decrypting a ciphertext cloud API key in the target ciphertext key according to the ciphertext white box decryption key, so that the service server accesses the cloud platform according to the cloud API key and calls the cloud API, and accordingly, the cloud platform performs identity verification on the access request according to the plaintext cloud API key. Because the target ciphertext key and the ciphertext white-box decryption key configured in the service server are ciphertexts, the cloud API key can be prevented from being decrypted when the ciphertext white-box decryption key and the ciphertext cloud API key are lost, plaintext cannot occur in the decryption process, the security of the decryption process can be ensured, and the security of the cloud API key is improved, so that other unauthorized devices are prevented from accessing the cloud platform, and the security of user resources stored in the cloud platform is further improved.
Correspondingly, when the target ciphertext key is decrypted according to the ciphertext white box decryption key, the white box decryption key needs to be decrypted firstly so as to obtain a plaintext decryption key, and the plaintext decryption key is used for realizing the decryption operation of the target ciphertext key.
In an illustrative example, based on FIG. 11, as shown in FIG. 13, step 1102 may include step 1102A and step 1102B.
And 1102A, performing white-box decryption operation on the ciphertext white-box decryption key to obtain a plaintext decryption key.
The plaintext decryption key and the plaintext encryption key in the above embodiment are a set of encryption and decryption keys.
In a possible implementation manner, when the service server performs a decryption operation on the target ciphertext key, the white-box decryption operation is performed on the ciphertext white-box decryption key first to obtain a plaintext decryption key, so that the target ciphertext key is decrypted by using the plaintext decryption key in the following step.
In an exemplary example, the ciphertext white-box decryption key may be "amnefyutkslhqp", and the resulting plaintext decryption key may be "efgh" after the white-box decryption process is performed on the ciphertext white-box decryption key.
And step 1102B, decrypting the ciphertext cloud API key through the plaintext decryption key to obtain the plaintext cloud API key.
In a possible implementation manner, after the service server obtains the plaintext white box decryption key, the ciphertext cloud API key is decrypted according to the plaintext white box decryption key and the decryption algorithm to obtain the plaintext cloud API key, which is used for identity verification when the cloud platform is subsequently accessed.
In this embodiment, when the service server decrypts the target ciphertext key according to the ciphertext white-box decryption key, the service server first performs white-box decryption on the ciphertext white-box decryption key to obtain a plaintext decryption key, and performs decryption operation on the ciphertext cloud API key by using the plaintext decryption key to obtain the plaintext cloud API key, thereby implementing a decryption process on the target ciphertext key.
In order to perform device verification on the operation environment for performing decryption operation on the ciphertext cloud API key, so that the decryption operation can be operated in the authorized device, and the security of the cloud API key is further ensured.
In an exemplary example, please refer to fig. 14, which shows a flowchart of an access method of a cloud platform according to another exemplary embodiment of the present application, and the embodiment of the present application takes application of the method to the service server shown in fig. 1 as an example to explain, and the method includes the following steps.
The implementation of step 1402 can refer to step 1101, and this embodiment is not described herein.
And 1402, decrypting the ciphertext equipment information in the target ciphertext key through the ciphertext white box decryption key to obtain the equipment information.
In order to enable the decryption operation on the ciphertext cloud API key to be operated in an authorization device (server), a target ciphertext key provided by the cloud platform comprises ciphertext device information and the ciphertext cloud API key, wherein the ciphertext device is used for performing device verification on the operation environment of the decryption operation, and the security of the cloud API key is further ensured.
In order to complete the device verification operation on the service server before decrypting the ciphertext cloud API key, it is first necessary to decrypt ciphertext device information in the target ciphertext key to obtain plaintext device information, so as to perform device verification according to the plaintext device information.
The process of performing decryption operation on the ciphertext device information may refer to the process of performing decryption operation on the ciphertext cloud API key in the foregoing, which is not described in detail herein.
In a possible implementation manner, white-box decryption processing is performed on the ciphertext decryption key to obtain a plaintext decryption key, and then decryption operation is performed on the ciphertext device information according to the plaintext decryption key and a decryption algorithm to obtain plaintext device information for subsequent device inspection.
And step 1403, performing equipment verification on the service server according to the equipment information.
For the way of performing the device verification, in one possible implementation, the following steps may be included.
Firstly, acquiring information of equipment to be verified of a service server.
In a possible implementation manner, when performing device verification on a service server, first, device information to be verified, such as a device ID or an MAC address of the current service server, corresponding to the current service server is obtained through a device information acquisition tool.
Optionally, preset device information may also be adopted and stored in the service server in advance.
And secondly, responding to the consistency of the equipment information to be verified and the equipment information, and determining that the service server passes the equipment verification.
In a possible implementation manner, if it is determined that the device information to be verified is consistent with the device information obtained by the decryption operation, it indicates that the decryption operation is run in an authorized (trusted) device, and the device verification is passed. And subsequent decryption operation of the cipher text cloud API key can be carried out.
In an illustrative example, please refer to fig. 15, which illustrates a schematic diagram of a process of a decryption operation shown in an illustrative embodiment of the present application. As shown in fig. 15, the target ciphertext key 1501 includes ciphertext device information 1502 and a ciphertext cloud API key 1503, before the ciphertext cloud API key 1503 is decrypted by the white-box decryption SDK1505, the ciphertext device information 1502 is decrypted to obtain device information, the device information to be verified 1506 corresponding to the service server is obtained, if the device information to be verified 1506 is consistent with the device information, the device verification is passed, the ciphertext cloud API key 1503 is decrypted, and a plaintext cloud API key 1507 is output.
And thirdly, in response to the inconsistency between the equipment information to be verified and the equipment information, determining that the service server does not pass the equipment verification.
In another possible implementation manner, if the acquired device information to be verified is inconsistent with the device information obtained by the decryption operation, it indicates that the decryption operation may be run in an unauthorized (untrusted) device, the current business service does not pass the device verification, and there is a risk in continuing the subsequent decryption operation of the ciphertext cloud API key.
In an exemplary example, as shown in fig. 15, if the device information to be verified 1506 is inconsistent with the device information, it indicates that the device verification fails, and if the current service server is an untrusted device, the decryption process on the ciphertext cloud API key is stopped, and the output verification fails.
In a possible implementation manner, if it is determined that the current service server passes the device verification, which indicates that the decryption operation is performed in the authorized (trusted) device, the decryption operation may be continuously performed on the ciphertext cloud API key, that is, the ciphertext cloud API key in the target ciphertext key is continuously decrypted by the ciphertext white-box decryption key, so as to obtain the plaintext cloud API key.
And step 1405, calling the cloud API to access the cloud platform according to the plaintext cloud API key, wherein the plaintext cloud API key is used for identity authority verification.
In this embodiment, ciphertext device information is added to the target ciphertext key, so that before decryption operation is performed on the ciphertext cloud API key, decryption operation is performed on the ciphertext device information first to obtain device information, the device information is used for performing device verification on a device environment in which the decryption operation is performed, and after the device verification is passed, decryption operation of the ciphertext cloud API key is continued, so that leakage of the cloud API key due to decryption operation performed by other users when the ciphertext cloud API key and the decryption key are acquired by other users is avoided, the security of the cloud API key is further improved, and the security of user resources of the cloud platform is ensured.
Since the white-box decryption process needs to execute a specific program, for example, the white-box decryption SDK, in a possible embodiment, the service server needs to be configured with the white-box decryption SDK in advance for executing the decryption operation on the target ciphertext key.
Referring to fig. 16, a flowchart of an access method of a cloud platform according to another exemplary embodiment of the present application is shown, where the embodiment of the present application is described by taking an example that the method is applied to the service server shown in fig. 1, and the method includes the following steps.
The implementation of step 1601 may refer to the above embodiments, which are not described herein.
The white box decryption SDK is obtained by downloading in a white box key management interface corresponding to the KMS server by an administrator and is manually configured in the service server, so that the service server can call the target ciphertext key when performing decryption operation on the target ciphertext key.
In one possible implementation, the administrator configures the white-box decryption SDK downloaded by the cloud platform in the service server so that the white-box decryption SDK can be run when performing the decryption operation.
It should be noted that step 1602 may be executed before step 1601, or executed simultaneously with step 1601, or executed after step 1601, which is not limited by the embodiment of the present application.
In a possible implementation manner, when the service server has a requirement for accessing the cloud platform or needs to acquire the plaintext cloud API key, the plaintext cloud API key is obtained by calling the white-box decryption SDK and decrypting the ciphertext cloud API key according to the ciphertext white-box decryption key.
Optionally, if the target ciphertext key includes the ciphertext device information and the ciphertext cloud API key, before performing a decryption operation on the ciphertext cloud API key, the white box decryption SDK needs to be run first, the ciphertext device information is decrypted according to the ciphertext white box decryption key to obtain the device information, after the device information passes verification, the white box decryption SDK continues to be run, and the ciphertext cloud API key is decrypted according to the white box decryption key to obtain the plaintext cloud API key.
And 1604, calling a cloud API to access the cloud platform according to the plaintext cloud API key, wherein the plaintext cloud API key is used for identity authority verification.
The implementation of step 1604 may refer to step 1103, and this embodiment is not described herein.
In this embodiment, the administrator downloads the white-box decryption SDK in the white-box key management interface corresponding to the KMS server, configures the white-box decryption SDK in the service server, and performs decryption operation on the target ciphertext key by running the white-box decryption SDK.
In the above embodiment, the white-box decryption process and the white-box decryption process are separated, the white-box encryption operation is provided for the cloud API key on the cloud level, the white-box decryption operation is provided by configuring the white-box decryption SDK in the service server, the cloud API key is protected in the encryption process and the decryption process, and compared with the encryption and decryption operation in the related art, the security of the cloud API key can be improved.
Referring to fig. 17, a flowchart illustrating a process of white-box encrypting a cloud API key according to an exemplary embodiment of the present application is shown, where the method includes the following steps.
At step 1701, a ciphertext white-box encryption key and a ciphertext white-box decryption key are created.
Step 1702, create a clear cloud API key.
Step 1703, obtain the device information of the service server.
Step 1704, encrypting the plaintext cloud API key and the device information respectively according to the ciphertext white box encryption key to obtain a ciphertext cloud API key and ciphertext device information, and determining the ciphertext cloud API key and the ciphertext device information as target ciphertext keys.
Step 1705, the target ciphertext key and the ciphertext white-box decryption key are configured in the service server.
The above embodiment shows a flowchart of a white-box encryption process, and in an exemplary example, as shown in fig. 18, it shows a flowchart of a white-box decryption process shown in an exemplary embodiment of the present application, and the method includes the following steps.
Step 1801, obtain target ciphertext key and ciphertext white-box decryption key.
And step 1802, decrypting the ciphertext device information in the target ciphertext key according to the ciphertext white box decryption key to obtain the device information.
Step 1803, obtaining information of the device to be verified corresponding to the current service server.
And 1804, if the equipment information to be verified is consistent with the equipment information, determining that the current service server passes equipment verification.
And 1805, decrypting the ciphertext cloud API key in the target ciphertext key according to the ciphertext white box decryption key to obtain a plaintext cloud API key.
Referring to fig. 19, a schematic diagram of a complete encryption and decryption process shown in an exemplary embodiment of the present application is shown.
In the embodiment of the application, an administrator (i.e., an administrator corresponding to a target user account) performs white-box decryption processing in a control interface corresponding to a cloud platform through an authorized KMS server 1902, and creates a white-box encryption and decryption key (ciphertext) in the KMS server 1902, when the administrator applies for a cloud API key on the cloud platform, a CAM server 1901 allocates a plain text cloud API key to the administrator, and sends the plain text cloud API key to the KMS server 1902, the KMS server 1902 calls a white-box encryption SDK1903, and after performing white-box encryption processing on the plain text cloud API key, a ciphertext cloud API key is obtained and sent to the CAM server 1901, and then the CAM server 1901 feeds back the ciphertext cloud API key to the administrator; distributing the obtained target ciphertext key (including a ciphertext cloud API key) and the ciphertext white-box decryption key to development or operation and maintenance personnel of the application program by an administrator, configuring the target ciphertext key in a service application 1904 by the developer, and configuring the ciphertext white-box decryption key in a service server 1905, wherein the service application runs in the service server 1905; when decryption operation is performed, the target ciphertext key and the ciphertext white-box decryption key are obtained by calling the white-box decryption SDK1906, and the target ciphertext key is decrypted according to the ciphertext white-box decryption key, so that a plaintext cloud API key is obtained.
Referring to fig. 20, a block diagram of a cloud API key management apparatus according to an exemplary embodiment of the present application is shown. The management device of the cloud API key can be implemented by software, hardware or a combination of the two to be all or part of the cloud platform. The management device of the cloud API key can comprise:
a receiving module 2001, configured to receive a cloud API key acquisition request sent by a target user account;
an allocating module 2002, configured to allocate a clear cloud API key to the target user account in response to the cloud API key acquisition request, where the clear cloud API key is a key used for performing identity authentication when a cloud API is called to access a cloud platform;
a first encryption processing module 2003, configured to perform encryption processing on the plaintext cloud API key through a ciphertext white-box encryption key to obtain a ciphertext cloud API key, where the ciphertext white-box encryption key is subjected to white-box encryption processing;
a feedback module 2004, configured to feed back a target ciphertext key and a ciphertext white-box decryption key to a target user account, where the target ciphertext key at least includes the ciphertext cloud API key, the target ciphertext key and the ciphertext white-box decryption key are configured to a service server corresponding to the target user account, the ciphertext white-box decryption key is used to decrypt the target ciphertext key to obtain the plaintext cloud API key, and the ciphertext white-box decryption key is subjected to white-box encryption processing.
In one possible implementation, the cloud platform includes a key management system KMS server and a cloud access management CAM server;
in one possible implementation, the allocating module 2002 includes:
the allocation unit is used for responding to the cloud API key acquisition request and allocating the plain cloud API key to the target user account through the CAM server;
the first encryption processing module comprises:
and the encryption processing unit is used for calling a white box encryption interface provided by the KMS through the CAM server to encrypt the plaintext cloud API key to obtain the ciphertext cloud API key.
In one possible implementation, the apparatus further includes:
a first obtaining module, configured to, in response to a white-box encryption authorization instruction of the target user account, obtain, by the CAM server, a white-box key resource of the target user account from the KMS server, where the white-box key resource includes at least one set of white-box encryption/decryption keys;
and the sending module is used for responding to a received enabling instruction of the target whitebox encryption and decryption key, sending a key identifier of the target whitebox encryption and decryption key to the KMS server through the CAM server, wherein the KMS server is used for determining the ciphertext whitebox encryption key used in encryption according to the key identifier.
In a possible implementation manner, the encryption processing unit is further configured to:
carrying out white-box decryption processing on the ciphertext white-box encryption key through the KMS to obtain a plaintext encryption key;
and encrypting the plaintext cloud API key through the plaintext encryption key to obtain the ciphertext cloud API key.
In one possible implementation, the apparatus further includes:
the second acquisition module is used for acquiring the equipment information of the service server;
the second encryption processing module is used for encrypting the equipment information through the ciphertext white-box encryption key to obtain ciphertext equipment information, and the ciphertext equipment information is used for carrying out equipment verification on the service server;
and the determining module is used for determining the ciphertext device information and the ciphertext cloud API key as the target ciphertext key.
In summary, in the embodiment of the application, in a management scenario of a cloud API key, after a cloud platform receives a cloud API key acquisition request of a target user account, first allocating a plaintext cloud API key to the target user account, and performing encryption processing on the plaintext cloud API key through a ciphertext white-box encryption key to obtain a ciphertext cloud API key, and then feeding back a target ciphertext key at least including the ciphertext cloud API key and a ciphertext white-box decryption key to an administrator, where since all the target ciphertext key and the ciphertext white-box decryption key are ciphertexts, compared with the related art in which a plaintext cloud API key is directly allocated to an administrator, the confidentiality of the cloud API key can be improved; moreover, when the cloud API key is encrypted, the ciphertext white-box encryption key is adopted, the ciphertext white-box encryption key is a ciphertext obtained after white-box encryption, the decryption key correspondingly fed back to an administrator is also a ciphertext white-box decryption key (namely, the ciphertext white-box decryption key is obtained after white-box encryption), the protection of the key used for encryption and decryption can be realized, the cloud API key is prevented from being decrypted after the decryption key is leaked, the safety of the cloud API key is improved, and the safety of user resources stored in the cloud platform is improved.
Referring to fig. 21, a block diagram of an access device of a cloud platform according to an exemplary embodiment of the present application is shown. The access device of the cloud platform can be implemented by software, hardware or a combination of the two to become all or part of the service server. The access device of the cloud platform may include:
a third obtaining module 2101, configured to obtain a target ciphertext key and a ciphertext white-box decryption key in response to a cloud platform access request, where the target ciphertext key and the ciphertext white-box decryption key are provided by a cloud platform and configured in a service server, the target ciphertext key is obtained by the cloud platform through encryption by using a ciphertext white-box encryption key, the target ciphertext key at least includes a ciphertext cloud API key, and the ciphertext white-box encryption key and the ciphertext white-box decryption key are subjected to white-box encryption processing;
the first decryption processing module 2102 is configured to decrypt the ciphertext cloud API key in the target ciphertext key through the ciphertext white-box decryption key to obtain a plaintext cloud API key;
an access module 2103, configured to call a cloud API to access the cloud platform according to the plaintext cloud API key, where the plaintext cloud API key is used to perform identity right verification.
In one possible implementation, the first decryption processing module 2102 includes:
the first decryption processing unit is used for carrying out white box decryption operation on the ciphertext white box decryption key to obtain a plaintext decryption key;
and the second decryption processing unit is used for decrypting the ciphertext cloud API key through the plaintext decryption key to obtain the plaintext cloud API key.
In a possible implementation manner, the target ciphertext key further includes ciphertext device information;
in one possible implementation, the apparatus further includes:
the second decryption processing module is used for decrypting the ciphertext equipment information in the target ciphertext key through the ciphertext white box decryption key to obtain equipment information;
the verification module is used for verifying the equipment of the service server according to the equipment information;
in one possible implementation, the first decryption processing module 2102 further includes:
and the third decryption processing unit is used for responding to the service server passing equipment verification and executing the step of decrypting the ciphertext cloud API key in the target ciphertext key through the ciphertext white box decryption key to obtain a plaintext cloud API key.
In a possible implementation manner, the verification module includes:
the acquisition unit is used for acquiring the information of the equipment to be verified of the service server;
a first determining unit, configured to determine that the service server passes device verification in response to that the device information to be verified is consistent with the device information;
and a second determining unit, configured to determine that the service server fails to pass the device verification in response to that the device information to be verified and the device information are inconsistent.
In one possible implementation, the apparatus further includes:
a configuration module to configure a white-box decryption SDK, the white-box decryption SDK provided by the cloud platform;
in one possible implementation manner, the first decryption processing module includes:
and the fourth decryption processing unit is used for calling the white-box decryption SDK and decrypting the ciphertext cloud API key according to the ciphertext white-box decryption key to obtain the plaintext cloud API key.
In summary, in the embodiment of the application, in an access scenario of a cloud platform, a target ciphertext key (at least including a ciphertext cloud API key) and a ciphertext white box decryption key provided by the cloud platform are configured in a service server, and when the service server has a requirement for accessing the cloud platform, a plaintext cloud API key is obtained by obtaining the target ciphertext key and the ciphertext white box decryption key and decrypting a ciphertext cloud API key in the target ciphertext key according to the ciphertext white box decryption key, so that the service server accesses the cloud platform according to the cloud API key and calls the cloud API, and accordingly, the cloud platform performs identity verification on the access request according to the plaintext cloud API key. Because the target ciphertext key and the ciphertext white-box decryption key configured in the service server are ciphertexts, the cloud API key can be prevented from being decrypted when the ciphertext white-box decryption key and the ciphertext cloud API key are lost, plaintext cannot occur in the decryption process, the security of the decryption process can be ensured, and the security of the cloud API key is improved, so that other unauthorized devices are prevented from accessing the cloud platform, and the security of user resources stored in the cloud platform is further improved.
Referring to fig. 22, a block diagram of a server according to an exemplary embodiment of the present application is shown. The server may be configured to implement the management method of the cloud API key provided in the foregoing embodiment, or the server may also be configured to implement the access method of the cloud platform provided in the foregoing embodiment. Specifically, the method comprises the following steps:
the server 2200 includes a Central Processing Unit (CPU) 2201, a system Memory 2204 including a Random Access Memory (RAM) 2202 and a Read-Only Memory (ROM) 2203, and a system bus 2205 connecting the system Memory 2204 and the CPU 2201. The server 2200 also includes a basic Input/Output system (I/O system) 2206, which facilitates transfer of information between devices within the server, and a mass storage device 2207 for storing an operating system 2213, application programs 2214, and other program modules 2215.
The basic input/output system 2206 includes a display 2208 for displaying information and an input device 2209, such as a mouse, keyboard, etc., for a user to input information. Wherein the display 2208 and the input device 2209 are connected to the central processing unit 2201 through an input output controller 2210 connected to a system bus 2205. The basic input/output system 2206 may also include an input/output controller 2210 for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, input-output controller 2210 also provides output to a display screen, a printer, or other type of output device.
The mass storage device 2207 is connected to the central processing unit 2201 through a mass storage controller (not shown) connected to the system bus 2205. The mass storage device 2207 and its associated computer-readable storage media provide non-volatile storage for the server 2200. That is, the mass storage device 2207 may include a computer-readable storage medium (not shown) such as a hard disk or Compact Disc-Only Memory (CD-ROM) drive.
Without loss of generality, the computer-readable storage media may include computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable storage instructions, data structures, program modules or other data. Computer storage media includes RAM, ROM, Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), flash Memory or other solid state Memory technology, CD-ROM, Digital Versatile Disks (DVD), or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will appreciate that the computer storage media is not limited to the foregoing. The system memory 2204 and mass storage device 2207 described above may be collectively referred to as memory.
The memory stores one or more programs configured to be executed by the one or more central processing units 2201, the one or more programs containing instructions for implementing the method embodiments described above, and the central processing unit 2201 executes the one or more programs to implement the methods provided by the various method embodiments described above.
The server 2200 may also operate as a remote server connected to a network via a network, such as the internet, according to various embodiments of the present application. That is, the server 2200 may be connected to the network 2212 through a network interface unit 2211 connected to the system bus 2205, or may be connected to other types of networks or remote server systems (not shown) using the network interface unit 2211.
The memory further includes one or more programs, the one or more programs are stored in the memory, and the one or more programs include instructions for performing the steps performed by the cloud platform or the service server in the method provided by the embodiment of the present application.
In an exemplary embodiment, there is also provided a non-transitory computer-readable storage medium having stored therein a computer program which, when executed by a processor, implements the above cloud API key management method or implements the above cloud platform access method.
In an exemplary embodiment, a computer program product for implementing the above cloud API key management method or the above cloud platform access method when executed by a processor is also provided.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.
Claims (14)
1. A management method for a cloud Application Programming Interface (API) key is characterized by comprising the following steps:
receiving a cloud API key acquisition request sent by a target user account;
responding to the cloud API key acquisition request, distributing a plain cloud API key for the target user account, wherein the plain cloud API key is a key used for identity authority verification when a cloud API is called to access a cloud platform;
encrypting the plaintext cloud API key through a ciphertext white-box encryption key to obtain a ciphertext cloud API key, wherein the ciphertext white-box encryption key is subjected to white-box encryption;
feeding back a target ciphertext key and a ciphertext white-box decryption key to the target user account, wherein the target ciphertext key at least comprises the ciphertext cloud API key, the target ciphertext key and the ciphertext white-box decryption key are configured to a service server corresponding to the target user account, the ciphertext white-box decryption key is used for decrypting the target ciphertext key to obtain the plaintext cloud API key, and the ciphertext white-box decryption key is subjected to white-box encryption processing.
2. The method according to claim 1, characterized in that the cloud platform comprises a Key Management System (KMS) server and a Cloud Access Management (CAM) server;
the allocating a plaintext cloud API key to the target user account in response to the cloud API key acquisition request comprises:
responding to the cloud API key acquisition request, and distributing the plain cloud API key to the target user account through the CAM server;
the encrypting the plaintext cloud API key through the ciphertext white-box encryption key to obtain the ciphertext cloud API key comprises:
and calling a white-box encryption interface provided by the KMS through the CAM server, and encrypting the plaintext cloud API key to obtain the ciphertext cloud API key.
3. The method according to claim 2, wherein before the cryptographic processing of the plaintext cloud API key by the ciphertext white-box encryption key to obtain the ciphertext cloud API key, the method further comprises:
responding to a white-box encryption authorization instruction of the target user account, and acquiring white-box key resources of the target user account from the KMS through the CAM server, wherein the white-box key resources comprise at least one group of white-box encryption and decryption keys;
in response to receiving an enabling instruction of a target white box encryption and decryption key, sending a key identifier of the target white box encryption and decryption key to the KMS through the CAM server, wherein the KMS is used for determining the ciphertext white box encryption key used in encryption according to the key identifier.
4. The method of claim 2, wherein the encrypting the plaintext cloud API key to obtain the ciphertext cloud API key comprises:
carrying out white-box decryption processing on the ciphertext white-box encryption key through the KMS to obtain a plaintext encryption key;
and encrypting the plaintext cloud API key through the plaintext encryption key to obtain the ciphertext cloud API key.
5. The method according to any one of claims 1 to 4, wherein after the allocating a plaintext cloud API key to the target user account in response to the cloud API key acquisition request, the method further comprises:
acquiring equipment information of the service server;
encrypting the equipment information through the ciphertext white box encryption key to obtain ciphertext equipment information, wherein the ciphertext equipment information is used for carrying out equipment verification on the service server;
and determining the ciphertext device information and the ciphertext cloud API key as the target ciphertext key.
6. An access method for a cloud platform, the method comprising:
responding to a cloud platform access request, acquiring a target ciphertext key and a ciphertext white box decryption key, wherein the target ciphertext key and the ciphertext white box decryption key are provided by a cloud platform and configured in a service server, the target ciphertext key is obtained by encrypting the cloud platform by using a ciphertext white box encryption key, the target ciphertext key at least comprises a ciphertext cloud API key, and the ciphertext white box encryption key and the ciphertext white box decryption key are subjected to white box encryption processing;
decrypting the ciphertext cloud API key in the target ciphertext key through the ciphertext white box decryption key to obtain a plaintext cloud API key;
and calling a cloud API to access the cloud platform according to the plaintext cloud API key, wherein the plaintext cloud API key is used for identity authority verification.
7. The method of claim 6, wherein the decrypting the ciphertext cloud API key of the target ciphertext key with the ciphertext white-box decryption key to obtain a plaintext cloud API key comprises:
carrying out white-box decryption operation on the ciphertext white-box decryption key to obtain a plaintext decryption key;
and decrypting the ciphertext cloud API key through the plaintext decryption key to obtain the plaintext cloud API key.
8. The method according to claim 6 or 7, wherein the target ciphertext key further comprises ciphertext device information;
before the ciphertext cloud API key in the target ciphertext key is decrypted by the ciphertext white-box decryption key to obtain the plaintext cloud API key, the method further includes:
decrypting the ciphertext equipment information in the target ciphertext key through the ciphertext white box decryption key to obtain equipment information;
performing equipment verification on the service server according to the equipment information;
the decrypting the ciphertext cloud API key in the target ciphertext key by the ciphertext white-box decryption key to obtain a plaintext cloud API key, including:
and in response to the service server passing equipment verification, executing the step of decrypting the ciphertext cloud API key in the target ciphertext key by the ciphertext white box decryption key to obtain a plaintext cloud API key.
9. The method of claim 8, wherein the performing the device check on the service server according to the device information comprises:
acquiring information of equipment to be verified of the service server;
responding to the consistency of the equipment information to be verified and the equipment information, and determining that the service server passes equipment verification;
and determining that the service server does not pass the equipment verification in response to the inconsistency between the equipment information to be verified and the equipment information.
10. The method according to claim 6 or 7, wherein before decrypting the ciphertext cloud API key in the target ciphertext key by the ciphertext white-box decryption key to obtain a plaintext cloud API key, the method further comprises:
configuring a white-box decryption Software Development Kit (SDK), the SDK being provided by the cloud platform;
the decrypting the ciphertext cloud API key in the target ciphertext key by the ciphertext white-box decryption key to obtain a plaintext cloud API key, including:
and calling the white box decryption SDK, and decrypting the ciphertext cloud API key according to the ciphertext white box decryption key to obtain the plaintext cloud API key.
11. An apparatus for managing cloud API keys, the apparatus comprising:
the receiving module is used for receiving a cloud API key obtaining request sent by a target user account;
the allocation module is used for responding to the cloud API key acquisition request and allocating a plain cloud API key to the target user account, wherein the plain cloud API key is a key used for identity authority verification when a cloud API is called to access a cloud platform;
the first encryption processing module is used for encrypting the plaintext cloud API key through a ciphertext white-box encryption key to obtain a ciphertext cloud API key, and the ciphertext white-box encryption key is subjected to white-box encryption processing;
a feedback module, configured to feed back a target ciphertext key and a ciphertext white-box decryption key to the target user account, where the target ciphertext key at least includes the ciphertext cloud API key, the target ciphertext key and the ciphertext white-box decryption key are configured to a service server corresponding to the target user account, the ciphertext white-box decryption key is used to decrypt the target ciphertext key to obtain the plaintext cloud API key, and the ciphertext white-box decryption key is subjected to white-box encryption processing.
12. An access apparatus of a cloud platform, the apparatus comprising:
a third obtaining module, configured to obtain a target ciphertext key and a ciphertext white-box decryption key in response to a cloud platform access request, where the target ciphertext key and the ciphertext white-box decryption key are provided by a cloud platform and configured in a service server, the target ciphertext key is obtained by encrypting, by the cloud platform, a ciphertext white-box encryption key, the target ciphertext key at least includes a ciphertext cloud API key, and the ciphertext white-box encryption key and the ciphertext white-box decryption key are subjected to white-box encryption processing;
the first decryption processing module is used for decrypting the ciphertext cloud API key in the target ciphertext key through the ciphertext white box decryption key to obtain a plaintext cloud API key;
and the access module is used for calling cloud API to access the cloud platform according to the plaintext cloud API key, and the plaintext cloud API key is used for identity authority verification.
13. A server, comprising a processor and a memory, wherein the memory stores at least one instruction, at least one program, a set of codes, or a set of instructions, and the at least one instruction, the at least one program, the set of codes, or the set of instructions is loaded and executed by the processor to implement the method for managing cloud API keys according to any one of claims 1 to 5, or to implement the method for accessing a cloud platform according to any one of claims 6 to 10.
14. A computer-readable storage medium, wherein at least one instruction, at least one program, a set of codes, or a set of instructions is stored in the storage medium, and the at least one instruction, the at least one program, the set of codes, or the set of instructions is loaded and executed by the processor to implement the method for managing cloud API keys according to any one of claims 1 to 5, or to implement the method for accessing a cloud platform according to any one of claims 6 to 10.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010576953.8A CN111538977B (en) | 2020-06-23 | 2020-06-23 | Cloud API key management method, cloud platform access method, cloud API key management device, cloud platform access device and server |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010576953.8A CN111538977B (en) | 2020-06-23 | 2020-06-23 | Cloud API key management method, cloud platform access method, cloud API key management device, cloud platform access device and server |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111538977A true CN111538977A (en) | 2020-08-14 |
| CN111538977B CN111538977B (en) | 2020-10-23 |
Family
ID=71976374
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010576953.8A Active CN111538977B (en) | 2020-06-23 | 2020-06-23 | Cloud API key management method, cloud platform access method, cloud API key management device, cloud platform access device and server |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111538977B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111988330A (en) * | 2020-08-28 | 2020-11-24 | 苏州中科安源信息技术有限公司 | Information security protection system and method based on white-box encryption in distributed system |
| CN114124364A (en) * | 2020-08-27 | 2022-03-01 | 国民技术股份有限公司 | Key security processing method, device, equipment and computer readable storage medium |
| CN114679287A (en) * | 2020-12-24 | 2022-06-28 | 美的集团股份有限公司 | Data processing method, system, electronic device and storage medium |
| CN117195276A (en) * | 2023-11-08 | 2023-12-08 | 荣耀终端有限公司 | Data protection method and electronic equipment |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20230153426A1 (en) * | 2021-11-17 | 2023-05-18 | Dell Products, L.P. | Hardware-based protection of application programming interface (api) keys |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104935568A (en) * | 2015-04-20 | 2015-09-23 | 成都康赛信息技术有限公司 | Interface authentication signature method facing cloud platform |
| CN107919958A (en) * | 2016-10-11 | 2018-04-17 | 阿里巴巴集团控股有限公司 | A kind of processing method of data encryption, device and equipment |
| CN108964922A (en) * | 2018-06-19 | 2018-12-07 | 深圳市文鼎创数据科技有限公司 | mobile terminal token activation method, terminal device and server |
| CN110309645A (en) * | 2019-04-16 | 2019-10-08 | 网宿科技股份有限公司 | A kind of couple of API carries out the method, apparatus and system of security protection |
| CN111262889A (en) * | 2020-05-06 | 2020-06-09 | 腾讯科技(深圳)有限公司 | Authority authentication method, device, equipment and medium for cloud service |
| CN111327616A (en) * | 2020-02-25 | 2020-06-23 | 上海东普信息科技有限公司 | Key management method, device, equipment and computer readable storage medium |
-
2020
- 2020-06-23 CN CN202010576953.8A patent/CN111538977B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104935568A (en) * | 2015-04-20 | 2015-09-23 | 成都康赛信息技术有限公司 | Interface authentication signature method facing cloud platform |
| CN107919958A (en) * | 2016-10-11 | 2018-04-17 | 阿里巴巴集团控股有限公司 | A kind of processing method of data encryption, device and equipment |
| CN108964922A (en) * | 2018-06-19 | 2018-12-07 | 深圳市文鼎创数据科技有限公司 | mobile terminal token activation method, terminal device and server |
| CN110309645A (en) * | 2019-04-16 | 2019-10-08 | 网宿科技股份有限公司 | A kind of couple of API carries out the method, apparatus and system of security protection |
| CN111327616A (en) * | 2020-02-25 | 2020-06-23 | 上海东普信息科技有限公司 | Key management method, device, equipment and computer readable storage medium |
| CN111262889A (en) * | 2020-05-06 | 2020-06-09 | 腾讯科技(深圳)有限公司 | Authority authentication method, device, equipment and medium for cloud service |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114124364A (en) * | 2020-08-27 | 2022-03-01 | 国民技术股份有限公司 | Key security processing method, device, equipment and computer readable storage medium |
| CN111988330A (en) * | 2020-08-28 | 2020-11-24 | 苏州中科安源信息技术有限公司 | Information security protection system and method based on white-box encryption in distributed system |
| CN111988330B (en) * | 2020-08-28 | 2023-05-26 | 苏州中科安源信息技术有限公司 | Information security protection system and method based on white-box encryption in distributed system |
| CN114679287A (en) * | 2020-12-24 | 2022-06-28 | 美的集团股份有限公司 | Data processing method, system, electronic device and storage medium |
| CN117195276A (en) * | 2023-11-08 | 2023-12-08 | 荣耀终端有限公司 | Data protection method and electronic equipment |
| CN117195276B (en) * | 2023-11-08 | 2024-04-16 | 荣耀终端有限公司 | Data protection method and electronic equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111538977B (en) | 2020-10-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11604901B2 (en) | Systems and methods for using extended hardware security modules | |
| CN111538977B (en) | Cloud API key management method, cloud platform access method, cloud API key management device, cloud platform access device and server | |
| CN110855671B (en) | Trusted computing method and system | |
| US11895096B2 (en) | Systems and methods for transparent SaaS data encryption and tokenization | |
| US9867051B2 (en) | System and method of verifying integrity of software | |
| CN111737366B (en) | Private data processing method, device, equipment and storage medium of block chain | |
| US10284374B2 (en) | Code signing system with machine to machine interaction | |
| CN111708991A (en) | Service authorization method, service authorization device, computer equipment and storage medium | |
| US11831753B2 (en) | Secure distributed key management system | |
| US8953805B2 (en) | Authentication information generating system, authentication information generating method, client apparatus, and authentication information generating program for implementing the method | |
| EP3555786B1 (en) | Secure provisioning of unique time-limited certificates to virtual application instances in dynamic and elastic systems | |
| US8848922B1 (en) | Distributed encryption key management | |
| KR101648364B1 (en) | Method for improving encryption/decryption speed by complexly applying for symmetric key encryption and asymmetric key double encryption | |
| US10298388B2 (en) | Workload encryption key | |
| US9864853B2 (en) | Enhanced security mechanism for authentication of users of a system | |
| US9910997B1 (en) | Secure credential storage | |
| CN117240625B (en) | Tamper-resistant data processing method and device and electronic equipment | |
| Junghanns et al. | Engineering of secure multi-cloud storage | |
| US10749689B1 (en) | Language-agnostic secure application development | |
| CN113886793A (en) | Device login method, device, electronic device, system and storage medium | |
| US10644890B1 (en) | Language-agnostic secure application deployment | |
| CN111316271A (en) | Virtual machine-computer implemented security method and system | |
| CN117313144A (en) | Sensitive data management method and device, storage medium and electronic equipment | |
| CN116488903A (en) | Key management method, device, computer equipment and storage medium | |
| CN117121435A (en) | Connection elastic multi-factor authentication |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| REG | Reference to a national code |
Ref country code: HK Ref legal event code: DE Ref document number: 40028338 Country of ref document: HK |