CN111565107A - Key processing method and device based on cloud service platform and computer equipment - Google Patents

Info

Publication number: CN111565107A
Authority: CN (China)
Prior art keywords: key, data, private key, public key, hardware encryption
Legal status: Granted (the status is Google's assumption, not a legal conclusion)
Application number: CN202010671789.9A
Other languages: Chinese (zh)
Other versions: CN111565107B (en)
Inventors: 黄晓辉, 董志强, 李滨, 姬生利
Current assignee: Tencent Technology Shenzhen Co Ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Original assignee: Tencent Technology Shenzhen Co Ltd
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN202010671789.9A; publication of CN111565107A; application granted; publication of CN111565107B; legal status active; anticipated expiration

Classifications (CPC)

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to a key processing method and apparatus based on a cloud service platform, and to a computer device. The method comprises the following steps: receiving a key generation request initiated by a user side; acquiring the key algorithm type specified by the key generation request; accessing a hardware encryption machine according to the key algorithm type, so that the hardware encryption machine generates a paired public key and private key using the key algorithm corresponding to that type; receiving the public key and the private key fed back by the hardware encryption machine; and storing the private key in a storage location designated by the cloud service platform while issuing the public key to the user side. By adopting the method, the security of the private key can be effectively improved.

Description

Key processing method and device based on cloud service platform and computer equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for processing a key based on a cloud service platform, a computer device, and a storage medium.
Background
With the rapid development and wide application of computer technology, data to be transmitted can be encrypted with a key in order to improve the security of data transmission and avoid leakage of the data content. Conventionally, data is encrypted by an asymmetric encryption method involving a public key and a private key, where the private key is used to decrypt data that was encrypted with the public key. The security of the private key is therefore particularly important.
Conventionally, the paired public key and private key are generated by the user, and the private key is stored by the user. The private key is thus exposed to a considerable risk of leakage and of loss, which reduces its security.
Disclosure of Invention
In view of the foregoing, it is necessary to provide a key processing method, an apparatus, a computer device, and a storage medium based on a cloud service platform, which can improve security of a private key.
A key processing method based on a cloud service platform comprises the following steps:
receiving a key generation request initiated by a user side;
acquiring a key algorithm type specified by the key generation request;
accessing a hardware encryption machine according to the key algorithm type, so that the hardware encryption machine adopts a key algorithm corresponding to the key algorithm type to generate a paired public key and private key;
receiving the public key and the private key fed back by the hardware encryption machine;
and storing the private key in a storage position appointed by a cloud service platform, and issuing the public key to the user side.
A key processing apparatus based on a cloud service platform, the apparatus comprising:
a request receiving module, configured to receive a key generation request initiated by a user side and to acquire the key algorithm type specified by the key generation request;
a key generation module, configured to access the hardware encryption machine according to the key algorithm type, so that the hardware encryption machine generates a paired public key and private key using the key algorithm corresponding to that type;
a key processing module, configured to receive the public key and the private key fed back by the hardware encryption machine, store the private key in a storage location designated by the cloud service platform, and issue the public key to the user side.
A computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
receiving a key generation request initiated by a user side;
acquiring a key algorithm type specified by the key generation request;
accessing a hardware encryption machine according to the key algorithm type, so that the hardware encryption machine adopts a key algorithm corresponding to the key algorithm type to generate a paired public key and private key;
receiving the public key and the private key fed back by the hardware encryption machine;
and storing the private key in a storage position appointed by a cloud service platform, and issuing the public key to the user side.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
receiving a key generation request initiated by a user side;
acquiring a key algorithm type specified by the key generation request;
accessing a hardware encryption machine according to the key algorithm type, so that the hardware encryption machine adopts a key algorithm corresponding to the key algorithm type to generate a paired public key and private key;
receiving the public key and the private key fed back by the hardware encryption machine;
and storing the private key in a storage position appointed by a cloud service platform, and issuing the public key to the user side.
According to the key processing method and apparatus based on the cloud service platform, the computer device and the storage medium, the key generation request sent by the user side is received, and the hardware encryption machine is accessed according to the key algorithm type specified by that request, so that the hardware encryption machine generates the paired public key and private key using the corresponding key algorithm; the user side therefore does not need to generate the public key and the private key itself. The public key and the private key fed back by the hardware encryption machine are received, the private key is stored in a storage location designated by the cloud service platform, and only the public key is issued to the user side. Because the user side never receives or stores the private key, the risk of the user side losing or leaking the private key is avoided, and the security of the private key is effectively improved.
A data decryption method based on a cloud service platform, the method comprising:
receiving a data ciphertext, wherein the data ciphertext is generated by encrypting a data plaintext by using a public key;
determining a private key which is stored by the cloud service platform and is matched with the public key and a decryption algorithm type corresponding to the private key based on the data ciphertext;
accessing a hardware encryption machine according to the data cipher text, the decryption algorithm type and the private key, so that the hardware encryption machine decrypts the data cipher text by adopting a decryption algorithm corresponding to the decryption algorithm type based on the private key to obtain a data plaintext;
and receiving the data plaintext fed back by the hardware encryption machine.
In one embodiment, determining, based on the data ciphertext, the private key paired with the public key and stored by the cloud service platform, together with the decryption algorithm type corresponding to that private key, includes: determining a key identifier corresponding to the public key based on the data ciphertext; and, using the key identifier as an index, searching the storage location designated by the cloud service platform for the private key paired with the public key and the decryption algorithm type corresponding to that private key.
In one embodiment, the method further comprises: when no private key paired with the public key is found in the storage location designated by the cloud service platform, generating a decryption failure prompt.
In one embodiment, the public key and the private key are each stored in encrypted form, and the method further comprises: determining a target root key label corresponding to the public key based on the data ciphertext. Accessing the hardware encryption machine according to the data ciphertext, the decryption algorithm type and the private key then includes: accessing the hardware encryption machine according to the data ciphertext, the target root key label, the decryption algorithm type and the encrypted private key, so that the hardware encryption machine first decrypts the private key with the root key corresponding to the target root key label to obtain the private key plaintext, and then decrypts the data ciphertext with the decryption algorithm corresponding to the decryption algorithm type, based on the private key plaintext, to obtain the data plaintext.
A data decryption apparatus based on a cloud service platform, the apparatus comprising:
the data receiving module is used for receiving a data ciphertext, and the data ciphertext is generated by encrypting a data plaintext by adopting a public key;
the private key obtaining module is used for determining a private key which is stored by a cloud service platform and is matched with the public key and a decryption algorithm type corresponding to the private key based on the data ciphertext;
the data decryption module is used for accessing a hardware encryption machine according to the data ciphertext, the decryption algorithm type and the private key, so that the hardware encryption machine decrypts the data ciphertext by adopting a decryption algorithm corresponding to the decryption algorithm type based on the private key to obtain a data plaintext; and receiving the data plaintext fed back by the hardware encryption machine.
In one embodiment, the private key obtaining module is further configured to determine, based on the data ciphertext, a key identifier corresponding to the public key, and, using the key identifier as an index, to search the storage location designated by the cloud service platform for the private key paired with the public key and the decryption algorithm type corresponding to that private key.
In one embodiment, the public key and the private key are each stored in encrypted form, and the data decryption module is further configured to determine a target root key label corresponding to the public key based on the data ciphertext, and to access the hardware encryption machine according to the data ciphertext, the target root key label, the decryption algorithm type and the encrypted private key, so that the hardware encryption machine first decrypts the private key with the root key corresponding to the target root key label to obtain the private key plaintext, and then decrypts the data ciphertext with the decryption algorithm corresponding to the decryption algorithm type, based on the private key plaintext, to obtain the data plaintext.
A computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
receiving a data ciphertext, wherein the data ciphertext is generated by encrypting a data plaintext by using a public key;
determining a private key which is stored by the cloud service platform and is matched with the public key and a decryption algorithm type corresponding to the private key based on the data ciphertext;
accessing a hardware encryption machine according to the data cipher text, the decryption algorithm type and the private key, so that the hardware encryption machine decrypts the data cipher text by adopting a decryption algorithm corresponding to the decryption algorithm type based on the private key to obtain a data plaintext;
and receiving the data plaintext fed back by the hardware encryption machine.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
receiving a data ciphertext, wherein the data ciphertext is generated by encrypting a data plaintext by using a public key;
determining a private key which is stored by the cloud service platform and is matched with the public key and a decryption algorithm type corresponding to the private key based on the data ciphertext;
accessing a hardware encryption machine according to the data cipher text, the decryption algorithm type and the private key, so that the hardware encryption machine decrypts the data cipher text by adopting a decryption algorithm corresponding to the decryption algorithm type based on the private key to obtain a data plaintext;
and receiving the data plaintext fed back by the hardware encryption machine.
According to the data decryption method and apparatus based on the cloud service platform, the computer device and the storage medium, the data ciphertext generated by encrypting the data plaintext with the public key is received, and the private key paired with the public key and stored by the cloud service platform, together with the decryption algorithm type corresponding to that private key, is determined based on the data ciphertext; the cloud service platform can thus store the private key itself. The cloud service platform accesses the hardware encryption machine according to the data ciphertext, the decryption algorithm type and the private key, so that the hardware encryption machine decrypts the data ciphertext based on the private key using the decryption algorithm corresponding to that type, and the cloud service platform receives the data plaintext fed back by the hardware encryption machine. Since the private key paired with the public key is stored by the cloud service platform and the data ciphertext is decrypted by the cloud service platform together with the hardware encryption machine, the user side does not need to store or use the private key, the risk of private key leakage and loss is reduced, and the security of the private key is effectively improved. The security of data plaintext encrypted with the public key paired with that private key is improved as well.
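The two flows summarised above, the key generation flow (request, key algorithm type, hardware encryption machine, private key kept at the platform, public key issued) and the data decryption flow (key identifier as the index into the store, root key label, decryption algorithm type, decryption failure prompt), as an added Go model that is not code from the patent or from Tencent. It assumes an in-process stand-in for the hardware encryption machine, RSA-2048 as the only modelled key algorithm type, RSA-OAEP-SHA256 as the decryption algorithm type, AES-256-GCM wrapping of the private key under a labelled root key, and a key identifier derived from the public key; all of these are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// keyRecord is the per-key store entry: private key wrapped under a labelled root key.
type keyRecord struct {
	wrappedPriv             []byte
	rootKeyLabel, algorithm string
}
// HSM stands in for the hardware encryption machine; the root key never leaves it.
type HSM struct {
	rootLabel string
	root      cipher.AEAD
}

func NewHSM(rootLabel string) *HSM {
	rk := make([]byte, 32) // AES-256 root key, generated inside the HSM
	if _, err := rand.Read(rk); err != nil {
		panic(err) // no entropy: the HSM cannot operate at all
	}
	block, _ := aes.NewCipher(rk) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	return &HSM{rootLabel: rootLabel, root: aead}
}

// GenerateKeyPair is the HSM side of step 206: the public key plus the wrapped private key.
func (h *HSM) GenerateKeyPair(algType string) (*rsa.PublicKey, []byte, error) {
	if algType != "RSA" { // only RSA is modelled; SM2 or ElGamal would be further cases
		return nil, nil, fmt.Errorf("hsm: unsupported key algorithm type %q", algType)
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, h.root.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// Label bound as associated data: a wrapped key cannot be presented under another root key.
	wrapped := h.root.Seal(nonce, nonce, x509.MarshalPKCS1PrivateKey(priv), []byte(h.rootLabel))
	return &priv.PublicKey, wrapped, nil // the plaintext private key is dropped here
}

// Decrypt unwraps the private key inside the HSM and decrypts the data ciphertext.
func (h *HSM) Decrypt(rec keyRecord, ciphertext []byte) ([]byte, error) {
	if rec.rootKeyLabel != h.rootLabel || rec.algorithm != "RSA-OAEP-SHA256" {
		return nil, fmt.Errorf("hsm: unknown root key label %q or algorithm %q", rec.rootKeyLabel, rec.algorithm)
	}
	ns := h.root.NonceSize()
	privDER, err := h.root.Open(nil, rec.wrappedPriv[:ns], rec.wrappedPriv[ns:], []byte(rec.rootKeyLabel))
	if err != nil {
		return nil, fmt.Errorf("hsm: private key unwrap failed: %w", err)
	}
	priv, err := x509.ParsePKCS1PrivateKey(privDER) // private key plaintext exists only here
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// ErrDecryptionFailed is the decryption failure prompt for an unknown key identifier.
var ErrDecryptionFailed = fmt.Errorf("decryption failed: no private key matches the public key")
// CloudPlatform keeps wrapped private keys indexed by key identifier; it issues public keys only.
type CloudPlatform struct {
	hsm   *HSM
	store map[string]keyRecord
}

// HandleKeyGeneration covers steps 202-206 plus storage; the user side never sees the private key.
func (c *CloudPlatform) HandleKeyGeneration(algType string) (keyID string, pub *rsa.PublicKey, err error) {
	pub, wrapped, err := c.hsm.GenerateKeyPair(algType)
	if err != nil {
		return "", nil, err
	}
	keyID = fmt.Sprintf("%x", sha256.Sum256(pub.N.Bytes()))[:16] // constructed identifier scheme
	c.store[keyID] = keyRecord{wrapped, c.hsm.rootLabel, "RSA-OAEP-SHA256"}
	return keyID, pub, nil
}

// HandleDecryption: the key identifier accompanying the ciphertext indexes the store.
func (c *CloudPlatform) HandleDecryption(keyID string, ciphertext []byte) ([]byte, error) {
	if rec, ok := c.store[keyID]; ok {
		return c.hsm.Decrypt(rec, ciphertext)
	}
	return nil, ErrDecryptionFailed
}

// ClientEncrypt is the user side, which holds only the issued public key.
func ClientEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}
```

A platform instance is built as `&CloudPlatform{hsm: NewHSM("root-2020-07"), store: map[string]keyRecord{}}`; the root key label is a constructed value.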
Drawings
FIG. 1 is a diagram of an application environment of a key processing method based on a cloud service platform in an embodiment;
FIG. 2 is a schematic flowchart of a key processing method based on a cloud service platform in an embodiment;
FIG. 3 is a schematic flowchart of a key processing method based on a cloud service platform in another embodiment;
FIG. 4 is a schematic interface diagram of a new key created at the user side in an embodiment;
FIG. 5 is a diagram illustrating an interface for the user side to display key identifiers in an embodiment;
FIG. 6 is a schematic diagram illustrating an interface for the user side to confirm obtaining a public key in an embodiment;
FIG. 7 is a flowchart illustrating a key processing method based on a cloud service platform in still another embodiment;
FIG. 8 is a flowchart illustrating a key processing method based on a cloud service platform in another embodiment;
FIG. 9 is a schematic diagram illustrating an interface for decrypting data at the user side in an embodiment;
FIG. 10 is a diagram illustrating a system architecture corresponding to a cloud service platform in one embodiment;
FIG. 11 is an application environment diagram of a key processing method based on a cloud service platform in another embodiment;
FIG. 12 is a flowchart illustrating a data decryption method based on a cloud service platform in an embodiment;
FIG. 13 is a block diagram of a key processing apparatus based on a cloud service platform in an embodiment;
FIG. 14 is a block diagram illustrating a data decryption apparatus based on a cloud service platform in an embodiment;
FIG. 15 is a diagram showing the internal structure of a computer device in an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The key processing method based on the cloud service platform can be applied to the application environment shown in fig. 1. The user terminal 102, the cloud service platform 104 and the hardware encryption machine 106 may be connected and communicate wirelessly. The cloud service platform 104 receives a key generation request initiated by the user terminal 102; acquires the key algorithm type specified by the request; and accesses the hardware encryption machine 106 according to the key algorithm type, so that the hardware encryption machine 106 generates a paired public key and private key using the key algorithm corresponding to that type. The hardware encryption machine 106 is also used to encrypt data with a public key and to decrypt data with a private key. The cloud service platform 104 receives the public key and the private key fed back by the hardware encryption machine 106, stores the private key in a storage location specified by the cloud service platform 104, and issues the public key to the user terminal 102. The user terminal 102 may run on a terminal, which may be, but is not limited to, a personal computer, notebook computer, smartphone, tablet computer, smart speaker or portable wearable device. The hardware encryption machine 106 is a hardware host encryption device. The cloud service platform 104 is a cloud platform that, based on cloud technologies such as cloud computing, cloud storage and big data, provides cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, web services, cloud communication, middleware services, domain name services, security services, CDNs, and big data and artificial intelligence platforms.
Cloud technology is a general term for the network, information, integration, management-platform and application technologies that are applied on the basis of the cloud computing business model; it can form a resource pool that is used on demand and is flexible and convenient. Cloud computing technology will become an important support. The background services of technical network systems, such as video websites, picture websites and other web portals, require large amounts of computing and storage resources. With the development and application of the internet industry, each article may have its own identification mark and need to be transmitted to a background system for logic processing, data of different levels is processed separately, and all kinds of industry data need strong system background support, which can only be realized through cloud computing.
Cloud computing is a computing model that distributes computing tasks over a pool of resources formed by a large number of computers, enabling various application systems to obtain computing power, storage space and information services as needed. The network that provides the resources is referred to as the "cloud". Resources in the "cloud" appear to the user to be infinitely expandable and available at any time, on demand, and paid for as used. As the basic capability provider of cloud computing, a cloud computing resource pool (an IaaS (Infrastructure as a Service) platform) is established, and multiple types of virtual resources are deployed in the resource pool for external clients to use selectively. The cloud computing resource pool mainly comprises computing devices (virtualized machines, including operating systems), storage devices and network devices. By logical function, a PaaS (Platform as a Service) layer can be deployed on the IaaS layer and a SaaS (Software as a Service) layer on the PaaS layer; SaaS can also be deployed directly on IaaS. PaaS is a platform on which software runs, such as a database or a web container. SaaS is the various kinds of business software, such as web portals, SMS and bulk messaging. Generally speaking, SaaS and PaaS are upper layers relative to IaaS.
In an embodiment, as shown in fig. 2, a key processing method based on a cloud service platform is provided, where the method is executed on the cloud service platform, and is described by taking the method as an example applied to the cloud service platform 104 in fig. 1, and includes the following steps:
step 202, receiving a key generation request initiated by a user side.
The user side corresponds to a cloud service platform (hereinafter referred to as the "cloud platform") and runs on the operating system of the user's terminal to provide local services for the user. The user side may specifically be a web page (web side) or an App (application software) local to the terminal. For example, the user side may be a cloud console corresponding to the cloud platform, which displays a web user interface (web UI) to the user. The cloud console may include a control panel, a command line interface, or the like. The user side may also be application software built on an SDK (Software Development Kit) that communicates with the cloud platform over a transmission protocol such as HTTP (Hyper Text Transfer Protocol).
The user side can generate a key generation request and send the key generation request to the cloud platform. The key generation request is used for requesting the cloud platform to provide the key generation service and generating a key specified by the key generation request. The key generation request may be generated based on the acquired user trigger operation, or may be generated by the user side according to the actual application requirement.
For example, when the user needs to generate the key, the user can control the user terminal through the input device of the terminal. The input device may specifically include, but is not limited to, at least one of a key corresponding to the terminal, a trackball, a touch pad, a touch screen covered on the display interface, a keyboard, a mouse, and the like. When the user side acquires the key generation triggering operation, the user side may generate the key generation request based on the key generation triggering operation.
The key generation triggering operation may specifically be a touch operation, a cursor operation, a key operation, a voice operation, or the like. The touch operation may be a touch-and-click operation, a touch-and-press operation, or the like, and the touch operation may be a single-point touch operation or a multi-point touch operation. Multipoint refers to at least two points. The cursor operation may be a click operation or a press operation by a control cursor. The key operation may specifically include a virtual key operation or a physical key operation. For example, the display interface corresponding to the user side includes a key generation control, and when the user side obtains a click operation acting on the key generation control, a key generation request is generated.
The cloud platform may provide, for each of a plurality of different cloud services, an Application Programming Interface (API) corresponding to that service to the user side. Here, plural means two or more. The user side can access the cloud services of the cloud platform through the APIs provided by the cloud platform. A KMS (Key Management Service) may be deployed in the cloud platform, and the cloud platform may provide the key generation service based on the KMS. The user can access the KMS through the user side and call the key management service corresponding to the cloud platform. When a user needs to generate a key, the cloud platform may receive the key generation request initiated by the user side through the API and provide the key generation service for the user in response to that request.
Step 204, the key algorithm type specified by the key generation request is obtained.
The key algorithm type refers to the algorithm type corresponding to the key generation algorithm used to generate a key. Here it is specifically a key generation algorithm type corresponding to asymmetric encryption. Asymmetric encryption requires two paired keys for encryption and decryption, namely a public key and a private key. The paired public key and private key are generated according to the key generation algorithm corresponding to the key algorithm type.
The key algorithm type specified by the key generation request may be a fixed key algorithm type, and the key algorithm type specified by different user terminals or different key generation requests initiated by the same user terminal may be the same key algorithm type. The type of key algorithm specified by the key generation request may also be any of a variety of key algorithm types. For example, the type of the key algorithm may specifically be any one of RSA (RSA algorithm), ElGamal, SM2 (one of elliptic curve public key cryptography algorithms), and the like.
After receiving the key generation request, the cloud platform acquires the key algorithm type specified by the key generation request in response to the key generation request. Specifically, the key algorithm type specified by the key generation request may be selected by the user from multiple key algorithm types according to actual requirements, and the user side may obtain the key algorithm type selected by the user to generate the key generation request carrying the key algorithm type. After receiving the key generation request, the cloud platform analyzes the key generation request to acquire the key algorithm type carried by the key generation request.
In one embodiment, the user end may present a plurality of candidate key algorithm types to the user through the user interface, and the presentation form of the candidate key algorithm types may be one of a plurality of presentation forms such as a list, a tile, or a pull-down. The user side can obtain the selection operation of the user, and the target key algorithm type selected by the user is determined from the candidate key algorithm types based on the selection operation. The user side can generate a key generation request carrying a target key algorithm type, and uploads the key generation request to the cloud platform.
In one embodiment, the cloud platform may also obtain a key usage scenario specified by the key generation request. The key usage scenario may be the usage scenario of the generated key, either selected by the user or determined according to actual application requirements. The cloud platform may select a corresponding key algorithm type according to the key usage scenario. For example, the RSA algorithm is a key algorithm in wide international use, while the SM2 algorithm is a key algorithm designed for the Chinese standard. When the key usage scenario specified by the key generation request is a Chinese compliance scenario, the cloud platform may determine that the key algorithm type is the SM2 algorithm. When the key usage scenario corresponds to multiple key algorithm types, the cloud platform may randomly select one of them.
Step 206, accessing the hardware encryption machine according to the key algorithm type, so that the hardware encryption machine adopts the key algorithm corresponding to the key algorithm type to generate a paired public key and private key.
The hardware encryption machine is a hardware encryption device that can perform data encryption, data decryption and key generation. The hardware encryption machine may support multiple types of key algorithms. The cloud platform and the hardware encryption machine can be connected and communicate in a wireless communication mode. For example, the cloud platform and the hardware encryption machine may communicate with each other using a transmission protocol such as TCP/IP (Transmission Control Protocol/Internet Protocol). The cloud platform can access the hardware encryption machine according to the key algorithm type, so that the hardware encryption machine adopts the key algorithm corresponding to the key algorithm type to generate the paired public key and private key.
Specifically, the cloud platform may access the hardware encryption machine according to the key algorithm type based on the communication connection with the hardware encryption machine. The hardware encryption machine comprises a key generator, and after receiving the key algorithm type, the hardware encryption machine can use the key algorithm type as a parameter to control the key generator to generate a key by adopting the key algorithm corresponding to the key algorithm type. The key algorithm type corresponds to asymmetric encryption, the key generated by the hardware encryption machine is a public key and a private key that are matched, and the matched public key and private key form a key pair.
The hardware encryption machine can generate a public key and a private key which are matched according to the type of a key algorithm, and can also encrypt data based on the public key and decrypt data based on the private key matched with the public key. The data are encrypted and decrypted through the hardware encryption machine, and the safety of the data is effectively guaranteed.
In one embodiment, when the cloud platform accesses the hardware encryption machine according to the key algorithm type corresponding to the symmetric encryption, the hardware encryption machine may also use the key algorithm type corresponding to the symmetric encryption as a parameter, and generate a single key by using the symmetric encryption algorithm corresponding to the key algorithm type.
The cloud platform accesses the hardware encryption machine according to the key algorithm type, so that the hardware encryption machine adopts the key algorithm corresponding to the key algorithm type to generate the paired public key and private key. Compared with the mode that the paired public key and private key are completely generated by the cloud platform, the security of the private key is improved on the hardware level by the hardware encryption machine, and the risk that the cloud platform reveals the private key is reduced.
Step 208, receiving the public key and the private key fed back by the hardware encryption machine.
Step 210, storing the private key in a storage location specified by the cloud service platform, and issuing the public key to the user side.
The cloud platform can receive the public key and the private key fed back by the hardware encryption machine through communication connection with the hardware encryption machine. The public key and the private key which are received by the cloud platform and fed back by the hardware encryption machine can be a public key plaintext and a private key plaintext respectively, and can also be a public key ciphertext and a private key ciphertext respectively. The public key ciphertext is obtained by encrypting the public key plaintext, and the private key ciphertext is obtained by encrypting the private key plaintext.
The cloud platform can store the received private key in a storage position designated by the cloud platform, and issue the public key to the user side. Specifically, for different user sides, the cloud platform can designate the same storage location to store the private keys corresponding to the different user sides. The cloud platform can also respectively determine different storage positions according to different user sides, and store the private key to the respective corresponding storage positions of the user sides. The storage location specified by the cloud platform may be a storage location based on cloud storage, and the cloud platform may store the received private key in the cloud database according to the specified storage location.
The cloud platform can issue the received public key to the user side so that the user side can distribute the public key conveniently, and data are encrypted based on the public key. In one embodiment, the cloud platform may further store the paired public key and private key in a storage location specified by the cloud platform, so as to backup the public key.
In this embodiment, the cloud platform generates the paired public key and private key based on the received key generation request initiated by the user side, and the user side does not need to generate the private key by itself, thereby avoiding the risk of leakage of the private key after the user side generates the private key. The cloud platform accesses the hardware encryption machine according to the key algorithm type by obtaining the key algorithm type specified by the key generation request, so that the hardware encryption machine adopts the key algorithm corresponding to the key algorithm type to generate a matched public key and private key, and the security of the private key is improved by the hardware encryption machine from a hardware level. The cloud platform receives the public key and the private key fed back by the hardware encryption machine, stores the private key in a storage position appointed by the cloud platform, and sends the public key to the user side. The cloud platform can not issue the private key to the user side, and the user side does not need to contact and store the private key completely, so that the risk that the user side loses and reveals the private key is avoided, and the security of the private key is effectively improved.
In an embodiment, as shown in fig. 3, a key processing method based on a cloud service platform is provided, which specifically includes the following steps:
step 302, receiving a key generation request initiated by a user side.
Step 304, obtaining the key algorithm type specified by the key generation request.
Step 306, obtain the target root key label.
After receiving a key generation request initiated by a user side, the cloud platform can also obtain a target root key label. The hardware encryption machine may correspond to one or more root keys, and the root keys are stored in the hardware encryption machine. Each root key can correspond to a root key label, and a one-to-one correspondence relationship exists between the root keys and the root key labels. The target root key tag corresponds to the target root key and is used for marking the target root key. The target root key is a root key used for encrypting a public key and a private key in the root keys corresponding to the hardware encryption machine. When the hardware encryption machine only corresponds to one root key, the cloud platform can obtain a root key label corresponding to the root key as a target root key label.
When the hardware encryption machine corresponds to a plurality of root keys, the cloud platform may obtain a fixed root key label as a target root key label from root key labels corresponding to the plurality of root keys respectively. That is, when the cloud platform receives different key generation requests initiated by the same or different user sides, the cloud platform may obtain the same root key tag as a target root key tag.
In one embodiment, the cloud platform may further obtain a candidate root key label set corresponding to the hardware encryption machine, randomly select a candidate root key label from the candidate root key label set, and determine the selected candidate root key label as a target root key label. Specifically, when the hardware encryption machine corresponds to a plurality of root keys, the root key labels corresponding to the root keys are determined as candidate root key labels. The cloud platform can obtain a candidate root key label set corresponding to the hardware encryption machine, wherein the candidate root key label set comprises a plurality of candidate root key labels. The cloud platform may randomly select one candidate root key label from the candidate root key label set, and the cloud platform may determine the selected candidate root key label as a target root key label.
The cloud platform randomly selects the target root key label from the candidate root key label set, which increases the uncertainty of the target root key label. The plaintext of the private key is encrypted with the target root key corresponding to the randomly selected target root key label to obtain the ciphertext of the private key. Even if the private key ciphertext is leaked, it cannot be decrypted without the target root key corresponding to the target root key label used for the encryption, so the private key plaintext is not leaked and the security of the private key plaintext is effectively improved.
In one embodiment, the cloud platform may further obtain a root key tag specified by the key generation request, and determine the root key tag specified by the key generation request as the target root key tag. The root key label specified by the key generation request may be a candidate root key label determined by the user side from a set of candidate root key labels. Specifically, the user side may select the candidate root key tag from the candidate root key tag set according to the actual application requirement. The user side can also select candidate root key labels from the candidate root key label set based on a preset root key label selection strategy. For example, the user side may form a candidate tag sequence according to the candidate root key tags included in the candidate root key tag set, and sequentially select the candidate root key tags according to the candidate tag sequence. The user side can also randomly determine candidate root key labels from the candidate root key label set. The user side can also display a plurality of candidate root key labels included in the candidate root key label set through a user interface, obtain the candidate root key labels selected by the user from the candidate root key label set, and generate a key generation request carrying the candidate root key labels selected by the user.
Step 308, accessing the hardware encryption machine according to the key algorithm type and the target root key tag, enabling the hardware encryption machine to adopt the key algorithm corresponding to the key algorithm type to generate a matched public key plaintext and private key plaintext, and respectively encrypting the public key plaintext and the private key plaintext according to the target root key corresponding to the target root key tag to obtain a public key ciphertext and a private key ciphertext.
The cloud platform can access the hardware encryption machine according to the key algorithm type and the target root key label, so that the hardware encryption machine generates a matched public key and private key according to the key algorithm type and the target root key label. Specifically, the cloud platform may access a key generator in the hardware encryption machine with the key algorithm type and the target root key label as parameters, and the hardware encryption machine generates a public key and a private key which are paired through the key generator with the key algorithm type and the target root key label as parameters. The hardware encryption machine adopts a key algorithm corresponding to the type of the key algorithm to generate a public key plaintext and a private key plaintext which are matched, then the public key plaintext and the private key plaintext are respectively encrypted according to a target root key corresponding to a target root key label, a public key ciphertext is obtained by encrypting the public key plaintext, and a private key ciphertext is obtained by encrypting the private key plaintext.
Step 310, receiving the public key and the private key fed back by the hardware encryption machine, wherein the received public key is a public key ciphertext, and the received private key is a private key ciphertext.
Step 312, storing the private key in a storage location specified by the cloud service platform, and issuing the public key to the user side.
The hardware encryption machine can output the public key ciphertext and the private key ciphertext and feed the public key ciphertext and the private key ciphertext back to the cloud platform. The cloud platform receives a public key and a private key fed back by the hardware encryption machine, the public key received by the cloud platform is a public key ciphertext, and the received private key is a private key ciphertext. The cloud platform can store the private key ciphertext in a storage position designated by the cloud platform, and issue the public key ciphertext to the user side.
In this embodiment, the cloud platform obtains the target root key tag and accesses the hardware encryption machine according to the key algorithm type and the target root key tag; after the hardware encryption machine generates the paired public key plaintext and private key plaintext, it encrypts the public key plaintext and the private key plaintext respectively according to the target root key corresponding to the target root key tag to obtain a public key ciphertext and a private key ciphertext. The public key received by the cloud platform and fed back by the hardware encryption machine is a public key ciphertext, and the private key is a private key ciphertext. The plaintext of the private key only appears inside the hardware encryption machine, and the hardware encryption machine improves the security of the private key from the hardware level. The cloud platform never receives the plaintext of the private key; even if the cloud platform leaks the private key, the leaked private key is the private key ciphertext, so the risk that the cloud platform leaks the private key plaintext is avoided, and the security of the private key plaintext is effectively improved.
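As an added illustration (not code from the patent or from the applicant), the following Python sketch models steps 306 to 310: the hardware encryption machine holds root keys indexed by label, generates an RSA pair on request, and feeds back only root-key-encrypted ciphertext; the cloud platform side chooses the target root key label by one of the three strategies described above and, later, hands the ciphertext keys back to the device for the data encryption and decryption operations the text attributes to it. The RSA generator, the HMAC-based wrap function and the root key labels are constructed stand-ins for the device's internal operations, not anything the specification defines.

```python
import hashlib
import hmac
import math
import secrets
from typing import Dict, List, Optional, Tuple

KEY_BYTES = 64  # 512-bit demo modulus for speed; a real hardware encryption machine uses 2048 bits or more

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    # Miller-Rabin test for the stand-in key generator
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def _pack(*values: int) -> bytes:
    return b"".join(v.to_bytes(KEY_BYTES, "big") for v in values)

def _unpack(blob: bytes) -> List[int]:
    return [int.from_bytes(blob[i:i + KEY_BYTES], "big") for i in range(0, len(blob), KEY_BYTES)]

def _rsa_keygen() -> Tuple[bytes, bytes]:
    # public key plaintext n||e and private key plaintext n||d, each field KEY_BYTES wide
    e = 65537
    while True:
        p, q = _random_prime(KEY_BYTES * 4), _random_prime(KEY_BYTES * 4)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(phi, e) == 1:
            return _pack(p * q, e), _pack(p * q, pow(e, -1, phi))

def _keystream_xor(root_key: bytes, nonce: bytes, data: bytes) -> bytes:
    blocks = (hmac.new(root_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def wrap(root_key: bytes, plaintext: bytes) -> bytes:
    # encrypt-then-MAC under the root key -> nonce || ciphertext || tag (constructed stand-in for AES key wrap)
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(root_key, nonce, plaintext)
    return nonce + ciphertext + hmac.new(root_key, nonce + ciphertext, hashlib.sha256).digest()

def unwrap(root_key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(root_key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("wrong root key or tampered ciphertext")
    return _keystream_xor(root_key, nonce, ciphertext)

class HardwareEncryptionMachine:
    def __init__(self, root_keys: Dict[str, bytes]):
        self._root_keys = dict(root_keys)  # root keys never leave this object

    def root_key_labels(self) -> List[str]:
        return sorted(self._root_keys)

    def generate_key_pair(self, key_algorithm_type: str, target_root_key_label: str) -> Tuple[bytes, bytes]:
        if key_algorithm_type != "RSA":  # SM2 would be dispatched here; omitted from this example
            raise ValueError(f"unsupported key algorithm type: {key_algorithm_type}")
        root_key = self._root_keys[target_root_key_label]
        public_pt, private_pt = _rsa_keygen()
        return wrap(root_key, public_pt), wrap(root_key, private_pt)  # only ciphertext is fed back

    def encrypt(self, label: str, public_ct: bytes, message: int) -> int:
        n, e = _unpack(unwrap(self._root_keys[label], public_ct))
        return pow(message, e, n)  # textbook RSA on an integer, for illustration only (no padding)

    def decrypt(self, label: str, private_ct: bytes, ciphertext: int) -> int:
        n, d = _unpack(unwrap(self._root_keys[label], private_ct))
        return pow(ciphertext, d, n)

def select_target_root_key_label(hsm, strategy, requested=None):
    # the three selection modes the text describes: a fixed label, a random label, or the label the request names
    labels = hsm.root_key_labels()
    if strategy == "fixed":
        return labels[0]
    if strategy == "random":
        return secrets.choice(labels)
    if strategy == "specified" and requested in labels:
        return requested
    raise ValueError("no usable target root key label")

def build_demo_hsm() -> HardwareEncryptionMachine:
    # constructed root keys for the demo; a real device generates and keeps these internally
    return HardwareEncryptionMachine({"rk-2020-01": secrets.token_bytes(32), "rk-2020-02": secrets.token_bytes(32)})
```

A private key ciphertext handed back with a different root key label fails the tag check, which is the property the text relies on when it says a leaked ciphertext cannot be decrypted without the target root key.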
In one embodiment, the step of storing the private key in a storage location specified by the cloud service platform includes: generating a key identification corresponding to the private key; and taking the key identification as an index, and storing the private key, the public key and the decryption algorithm type for data decryption corresponding to the private key in a storage position appointed by the cloud service platform in an associated manner.
After receiving the public key and the private key fed back by the hardware encryption machine, the cloud platform may store the public key and the private key to a storage location specified by the cloud platform. The public key and the private key received by the cloud platform can be a public key plaintext and a private key plaintext respectively, and can also be a public key ciphertext and a private key ciphertext respectively. Specifically, the cloud platform may generate a key identifier corresponding to the private key, and the key identifier may be used to uniquely mark the corresponding private key. The key identifier may specifically be a key ID (Identity document) corresponding to the private key, and the key ID may specifically be a unique character string corresponding to the private key. The cloud platform can generate a key ID uniquely corresponding to the private key according to a preset key ID generation strategy. The cloud platform may determine a format of the key ID according to a key ID generation policy, e.g., the key ID generation policy may determine that the key ID includes at least one of numbers, uppercase letters, lowercase letters, or special characters. In one embodiment, the key ID generated by the cloud platform may be represented as "77781df9-8762-11ea-a613-525400d9da05", and the cloud platform may determine the character string as the key identification corresponding to the private key.
The cloud platform may use the key identifier as an index, and store the key information corresponding to the key identifier in association with a storage location specified by the cloud platform. Specifically, the key identifier corresponds to the private key, and the cloud platform may obtain a public key paired with the private key and fed back by the hardware encryption machine, and a decryption algorithm type corresponding to the private key and used for data decryption. The cloud platform uses the key identification as an index, and stores the private key, the public key and the decryption algorithm type corresponding to the private key to a storage position appointed by the cloud platform in an associated manner. The decryption algorithm type is an algorithm type corresponding to a decryption algorithm for decrypting data based on a private key.
In one embodiment, the key information may further include a key name corresponding to the paired public key and private key, key description information, key generation time, key state, key owner information, and an encryption algorithm for data encryption corresponding to the public key. The type of decryption algorithm used for data decryption corresponding to the private key corresponds to the type of encryption algorithm used for data encryption corresponding to the public key. The cloud platform can use the key identification as an index, and stores various key information corresponding to the private key in a storage position in an associated manner, so that the corresponding key information can be conveniently searched through the key identification.
In one embodiment, key information such as key name, key description information, key algorithm type, and key usage may be user-determined. Fig. 4 is a schematic diagram of an interface of a new key at a user end in an embodiment, as shown in fig. 4. When a user needs to generate a key, the user side can display a new key page through a user interface to obtain part of key information configured by the user. The user side can generate a key generation request carrying key information. The cloud platform can obtain key information configured by a user, and after receiving a matched public key and a matched private key fed back by the hardware encryption machine, the public key, the private key and the corresponding key information are stored in a storage position in an associated manner by using a key identifier corresponding to the private key.
In one embodiment, the cloud platform may issue the key identifier and the public key to the user side, and the user side may display the key identifier to the user through the user interface. The user side does not need to directly obtain the private key, can access the cloud platform through the key identification, and requests the service of the private key corresponding to the key identification from the cloud platform, and the user side does not need to generate, store and use the private key, so that the risk of revealing the private key by the user side is effectively reduced. As shown in fig. 5, fig. 5 is a schematic interface diagram illustrating a key identifier at a user side in an embodiment. The user side can also display the key identification and the key information of the key corresponding to the user through a user interface. As shown in fig. 5, the user end can display key information such as key identification, key name, key generation time, and key status through the user interface without directly obtaining the private key.
In this embodiment, by generating a key identifier corresponding to the private key, and using the key identifier as an index, the private key, the public key, and a decryption algorithm type for data decryption corresponding to the private key are stored in a storage location specified by the cloud platform in an associated manner, so that the cloud platform searches the corresponding private key, public key, or decryption algorithm type from the storage location by using the key identifier as an index, and efficiency of searching the private key, public key, and decryption algorithm type from the storage location is improved. Meanwhile, the private key is stored in the storage position appointed by the cloud platform, the user side does not need to acquire and store the private key, the risk that the user side reveals and loses the private key is reduced, and the safety of the private key is effectively improved.
In one embodiment, the method further comprises: receiving a public key acquisition request initiated by a user side; acquiring a key identifier specified by the public key acquisition request; searching a public key from a storage position appointed by the cloud service platform by taking the key identification as an index; and issuing the searched public key to the user side.
The cloud platform takes the key identification as an index, stores the paired private key and public key to a storage position specified by the cloud platform, and then can receive a public key acquisition request initiated by a user side. The public key obtaining request can be generated by the user side according to the user requirement and is sent to the cloud platform through an API provided by the cloud platform. For example, when the user needs to obtain the generated public key, the user side may be controlled to initiate a public key obtaining request to the cloud platform, so as to obtain the corresponding public key from the cloud platform.
In one embodiment, the user side may obtain a user account for logging in the user side, obtain a key identifier corresponding to the user based on the user account, and display the key identifier to the user through the user interface. The key identifier corresponding to the user may refer to a key identifier corresponding to a key owned by the user, or may refer to a key identifier corresponding to a key usable by the user. When the user side receives the public key acquisition triggering operation, the user side acquires the key identifier specified by the public key acquisition triggering operation, generates a public key acquisition request and sends the public key acquisition request to the cloud platform. As shown in fig. 5, when the user side displays the key identifier through the user interface, the user interface may further include a public key obtaining control corresponding to the key identifier. The user can trigger the public key obtaining control corresponding to the key identification to obtain the public key corresponding to the key identification.
In one embodiment, after receiving the public key obtaining triggering operation, the user side may further respond to the public key obtaining triggering operation to obtain the key identifier corresponding to the user account, and display the key identifier to the user through the user interface, so that the user can select the key identifier, from the plurality of key identifiers, for which the corresponding public key needs to be obtained according to actual requirements.
In one embodiment, as shown in fig. 6, fig. 6 is an interface diagram illustrating the user side determining to obtain the public key in one embodiment. The user side can determine to acquire the public key through the user interface when the public key acquisition control is triggered. When the user determines to acquire the public key corresponding to the key identifier, the user side may perform a public key acquisition operation, generate a public key acquisition request, and send the public key acquisition request to the cloud platform.
After receiving the public key acquisition request initiated by the user side, the cloud platform may respond to the public key acquisition request to acquire the key identifier specified by the public key acquisition request, where the key identifier specified by the public key acquisition request may be a key identifier selected by the user when the user side generates the public key acquisition request. The cloud platform uses the key identification as an index, and searches a public key corresponding to the stored key identification from a storage position specified by the cloud platform. The cloud platform can issue the searched public key to the user side, so that the user side can use the public key to encrypt data, or distribute the public key to other user sides for use.
In one embodiment, when the cloud platform uses the key identifier as an index and does not find the public key corresponding to the key identifier from the storage location, the cloud platform may generate a public key acquisition failure prompt message and issue the public key acquisition failure prompt message to the user side, so as to prompt the user side not to find the public key according to the key identifier. The public key acquisition failure prompt message may be at least one of a text prompt message, a voice prompt message, or an image prompt message.
In one embodiment, the public key stored in the storage location by the cloud platform may be a public key plaintext fed back by the hardware encryption machine, and the cloud platform may send the public key plaintext found from the storage location to the user side. The public key stored to the storage position by the cloud platform can also be a public key ciphertext fed back after the hardware encryption machine encrypts the plaintext of the public key according to the target root key corresponding to the target root key label. The cloud platform can issue the public key ciphertext searched from the storage location to the user side.
In this embodiment, the cloud platform uses the key identifier as an index, and stores the private key, the public key, and the decryption algorithm type corresponding to the private key in association with the storage location specified by the cloud platform, and then the cloud platform can receive a public key acquisition request initiated by the user side, acquire the key identifier specified by the public key acquisition request, search the public key from the storage location by using the key identifier as the index, and send the searched public key to the user side, so that the user side can manage and use the public key in the paired public key and private key, and convenience in using and managing the public key by the user side is effectively improved. The user side can obtain and use the public key without obtaining and storing the private key matched with the public key, and the private key is always stored in the storage position appointed by the cloud platform, so that the risk that the user side reveals and loses the private key is reduced, and the safety of the private key is effectively improved.
In an embodiment, as shown in fig. 7, a key processing method based on a cloud service platform provided by the present application includes:
step 702, receiving a key generation request initiated by a user side.
Step 704, obtain the key algorithm type specified by the key generation request.
Step 706, accessing the hardware encryption machine according to the type of the key algorithm, so that the hardware encryption machine adopts the key algorithm corresponding to the type of the key algorithm to generate a paired public key and private key.
Step 708, receiving the public key and the private key fed back by the hardware encryption machine.
Step 710, respectively performing character encoding on the binary public key and the binary private key to obtain a character-encoded public key and a character-encoded private key.
The predetermined character encoding scheme may be any one of a plurality of encoding schemes capable of encoding binary data into characters. For example, the preset character encoding mode may specifically be Base64 (an encoding mode for representing binary data based on 64 printable characters). The cloud platform can respectively perform Base64 encoding on the binary public key and the binary private key, encode the binary data into visible characters, and obtain the character-encoded public key and the character-encoded private key. The data types corresponding to the character-coded public key and the character-coded private key are printable characters. The cloud platform may also perform character encoding on the public key and the private key of the binary system by using other character encoding modes, where the character encoding mode is not limited.
And step 712, storing the character-encoded private key in a storage position specified by the cloud service platform.
Step 714, the public key with character code is issued to the user terminal.
The cloud platform can receive the public key and the private key fed back by the hardware encryption machine, and the public key and the private key fed back by the hardware encryption machine are binary data respectively. The public key received by the cloud platform can be a binary public key plaintext or a binary public key ciphertext, and the received private key can be a binary private key plaintext or a binary private key ciphertext. The cloud platform can respectively perform character encoding on the binary public key and the binary private key by adopting a preset character encoding mode to obtain the character-encoded public key and the character-encoded private key. The cloud platform can store the character-encoded private key in the storage location specified by the cloud platform, and issue the character-encoded public key to the user side.
In this embodiment, after receiving the binary public key and the binary private key fed back by the hardware encryption machine, the cloud platform performs character encoding on the binary public key and the binary private key respectively to obtain a character-encoded public key and a character-encoded private key. The cloud platform stores the character-encoded private key in the storage location specified by the cloud platform, and issues the character-encoded public key to the user side, so that the binary public key and the binary private key are prevented from being corrupted or lost in the storage or transmission process, the integrity of the character-encoded public key and the character-encoded private key during storage and transmission is effectively ensured, and the accuracy of the stored private key and the issued public key is improved.
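As an added example (not part of the specification), a Python model of the storage and retrieval described in the embodiments above: the cloud platform Base64-encodes the binary keys fed back by the hardware encryption machine, stores them together with the decryption algorithm type and other key information under a generated key ID, answers public key acquisition requests by key ID (returning the failure prompt when nothing is found), and never issues the private key. The UUID key ID policy, the owner check on retrieval and the sample key bytes are assumptions made for this example.

```python
import base64
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

PUBLIC_KEY_NOT_FOUND = "public key acquisition failed: no public key found for the given key identifier"

# Constructed sample key material standing in for the binary public key / private key fed back by the
# hardware encryption machine (in the embodiment above these would be the root-key-encrypted ciphertexts).
DEMO_PRIVATE_KEY_BIN = bytes(range(256)) + b"\x00\xff"  # every byte value, which Base64 must carry intact
DEMO_PUBLIC_KEY_BIN = b"\x30\x59\x30\x13" + bytes(60)

@dataclass
class KeyRecord:
    key_id: str
    private_key: str                # Base64 text of the private key, never issued to the user side
    public_key: str                 # Base64 text of the paired public key
    decryption_algorithm_type: str  # algorithm for decrypting with this private key; matches the public key's encryption algorithm type
    key_name: str
    key_owner: str
    key_generation_time: str
    key_state: str = "Enabled"

class CloudKeyStore:
    # the storage location specified by the cloud platform, indexed by key identifier
    def __init__(self) -> None:
        self._records: Dict[str, KeyRecord] = {}

    def store_key_pair(self, private_key_bin: bytes, public_key_bin: bytes, algorithm_type: str,
                       key_name: str, key_owner: str) -> str:
        key_id = str(uuid.uuid4())  # assumed key ID generation policy: a random UUID string
        self._records[key_id] = KeyRecord(
            key_id=key_id,
            private_key=base64.b64encode(private_key_bin).decode("ascii"),
            public_key=base64.b64encode(public_key_bin).decode("ascii"),
            decryption_algorithm_type=algorithm_type,
            key_name=key_name,
            key_owner=key_owner,
            key_generation_time=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        )
        return key_id

    def get_public_key(self, key_id: str, requester: str) -> Tuple[bool, str]:
        # public key acquisition request: look the key ID up as the index; one failure prompt whether the
        # ID is unknown or belongs to another account, so the response does not reveal which (added check)
        record = self._records.get(key_id)
        if record is None or record.key_owner != requester:
            return False, PUBLIC_KEY_NOT_FOUND
        return True, record.public_key

    def key_info_for_user(self, requester: str) -> List[Dict[str, str]]:
        # what the user interface may display: identifier, name, time, state; the private key is never included
        shown = ("key_id", "key_name", "key_generation_time", "key_state", "decryption_algorithm_type")
        return [{f: getattr(r, f) for f in shown} for r in self._records.values() if r.key_owner == requester]

    def private_key_for_hardware_encryption_machine(self, key_id: str) -> bytes:
        # internal path only: decode the stored text back to the binary the device expects
        return base64.b64decode(self._records[key_id].private_key, validate=True)

def decode_issued_public_key(public_key_text: str) -> bytes:
    # the user side reverses the character encoding before using or distributing the public key
    return base64.b64decode(public_key_text, validate=True)

def demo_store() -> Tuple[CloudKeyStore, str]:
    store = CloudKeyStore()
    key_id = store.store_key_pair(DEMO_PRIVATE_KEY_BIN, DEMO_PUBLIC_KEY_BIN, "RSA", "order-service-key", "user-a")
    return store, key_id
```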
In an embodiment, as shown in fig. 8, a key processing method based on a cloud service platform provided by the present application includes:
step 802, receiving a key generation request initiated by a user side.
Step 804, obtaining the key algorithm type specified by the key generation request.
Step 806, accessing the hardware encryption machine according to the key algorithm type, so that the hardware encryption machine adopts the key algorithm corresponding to the key algorithm type to generate the paired public key and private key.
Step 808, receiving the public key and the private key fed back by the hardware encryption machine.
Step 810, storing the private key in a storage location specified by the cloud service platform, and issuing the public key to the user side.
The cloud platform may generate a paired public key and private key in response to the key generation request. The cloud platform stores the private key to a storage position appointed by the cloud platform and issues the public key to the user side, and the user side can encrypt data based on the public key and can also distribute the public key to other user sides, so that the other user sides encrypt the data, and the security of the data is improved.
In one embodiment, the public key may be used to encrypt data to be transmitted. Before sending the data to be transmitted to the data receiver, the data sender can encrypt the data to be transmitted based on the public key, so that data leakage in the transmission process is avoided and the security of data transmission is ensured. The data to be transmitted may be of any type, and the data type is not limited here. It will be appreciated that data sender and data receiver are relative terms. For example, user side A and user side B are two different user sides. When user side A sends data to user side B, user side A is the data sender and user side B is the data receiver. When user side B sends data to user side A, user side B is the data sender and user side A is the data receiver. The data receiver may obtain the generated public key and distribute the public key to the data sender. Different data receivers can correspond to different public keys. Before the data sender transmits data to the data receiver, it can encrypt the data to be transmitted based on the public key distributed by that data receiver, so that the safety of the data in the transmission process is ensured.
In one embodiment, a user side corresponding to a data sending party may initiate a data encryption request to a cloud platform, and the cloud platform may obtain a data plaintext and a public key specified by the data encryption request, where the data plaintext may specifically be data to be transmitted. The cloud platform can access the hardware encryption machine according to the data plaintext, the public key and the encryption algorithm type corresponding to the public key and used for data encryption, so that the hardware encryption machine adopts the encryption algorithm corresponding to the encryption algorithm type, and performs data encryption on the data plaintext based on the public key to obtain a data ciphertext. The cloud platform can receive the data ciphertext fed back by the hardware encryption machine and sends the data ciphertext to the user side corresponding to the data sending side, so that the user side can transmit the data ciphertext to the data receiving side.
Step 812, receiving a data decryption request initiated by the user side, where the data decryption request carries a data cipher text for performing data encryption based on the public key.
The cloud platform can receive a data decryption request initiated by a user side. The data decryption request is used for requesting the cloud platform to decrypt the encrypted data ciphertext. The data decryption request carries a data ciphertext for encrypting data based on the public key. The data cipher text can be input to the user terminal by the user through the input device. For example, as shown in fig. 9, fig. 9 is a schematic interface diagram illustrating a user side performing data decryption in one embodiment. The user interface displayed at the user side can comprise a data ciphertext input box, and a user can write the data ciphertext needing to be decrypted into the data ciphertext input box through input equipment.
The user side can obtain the data ciphertext written in the data ciphertext input box, generates a data decryption request carrying the data ciphertext when receiving a data decryption trigger operation, and sends the data decryption request to the cloud platform through an API (application program interface) provided by the cloud platform. The data decryption trigger operation may specifically be a trigger operation acting on a data decryption control included in the user interface. As shown in fig. 9, the user interface includes an "execute" control, and when the user clicks the execute control through a click operation, the user terminal requests the data decryption service from the cloud platform.
Step 814, based on the data ciphertext, a private key paired with the public key and a decryption algorithm type corresponding to the private key are obtained from the storage location.
The cloud platform may obtain, based on the obtained data ciphertext, a private key paired with the public key from a storage location specified by the cloud platform. The storage locations specified by the cloud platform may be uniform, or may be respectively corresponding to different user terminals. The private key acquired by the cloud platform can be a private key plaintext or a private key ciphertext.
In one embodiment, the cloud platform may determine, based on the data ciphertext, a key identifier corresponding to the data ciphertext, and the cloud platform may use the key identifier as an index to search, from a storage location specified by the cloud platform, a private key paired with the public key, so as to obtain a private key used for data decryption and a decryption algorithm type corresponding to the private key.
In one embodiment, when the cloud platform does not acquire the private key paired with the public key from the storage location, the cloud platform may generate decryption failure prompt information, and issue the decryption failure prompt information to the user side, so as to prompt the user that the private key capable of decrypting the data ciphertext is not found.
Step 816, accessing the hardware encryption machine according to the private key, the type of the decryption algorithm and the data ciphertext, so that the hardware encryption machine decrypts the data ciphertext by adopting the decryption algorithm corresponding to the type of the decryption algorithm based on the private key to obtain the data plaintext.
After the cloud platform acquires the private key matched with the public key from the storage position, the hardware encryption machine can be accessed according to the private key and the data ciphertext, so that the hardware encryption machine uses the private key as a parameter to decrypt the data ciphertext based on the private key to obtain the data plaintext corresponding to the data ciphertext. The cloud platform can receive the data plaintext fed back by the hardware encryption machine and sends the data plaintext to the user side, and the user side can display the received data plaintext through the user interface.
In one embodiment, the cloud platform uses the key identifier as an index and may also search the storage location for the decryption algorithm type corresponding to the private key used for data decryption. The cloud platform can access the hardware encryption machine according to the data ciphertext, the private key and the decryption algorithm type corresponding to the private key, so that the hardware encryption machine adopts the decryption algorithm corresponding to the decryption algorithm type and decrypts the data ciphertext based on the private key to obtain the data plaintext corresponding to the data ciphertext. The decryption algorithm type corresponding to the private key, the encryption algorithm type corresponding to the public key, and the key algorithm type used to generate the key pair correspond to one another.
Step 818, receiving the plaintext of the data fed back from the hardware encryption device, and sending the plaintext to the user end.
In this embodiment, by receiving the data decryption request initiated by the user side, the cloud platform decrypts the data ciphertext that the request carries and that was encrypted based on the public key, so the user side does not need to use a private key to decrypt the data itself. The cloud platform acquires the private key paired with the public key from the storage location based on the data ciphertext, accesses the hardware encryption machine according to the private key and the data ciphertext, receives the data plaintext fed back by the hardware encryption machine after it has decrypted the data ciphertext based on the private key, and sends the data plaintext to the user side. Because data decryption is carried out by the hardware encryption machine, the security of the private key is improved at the hardware level. The private key is stored in a storage location designated by the cloud platform, and the user side is not required to store or provide the private key. In the whole process of key generation and data decryption, the user side does not need to contact, store or use the private key, so the risk of the private key being revealed by the user side is avoided, and the safety of the private key is effectively improved.
In an embodiment, when the cloud platform decrypts data, the private key paired with the public key acquired from the storage location may be a private key plaintext, or may be a private key ciphertext encrypted by the hardware encryption machine. When the private key acquired by the cloud platform is a private key ciphertext, the cloud platform may further acquire a target root key tag corresponding to the private key from the storage location, where the target root key tag is stored in the storage location in association with the private key. The cloud platform can access the hardware encryption machine according to the data ciphertext, the private key, the decryption algorithm type corresponding to the private key and the target root key label, so that the hardware encryption machine decrypts the private key ciphertext according to the target root key corresponding to the target root key label to obtain a private key plaintext, and performs data decryption on the data ciphertext according to the private key plaintext by adopting the decryption algorithm corresponding to the decryption algorithm type to obtain the data plaintext. The cloud platform can receive the data plaintext fed back by the hardware encryption machine and sends the data plaintext to the user side.
In this embodiment, the private key acquired by the cloud platform from the storage location is a private key ciphertext, a target root key tag corresponding to the private key needs to be acquired, and the hardware encryption machine is accessed according to the target root key tag, so that the hardware encryption machine decrypts the private key ciphertext according to the target root key corresponding to the target root key tag, and decrypts the data ciphertext based on the private key plaintext obtained by decryption, so as to obtain the data plaintext. The clear text of the private key only appears in the hardware encryption machine, and the hardware encryption machine improves the security of the clear text of the private key from a hardware level. Even if the cloud platform reveals the private key, only the private key ciphertext is revealed, and the plaintext of the private key cannot be really revealed, so that the security of the private key is effectively improved.
In one embodiment, the cloud platform may also perform data signing based on a private key. Specifically, the cloud platform may further receive a data signature request initiated by the user side, where the data signature request carries the data to be signed and the key identifier. The cloud platform may use the key identifier as an index, and search for a private key corresponding to the key identifier from the storage location. The cloud platform can access the hardware encryption machine according to the data to be signed and the private key, so that the hardware encryption machine carries out data signing on the data to be signed based on the private key to obtain the signed data. The cloud platform can receive the signed data fed back by the hardware encryption machine and send the signed data to the user side.
In one embodiment, the cloud platform may further obtain a signature algorithm type corresponding to the private key, access the hardware encryption machine according to the data to be signed, the private key and the signature algorithm type, enable the hardware encryption machine to adopt a signature algorithm corresponding to the signature algorithm type, and perform data signing on the data to be signed based on the private key to obtain signed data.
In one embodiment, the private key acquired by the cloud platform may be a private key ciphertext, the cloud platform may further acquire a target root key tag corresponding to the private key ciphertext, and access the hardware encryption machine according to the data to be signed, the private key, the signature algorithm type and the target root key tag, so that the hardware encryption machine decrypts the private key ciphertext according to the target root key corresponding to the target root key tag to obtain a private key plaintext, and performs data signing on the data to be signed based on the private key plaintext by using the signature algorithm corresponding to the signature algorithm type to obtain the signed data.
In this embodiment, the cloud platform may obtain the corresponding private key from the storage location according to the data to be signed and the key identifier carried in the data signature request initiated by the user, and perform data signature on the data to be signed based on the private key to obtain the signed data. The user side does not need to provide a private key for the cloud platform, and does not need to store and use the private key, so that the risk of revealing the private key by the user side is effectively reduced, and the safety of the private key is effectively improved.
In one embodiment, the cloud platform may receive a signature verification request, where the signature verification request carries signed data, and the signed data refers to data subjected to data signature based on a private key. The cloud platform can determine a public key corresponding to the private key based on the signed data, and accesses the hardware encryption machine according to the public key and the signed data, so that the hardware encryption machine performs signature verification on the signed data based on the public key to obtain a signature verification result. The cloud platform can receive the signature verification result fed back by the hardware encryption machine and sends the signature verification result to the user side. The user side does not need to contact the private key completely in the process of verifying the signed data, the risk that the private key is leaked by the user side is reduced, and the safety of the private key is effectively improved.
In one embodiment, the method further comprises: after receiving a service calling request initiated by a user side, determining the request type of the service calling request; the service invocation request comprises a key generation request; acquiring a user account corresponding to a user side; inquiring the authority corresponding to the request type configured for the user account; and when the user account has the right, continuing to respond to the service invoking request.
The user side can access the cloud service through the API provided by the cloud platform, and after the cloud platform receives a service invocation request initiated by the user side, it can verify whether the user side has the authority to invoke the corresponding service. Specifically, a CAM (Cloud Access Management) module may be deployed in the cloud platform; the CAM provides user identity authentication and permission control based on the cloud platform, is responsible for the whole life cycle management of user accounts and permissions, and may be used for access control of resources and services owned by a user, so as to ensure the security of cloud resource access. The cloud platform can perform permission verification on a service invocation request initiated by the user side based on the CAM, so that the user side is prevented from accessing or invoking resources and services without authority.
As shown in fig. 10, fig. 10 is a schematic diagram of a system architecture corresponding to a cloud service platform in an embodiment. The user can access the cloud platform through an API provided by the cloud platform using the SDK or a cloud console (WEB UI). The CAM and the KMS can be deployed in the cloud platform, and when the cloud platform receives a service calling request initiated by a user side, authority control can be performed on services corresponding to the service calling request accessed by the user side through the CAM. And after determining that the user side has the right to access the corresponding service, responding to the corresponding service calling request through the KMS.
After receiving a service calling request initiated by a user side, the cloud platform can determine a request type corresponding to the service calling request. The service invocation request may include a key generation request. In one embodiment, the service invocation request may further include, but is not limited to, a public key acquisition request, a data encryption request, a data decryption request, a data signature request, a signature verification request, and the like. The cloud platform can obtain a user account corresponding to the user side, and the user account can be used for logging in the user side. The user account may be tagged with a corresponding user identity.
The cloud platform can query the permission configured for the user account and corresponding to the request type based on the CAM, so as to judge whether the permission corresponding to the request type exists in the pre-configured permission corresponding to the user account. When the user account has the corresponding authority, the cloud platform can continue to respond to the service calling request and provide the service corresponding to the service calling request for the user side.
In one embodiment, when the user account does not have the authority corresponding to the request type, the cloud platform may no longer respond to the service invocation request initiated by the user side. The cloud platform can also generate no-permission prompt information and issue the generated no-permission prompt information to the user side so as to prompt that the user identity corresponding to the user account does not have the permission for calling the service corresponding to the request type.
In this embodiment, after receiving a service invocation request initiated by a user side, the cloud platform determines the request type of the service invocation request, acquires the user account corresponding to the user side, and verifies whether the user account has the right to invoke the corresponding service by querying the right corresponding to the request type configured for that account. Only when the user account has the right does the cloud platform continue to respond to the service invocation request, which effectively improves the security of invoking the cloud platform's resources and services.
The application also provides an application scenario applying the key processing method based on the cloud service platform. Specifically, as shown in fig. 11, a data receiver 1102, a cloud platform 1104, a hardware encryptor 1106 and a data sender 1108 are connected and communicate by way of wireless communication. The key processing method based on the cloud service platform is applied to the application scene as follows: the user side may specifically be the data receiving side 1102 in the data transmission process. Data recipient 1102 initiates a key generation request to cloud platform 1104 by accessing cloud platform 1104 through a command line tool. In response to the key generation request, the cloud platform 1104 obtains the key algorithm type, and accesses the hardware encryption machine 1106 according to the key algorithm type, so that the hardware encryption machine 1106 generates a paired public key and private key. The cloud platform 1104 receives the public key and the private key fed back by the hardware encryption machine 1106, stores the private key in the storage position specified by the cloud platform 1104, and issues the public key to the data receiver 1102. The data receiver 1102 distributes the public key to the data sender 1108. The data sender 1108 performs data encryption on the data plaintext to be transmitted according to the received public key to obtain a data ciphertext. The data sender 1108 sends the data ciphertext to the data receiver 1102, so as to ensure the security of the data in the transmission process. The data receiving party 1102 initiates a data decryption request to the cloud platform 1104, where the data decryption request carries a data cipher text for data encryption based on a public key. 
The cloud platform 1104 acquires a private key paired with the public key from the storage location based on the data cipher text, and accesses the hardware encryption machine 1106 according to the private key and the data cipher text, so that the hardware encryption machine 1106 decrypts the data cipher text based on the private key to obtain a data plaintext. The cloud platform 1104 receives the data plaintext fed back by the hardware encryption machine 1106, and sends the data plaintext to the data receiver 1102.
The application also provides a data decryption method based on the cloud service platform, which can be applied to the application environment shown in fig. 1. Specifically, the cloud service platform 104 receives a data ciphertext, and the data ciphertext is generated by encrypting a data plaintext by using a public key. The cloud service platform 104 determines, based on the data ciphertext, a private key that is stored by the cloud service platform 104 and that is paired with the public key, and a decryption algorithm type corresponding to the private key. The cloud service platform 104 accesses the hardware encryption machine 106 according to the data cipher text, the decryption algorithm type and the private key, so that the hardware encryption machine 106 decrypts the data cipher text by using the decryption algorithm corresponding to the decryption algorithm type based on the private key to obtain the data plaintext. The cloud service platform 104 receives the data plaintext fed back by the hardware encryption machine 106.
In an embodiment, as shown in fig. 12, a data decryption method based on a cloud service platform is provided, which is described by taking the method as an example of being applied to the cloud service platform 104 in fig. 1, and includes the following steps:
step 1202, receiving a data ciphertext, wherein the data ciphertext is generated by encrypting a data plaintext by using a public key.
The cloud service platform (hereinafter referred to as "cloud platform") may receive a data ciphertext, and the data ciphertext is generated by encrypting a data plaintext by using a public key. When the method is applied to a data transmission scene, the data plaintext can be data to be transmitted, and the data ciphertext can be data used for transmission after being encrypted. The public key refers to a public key in asymmetric encryption. The public key may be generated in advance, and a generation manner of the public key is similar to the key generation manner in the embodiment of the key processing method based on the cloud service platform, and therefore details are not described here again.
In one embodiment, the data ciphertext received by the cloud platform may be sent by the user side. When the user side needs to decrypt the data ciphertext, it can generate a data decryption request carrying the data ciphertext and send the data decryption request to the cloud platform. The data ciphertext can be input to the user terminal by the user through an input device. For example, the user interface displayed at the user side may include a data ciphertext input box, and the user may write the data ciphertext to be decrypted into the data ciphertext input box through the input device. The user side can obtain the data ciphertext written in the data ciphertext input box, generates a data decryption request carrying the data ciphertext when receiving a data decryption trigger operation, and sends the data decryption request to the cloud platform through an API (application program interface) provided by the cloud platform. The data decryption trigger operation may specifically be a trigger operation acting on a data decryption control included in the user interface. The cloud platform can receive the data decryption request initiated by the user side and acquire the data ciphertext carried by the data decryption request.
In one embodiment, after the cloud platform receives the data ciphertext, the whole data ciphertext may be checked. Specifically, the cloud platform can read parameters for verification from the data ciphertext and verify whether the data ciphertext integrally meets the legitimacy requirement based on the read parameters. For example, the cloud platform may check whether the data cipher text meets the cipher text format requirement based on the read parameters. And when the verification result of the data ciphertext is that the verification is successful, the cloud platform can continue to decrypt the data ciphertext. When the verification result of the data ciphertext is verification failure, the cloud platform can give up decrypting the data ciphertext.
Step 1204, determining a private key paired with the public key and stored by the cloud service platform based on the data ciphertext, and a decryption algorithm type corresponding to the private key.
The cloud platform may determine, based on the received data ciphertext, a private key that is stored by the cloud platform in pairing with the public key and a decryption algorithm type that corresponds to the private key. The public key and the paired private key are stored in advance in a storage position designated by the cloud platform. The storage locations designated by the cloud platform may be uniform, or different user terminals may respectively correspond to different storage locations. The private key which is obtained by the cloud platform and is paired with the public key can be a private key plaintext or a private key ciphertext. The cloud platform may obtain, based on the obtained private key paired with the public key, a decryption algorithm type corresponding to the private key. The type of the decryption algorithm corresponding to the private key can be stored in a storage location designated by the cloud platform in association with the private key. The decryption algorithm type corresponding to the private key corresponds to the encryption algorithm type corresponding to the public key.
In one embodiment, the step of determining, based on the data ciphertext, the private key paired with the public key and the decryption algorithm type corresponding to the private key, both stored by the cloud service platform, includes: determining a key identifier corresponding to the public key based on the data ciphertext; and searching, according to the key identifier, the storage location specified by the cloud service platform for the private key paired with the public key and the decryption algorithm type corresponding to the private key.
In one embodiment, when the cloud platform does not acquire the private key paired with the public key from the storage location, the cloud platform may generate decryption failure prompt information to prompt that the private key capable of decrypting the data ciphertext is not found.
The cloud platform can read the data ciphertext and identify the key identification corresponding to the public key from the data ciphertext. The key identifier may be generated when the cloud platform generates the private key and the public key, and the key identifier may specifically be a key ID (Identity document) corresponding to the private key and the public key, and the key ID may specifically be a unique character string corresponding to the private key and the public key. After the cloud platform generates the paired public key and private key, the cloud platform stores the public key, the private key and the decryption algorithm type corresponding to the private key in a storage position corresponding to the cloud platform in an associated manner by taking the key identification as an index. The cloud platform may use the key identification as an index, and search for a private key paired with the public key and a decryption algorithm type corresponding to the private key from a storage location specified by the cloud platform.
Step 1206, accessing the hardware encryption machine according to the data ciphertext, the decryption algorithm type and the private key, so that the hardware encryption machine decrypts the data ciphertext by adopting the decryption algorithm corresponding to the decryption algorithm type based on the private key to obtain the data plaintext.
And step 1208, receiving the data plaintext fed back by the hardware encryption machine.
After the cloud platform finds the private key matched with the public key and the decryption algorithm type corresponding to the private key from the storage position, the hardware encryption machine can be accessed according to the data ciphertext, the private key and the decryption algorithm type, so that the hardware encryption machine takes the private key and the decryption algorithm type as parameters, adopts the decryption algorithm corresponding to the decryption algorithm type, decrypts the data ciphertext based on the private key, and obtains the data plaintext corresponding to the data ciphertext. The cloud platform can receive the data plaintext fed back by the hardware encryption machine and complete the decryption operation of the data ciphertext.
In one embodiment, when the data ciphertext is obtained based on a data decryption request initiated by the user side, the cloud platform may send the received data plaintext fed back by the hardware encryption machine to the corresponding user side, so that the user side displays the data plaintext through the user interface.
In this embodiment, the cloud platform stores the private key itself: it receives the data ciphertext generated by encrypting the data plaintext with the public key, and determines, based on the data ciphertext, the private key that it stores paired with the public key and the decryption algorithm type corresponding to the private key. The cloud platform accesses the hardware encryption machine according to the data ciphertext, the decryption algorithm type and the private key, so that the hardware encryption machine decrypts the data ciphertext based on the private key by adopting the decryption algorithm corresponding to the decryption algorithm type, and receives the data plaintext fed back by the hardware encryption machine. The hardware encryption machine improves the security of the private key at the hardware level. The private key paired with the public key is stored by the cloud platform and the data ciphertext is decrypted by the cloud platform and the hardware encryption machine, so the user side is not required to store or use the private key, the risk of private key leakage and loss is reduced, and the safety of the private key is effectively improved. At the same time, the safety of data plaintext encrypted with the public key paired with the private key is improved.
In one embodiment, the public key and the private key are encrypted respectively, and the private key acquired by the cloud platform is a private key ciphertext. The cloud platform can also determine a target root key tag corresponding to the public key based on the data ciphertext. The public key and the private key are encrypted by a target root key corresponding to the target root key label respectively.
In one embodiment, the cloud platform may determine, based on the data ciphertext, a key identifier corresponding to the public key, and search, with the key identifier as an index, a private key corresponding to the public key, a target root key tag, and a decryption algorithm type corresponding to the private key from a storage location.
The cloud platform can access the hardware encryption machine according to the data ciphertext, the target root key tag, the decryption algorithm type and the private key ciphertext, so that the hardware encryption machine decrypts the private key ciphertext according to the target root key corresponding to the target root key tag to obtain a private key plaintext, adopts the decryption algorithm corresponding to the decryption algorithm type, and decrypts the data ciphertext according to the private key plaintext to obtain the data plaintext.
In this embodiment, the private key acquired by the cloud platform from the storage location is a private key ciphertext, a target root key tag corresponding to the private key needs to be acquired, and the hardware encryption machine is accessed according to the target root key tag, so that the hardware encryption machine decrypts the private key ciphertext according to the target root key corresponding to the target root key tag, and decrypts the data ciphertext based on the private key plaintext obtained by decryption, so as to obtain the data plaintext. The clear text of the private key only appears in the hardware encryption machine, and the hardware encryption machine improves the security of the clear text of the private key from a hardware level. Even if the cloud platform reveals the private key, only the private key ciphertext is revealed, and the plaintext of the private key cannot be really revealed, so that the security of the private key is effectively improved.
It should be understood that although the steps in the flowcharts of figs. 2, 3, 7, 8 and 12 are shown in the order indicated by the arrows, they are not necessarily performed in that order; unless explicitly stated otherwise, the steps are not restricted to the order shown and may be performed in other orders. Moreover, at least some of the steps in figs. 2, 3, 7, 8 and 12 may comprise multiple sub-steps or stages, which need not be performed at the same time or in sequence, and which may be performed in turn or alternately with other steps or with sub-steps of other steps.
In one embodiment, as shown in fig. 13, a key processing apparatus 1300 based on a cloud service platform is provided, which may be implemented as a software module, a hardware module or a combination of the two forming part of a computer device, and which includes a request receiving module 1302, a key generation module 1304 and a key processing module 1306, wherein:
the request receiving module 1302 is configured to receive a key generation request initiated by a user side and to obtain the key algorithm type specified by the key generation request;
the key generation module 1304 is configured to access the hardware encryption machine according to the key algorithm type, so that the hardware encryption machine generates a paired public key and private key using the key algorithm corresponding to the key algorithm type; and
the key processing module 1306 is configured to receive the public key and the private key returned by the hardware encryption machine, store the private key in a storage location specified by the cloud service platform, and issue the public key to the user side.
In this embodiment, the cloud service platform receives a key generation request from the user side and accesses the hardware encryption machine according to the key algorithm type specified by the request, so that the hardware encryption machine generates the paired public key and private key using the corresponding key algorithm; the user side does not generate the key pair itself. The hardware encryption machine protects the private key at the hardware level. The platform receives the public key and private key returned by the hardware encryption machine, stores the private key in the storage location specified by the cloud service platform and issues only the public key to the user side, so the user side never receives or stores the private key; the risk of the user side losing or leaking the private key is avoided and the security of the private key is improved.
In one embodiment, the key processing apparatus 1300 further includes a data decryption module configured to receive a data decryption request initiated by the user side, the data decryption request carrying a data ciphertext produced by encrypting data with the public key; to obtain, based on the data ciphertext, the private key paired with the public key and the decryption algorithm type corresponding to the private key from the storage location; to access the hardware encryption machine with the private key, the decryption algorithm type and the data ciphertext, so that the hardware encryption machine decrypts the data ciphertext with the private key using the decryption algorithm corresponding to the decryption algorithm type to obtain the data plaintext; and to receive the data plaintext returned by the hardware encryption machine and send it to the user side.
In one embodiment, the data decryption module is further configured to determine, based on the data ciphertext, a key identifier corresponding to the public key, and to look up, according to the key identifier, the private key paired with the public key and the decryption algorithm type corresponding to the private key in the storage location specified by the cloud service platform.
In one embodiment, the data decryption module is further configured to generate decryption failure prompt information when no private key paired with the public key is found in the storage location specified by the cloud service platform, and to send the decryption failure prompt information to the user side.
In one embodiment, the public key and the private key are each encrypted, and the data decryption module is further configured to determine, based on the data ciphertext, a target root key tag corresponding to the public key, and to access the hardware encryption machine with the data ciphertext, the target root key tag, the decryption algorithm type and the private key, so that the hardware encryption machine decrypts the private key with the root key identified by the target root key tag to obtain the private key plaintext, and then decrypts the data ciphertext with the private key plaintext using the decryption algorithm corresponding to the decryption algorithm type to obtain the data plaintext.
In one embodiment, the key processing apparatus 1300 further includes a data encryption module configured to receive a data encryption request initiated by the user side; obtain the data plaintext and the public key specified by the request together with the encryption algorithm type corresponding to the public key; access the hardware encryption machine with the public key, the encryption algorithm type and the data plaintext, so that the hardware encryption machine encrypts the data plaintext with the public key using the encryption algorithm corresponding to the encryption algorithm type to obtain a data ciphertext; and receive the data ciphertext returned by the hardware encryption machine and issue it to the user side.
In one embodiment, the received public key is a public key ciphertext and the received private key is a private key ciphertext. The key generation module 1304 is further configured to obtain a target root key tag and to access the hardware encryption machine with the key algorithm type and the target root key tag, so that the hardware encryption machine generates a paired public key plaintext and private key plaintext using the key algorithm corresponding to the key algorithm type and encrypts each of them with the target root key identified by the target root key tag, producing the public key ciphertext and the private key ciphertext.
In one embodiment, the key generation module 1304 is further configured to obtain the candidate root key tag set corresponding to the hardware encryption machine, select a candidate root key tag from the set at random, and take the selected candidate root key tag as the target root key tag.
In one embodiment, the key processing module 1306 is further configured to generate a key identifier corresponding to the private key and, using the key identifier as an index, store the private key, the public key and the decryption algorithm type used for data decryption with the private key in association with one another in the storage location specified by the cloud service platform.
In one embodiment, the key processing apparatus 1300 further includes a public key issuing module configured to receive a public key acquisition request initiated by the user side, obtain the key identifier specified by the request, look up the public key in the storage location specified by the cloud service platform using the key identifier as an index, and issue the public key found to the user side.
In one embodiment, the key processing module 1306 is further configured to character-encode the binary public key and the binary private key respectively to obtain a character-encoded public key and a character-encoded private key, store the character-encoded private key in the storage location specified by the cloud service platform, and issue the character-encoded public key to the user side.
In one embodiment, the key processing apparatus 1300 further includes a permission query module configured, after a service invocation request initiated by the user side is received, to determine the request type of the service invocation request, the service invocation request including the key generation request; to obtain the user account corresponding to the user side; to query the permission configured for the user account that corresponds to the request type; and to continue responding to the service invocation request only when the user account holds that permission.
For specific limitations of the key processing apparatus based on the cloud service platform, reference may be made to the limitations of the key processing method based on the cloud service platform above, which are not repeated here. The modules of the key processing apparatus may be implemented wholly or partly in software, in hardware, or in a combination of the two; they may be embedded in hardware form in, or independent of, the processor of the computer device, or stored in software form in the memory of the computer device so that the processor can call them and perform the operations corresponding to each module.
In one embodiment, as shown in fig. 14, a data decryption apparatus 1400 based on a cloud service platform is provided, which may be implemented as a software module, a hardware module or a combination of the two forming part of a computer device, and which includes a data receiving module 1402, a private key obtaining module 1404 and a data decryption module 1406, wherein:
the data receiving module 1402 is configured to receive a data ciphertext generated by encrypting data plaintext with a public key;
the private key obtaining module 1404 is configured to determine, based on the data ciphertext, the private key stored by the cloud service platform that is paired with the public key, and the decryption algorithm type corresponding to the private key; and
the data decryption module 1406 is configured to access the hardware encryption machine with the data ciphertext, the decryption algorithm type and the private key, so that the hardware encryption machine decrypts the data ciphertext with the private key using the decryption algorithm corresponding to the decryption algorithm type to obtain the data plaintext, and to receive the data plaintext returned by the hardware encryption machine.
In this embodiment, the cloud service platform itself keeps the private key: it receives the data ciphertext generated by encrypting data plaintext with the public key, determines from the data ciphertext the stored private key paired with that public key and the corresponding decryption algorithm type, and accesses the hardware encryption machine with the data ciphertext, the decryption algorithm type and the private key, so that the hardware encryption machine decrypts the data ciphertext with the private key using the corresponding decryption algorithm and returns the data plaintext. The hardware encryption machine protects the private key at the hardware level, and because decryption is carried out by the cloud service platform together with the hardware encryption machine, the user side need neither store nor use the private key; the risk of the private key being leaked or lost is reduced, and the security of both the private key and the data plaintext encrypted under the paired public key is improved.
In one embodiment, the private key obtaining module 1404 is further configured to determine, based on the data ciphertext, a key identifier corresponding to the public key, and to look up, according to the key identifier, the private key paired with the public key and the decryption algorithm type corresponding to the private key in the storage location specified by the cloud service platform.
In one embodiment, the public key and the private key are each encrypted, and the data decryption module 1406 is further configured to determine, based on the data ciphertext, a target root key tag corresponding to the public key, and to access the hardware encryption machine with the data ciphertext, the target root key tag, the decryption algorithm type and the private key, so that the hardware encryption machine decrypts the private key with the root key identified by the target root key tag to obtain the private key plaintext, and then decrypts the data ciphertext with the private key plaintext using the decryption algorithm corresponding to the decryption algorithm type to obtain the data plaintext.
For specific limitations of the data decryption apparatus based on the cloud service platform, reference may be made to the limitations of the data decryption method based on the cloud service platform above, which are not repeated here. The modules of the data decryption apparatus may be implemented wholly or partly in software, in hardware, or in a combination of the two; they may be embedded in hardware form in, or independent of, the processor of the computer device, or stored in software form in the memory of the computer device so that the processor can call them and perform the operations corresponding to each module.
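The custody flow described across the method embodiments and the two apparatus embodiments above, as an added Python model that is not part of the patent or of any Tencent product: the key pair is generated inside the hardware encryption machine and leaves it only as ciphertext under a target root key picked at random from the machine's candidate root key tag set; the platform stores the private key ciphertext, the public key, the root key tag and the decryption algorithm type under a key identifier; at decryption time the key identifier is recovered from the data ciphertext, a missing key yields the decryption failure result, and every request is checked against the user account's permissions for that request type first. The example runs on the standard library only (Python 3.8 or later, for `pow(e, -1, phi)` and the walrus operator). The `HardwareEncryptionMachine` and `KeyService` classes, the `key_id:` envelope prefix, the account names and the permission table are all constructed for the example, and the cryptography is deliberately toy-sized: textbook RSA with a 256-bit modulus and no padding, wrapped under an HMAC-based encrypt-then-MAC, chosen to make the custody boundary visible rather than to stand in for a production cipher suite.

```python
import base64, hashlib, hmac, json, secrets

def _is_probable_prime(n, rounds=16):  # Miller-Rabin; every n tested here is >= 2**127
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:  # random odd candidate with the top bit set, until one passes the test
        if _is_probable_prime(cand := secrets.randbits(bits) | (1 << (bits - 1)) | 1):
            return cand

def _keystream(root_key, nonce, length):
    return b"".join(hmac.new(root_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def _wrap(root_key, data):  # toy encrypt-then-MAC under a root key; a real HSM would use an AEAD key wrap
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(root_key, nonce, len(data))))
    return nonce + body + hmac.new(root_key, nonce + body, hashlib.sha256).digest()

def _unwrap(root_key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(root_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(body, _keystream(root_key, nonce, len(body))))

class HardwareEncryptionMachine:
    """Stand-in for the HSM: root keys never leave this object; private-key plaintext exists only inside its methods."""
    def __init__(self, root_key_tags):
        self.root_key_tags = tuple(root_key_tags)  # the candidate root key tag set (tags only)
        self._root_keys = {tag: secrets.token_bytes(32) for tag in root_key_tags}

    def generate_key_pair(self, key_algorithm_type, root_key_tag):
        assert key_algorithm_type == "RSA", "only the toy RSA key algorithm type is modelled"
        while True:  # toy 256-bit modulus; production keys are 2048+ bits and use OAEP padding
            p, q = _gen_prime(128), _gen_prime(128)
            n, phi = p * q, (p - 1) * (q - 1)
            if p != q and phi % 65537:  # keep e = 65537 coprime to phi
                break
        public_ct = _wrap(self._root_keys[root_key_tag], json.dumps({"n": n, "e": 65537}).encode())
        private_ct = _wrap(self._root_keys[root_key_tag], json.dumps({"n": n, "d": pow(65537, -1, phi)}).encode())
        return public_ct, private_ct  # both leave the HSM only as root-key ciphertext

    def encrypt(self, root_key_tag, public_key_ct, plaintext):
        k = json.loads(_unwrap(self._root_keys[root_key_tag], public_key_ct))
        m = int.from_bytes(plaintext, "big")
        if m >= k["n"]:
            raise ValueError("plaintext too long for the toy modulus")
        return pow(m, k["e"], k["n"]).to_bytes(32, "big")

    def decrypt(self, root_key_tag, private_key_ct, ciphertext):
        k = json.loads(_unwrap(self._root_keys[root_key_tag], private_key_ct))
        m = pow(int.from_bytes(ciphertext, "big"), k["d"], k["n"])
        return m.to_bytes((m.bit_length() + 7) // 8, "big")

class KeyService:
    """The cloud platform: private keys are held only as root-key ciphertext, indexed by key identifier."""
    PERMISSIONS = {"alice": {"GenerateKey", "Encrypt", "Decrypt"}, "bob": {"Encrypt"}}  # constructed accounts
    def __init__(self, hsm):
        self._hsm, self._store = hsm, {}  # key_id -> record; no private-key plaintext is ever stored here

    def _authorize(self, account, request_type):
        if request_type not in self.PERMISSIONS.get(account, ()):
            raise PermissionError(f"{account} lacks the {request_type} permission")

    def generate_key(self, account, key_algorithm_type="RSA"):
        self._authorize(account, "GenerateKey")
        root_key_tag = secrets.choice(self._hsm.root_key_tags)  # random choice = the target root key tag
        public_ct, private_ct = self._hsm.generate_key_pair(key_algorithm_type, root_key_tag)
        key_id = secrets.token_hex(8)
        self._store[key_id] = {"public_key_ct": public_ct, "private_key_ct": private_ct,
                               "root_key_tag": root_key_tag, "decryption_algorithm_type": key_algorithm_type}
        return key_id, base64.b64encode(public_ct).decode()  # character-coded public key for the user side

    def encrypt(self, account, key_id, plaintext):
        self._authorize(account, "Encrypt")
        rec = self._store[key_id]
        body = self._hsm.encrypt(rec["root_key_tag"], rec["public_key_ct"], plaintext)
        return key_id.encode() + b":" + base64.b64encode(body)  # the key identifier travels with the ciphertext

    def decrypt(self, account, data_ciphertext):
        self._authorize(account, "Decrypt")
        key_id, _, body = data_ciphertext.partition(b":")
        rec = self._store.get(key_id.decode(errors="replace"))
        if rec is None:
            return None  # decryption failure prompt: no private key paired with this public key
        return self._hsm.decrypt(rec["root_key_tag"], rec["private_key_ct"], base64.b64decode(body))
```

Driving it looks like `kms = KeyService(HardwareEncryptionMachine(("rk-01", "rk-02", "rk-03")))`, then `key_id, public_key = kms.generate_key("alice")`, `ct = kms.encrypt("alice", key_id, b"card number 4111")` and `kms.decrypt("alice", ct)`. What the model makes concrete is the boundary the embodiments rely on: `KeyService._store` never holds anything but root-key ciphertext, `HardwareEncryptionMachine._root_keys` is never read from outside that class, and a private key ciphertext that has been altered in storage fails the wrap's integrity check before any decryption is attempted. Carrying the key identifier as a prefix of the data ciphertext is one way to realise "determining the key identifier based on the data ciphertext"; the patent does not fix an envelope format.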
In one embodiment, a computer device is provided, which may be the cloud server corresponding to the cloud service platform and whose internal structure may be as shown in fig. 15. The computer device includes a processor, a memory and a network interface connected by a system bus. The processor provides computing and control capability. The memory includes a non-volatile storage medium and an internal memory; the non-volatile storage medium stores an operating system, a computer program and a database, and the internal memory provides the runtime environment for the operating system and the computer program held on the non-volatile storage medium. The database stores the key processing data and the data decryption data of the cloud service platform. The network interface communicates with external terminals over a network connection. When executed by the processor, the computer program implements the key processing method and the data decryption method based on the cloud service platform.
Those skilled in the art will appreciate that the structure shown in fig. 15 is merely a block diagram of part of the structure relevant to the present disclosure and does not limit the computer devices to which the disclosure applies; a particular computer device may include more or fewer components than shown, combine certain components, or arrange them differently.
In one embodiment, a computer device is further provided, which includes a memory and a processor, the memory storing a computer program; when the processor executes the computer program, the steps of the method embodiments above are implemented.
In one embodiment, a computer-readable storage medium is provided, storing a computer program which, when executed by a processor, implements the steps of the method embodiments above.
In one embodiment, a computer program product or computer program is provided, which includes computer instructions stored in a computer-readable storage medium. The processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, causing the computer device to perform the steps of the method embodiments above.
Those skilled in the art will understand that all or part of the processes of the method embodiments above can be implemented by a computer program instructing the relevant hardware; the computer program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the method embodiments above. Any reference to memory, storage, a database or another medium in the embodiments provided herein may include non-volatile memory, volatile memory, or both. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical storage and the like. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM may take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM).
The technical features of the above embodiments may be combined arbitrarily. For brevity, not every possible combination of the technical features of the above embodiments is described, but any combination of them that involves no contradiction should be considered within the scope of this specification.
The embodiments above express only several implementations of the present application and are described in relatively specific detail, but they are not to be construed as limiting the scope of the invention. Those skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within its scope of protection. The scope of protection of this patent is therefore defined by the appended claims.

Claims (15)

1. A key processing method based on a cloud service platform, characterized by comprising:
receiving a key generation request initiated by a user side;
obtaining a key algorithm type specified by the key generation request;
accessing a hardware encryption machine according to the key algorithm type, so that the hardware encryption machine generates a paired public key and private key using a key algorithm corresponding to the key algorithm type;
receiving the public key and the private key returned by the hardware encryption machine; and
storing the private key in a storage location specified by the cloud service platform, and issuing the public key to the user side.
2. The method of claim 1, further comprising:
receiving a data decryption request initiated by the user side, the data decryption request carrying a data ciphertext produced by encrypting data with the public key;
obtaining, based on the data ciphertext, the private key paired with the public key and a decryption algorithm type corresponding to the private key from the storage location;
accessing the hardware encryption machine according to the private key, the decryption algorithm type and the data ciphertext, so that the hardware encryption machine decrypts the data ciphertext with the private key using a decryption algorithm corresponding to the decryption algorithm type to obtain a data plaintext; and
receiving the data plaintext returned by the hardware encryption machine, and sending the data plaintext to the user side.
3. The method of claim 2, wherein obtaining, based on the data ciphertext, the private key paired with the public key and the decryption algorithm type corresponding to the private key from the storage location comprises:
determining a key identifier corresponding to the public key based on the data ciphertext; and
looking up, according to the key identifier, the private key paired with the public key and the decryption algorithm type corresponding to the private key in the storage location specified by the cloud service platform.
4. The method of claim 3, further comprising:
generating decryption failure prompt information when no private key paired with the public key is found in the storage location specified by the cloud service platform; and
sending the decryption failure prompt information to the user side.
5. The method of claim 2, wherein the public key and the private key are each encrypted, and the method further comprises:
determining a target root key tag corresponding to the public key based on the data ciphertext;
and wherein accessing the hardware encryption machine according to the private key, the decryption algorithm type and the data ciphertext, so that the hardware encryption machine decrypts the data ciphertext with the private key using the decryption algorithm corresponding to the decryption algorithm type to obtain the data plaintext, comprises:
accessing the hardware encryption machine according to the data ciphertext, the target root key tag, the decryption algorithm type and the private key, so that the hardware encryption machine decrypts the private key with a root key corresponding to the target root key tag to obtain a private key plaintext, and decrypts the data ciphertext with the private key plaintext using the decryption algorithm corresponding to the decryption algorithm type to obtain the data plaintext.
6. The method of claim 1, further comprising:
receiving a data encryption request initiated by the user side, and obtaining a data plaintext and a public key specified by the data encryption request together with an encryption algorithm type corresponding to the public key;
accessing the hardware encryption machine according to the public key, the encryption algorithm type and the data plaintext, so that the hardware encryption machine encrypts the data plaintext with the public key using an encryption algorithm corresponding to the encryption algorithm type to obtain a data ciphertext; and
receiving the data ciphertext returned by the hardware encryption machine, and sending the data ciphertext to the user side.
7. The method of claim 1, wherein the received public key is a public key ciphertext and the received private key is a private key ciphertext; the method further comprises obtaining a target root key tag;
and accessing the hardware encryption machine according to the key algorithm type, so that the hardware encryption machine generates a paired public key and private key using the key algorithm corresponding to the key algorithm type, comprises:
accessing the hardware encryption machine according to the key algorithm type and the target root key tag, so that the hardware encryption machine generates a paired public key plaintext and private key plaintext using the key algorithm corresponding to the key algorithm type, and encrypts the public key plaintext and the private key plaintext respectively with a target root key corresponding to the target root key tag to obtain the public key ciphertext and the private key ciphertext.
8. The method of claim 7, wherein obtaining the target root key tag comprises:
obtaining a candidate root key tag set corresponding to the hardware encryption machine; and
randomly selecting a candidate root key tag from the candidate root key tag set, and taking the selected candidate root key tag as the target root key tag.
9. The method of claim 1, wherein storing the private key in a storage location specified by the cloud service platform comprises:
generating a key identifier corresponding to the private key; and
storing, using the key identifier as an index, the private key, the public key and the decryption algorithm type used for data decryption with the private key in association with one another in the storage location specified by the cloud service platform.
10. The method of claim 9, further comprising:
receiving a public key acquisition request initiated by the user side;
obtaining a key identifier specified by the public key acquisition request;
looking up the public key in the storage location specified by the cloud service platform using the key identifier as an index; and
issuing the public key found to the user side.
11. The method of claim 1, wherein storing the private key in a storage location specified by the cloud service platform and issuing the public key to the user side comprises:
character-encoding the binary public key and the binary private key respectively to obtain a character-encoded public key and a character-encoded private key;
storing the character-encoded private key in the storage location specified by the cloud service platform; and
issuing the character-encoded public key to the user side.
12. The method of any one of claims 1 to 11, further comprising:
after receiving a service invocation request initiated by the user side, determining the request type of the service invocation request, the service invocation request including the key generation request;
obtaining a user account corresponding to the user side;
querying the permission configured for the user account that corresponds to the request type; and
continuing to respond to the service invocation request when the user account holds the permission.
13. A key processing apparatus based on a cloud service platform, the apparatus comprising:
a request receiving module, configured to receive a key generation request initiated by a user side and to obtain a key algorithm type specified by the key generation request;
a key generation module, configured to access a hardware encryption machine according to the key algorithm type, so that the hardware encryption machine generates a paired public key and private key using a key algorithm corresponding to the key algorithm type; and
a key processing module, configured to receive the public key and the private key returned by the hardware encryption machine, store the private key in a storage location specified by the cloud service platform, and issue the public key to the user side.
14. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any one of claims 1 to 12.
15. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method of any one of claims 1 to 12.
CN202010671789.9A 2020-07-14 2020-07-14 Key processing method and device based on cloud service platform and computer equipment Active CN111565107B (en)

Publications (2)

Publication Number Publication Date
CN111565107A true CN111565107A (en) 2020-08-21
CN111565107B CN111565107B (en) 2020-11-27

Family

ID=72072793

Country Status (1)

Country Link
CN (1) CN111565107B (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112637201A (en) * 2020-12-22 2021-04-09 北京浪潮数据技术有限公司 Request processing method, device, equipment and system of web server
CN112685786A (en) * 2021-01-27 2021-04-20 永辉云金科技有限公司 Financial data encryption and decryption method, system, equipment and storage medium
CN113139166A (en) * 2021-03-16 2021-07-20 标信智链(杭州)科技发展有限公司 Evaluation expert signature method and device based on cloud certificate
CN113347144A (en) * 2021-04-14 2021-09-03 西安慧博文定信息技术有限公司 Method, system, equipment and storage medium for reciprocal data encryption
CN113672957A (en) * 2021-08-23 2021-11-19 平安国际智慧城市科技股份有限公司 Method, device and equipment for processing buried point data and storage medium
CN114095165A (en) * 2021-11-22 2022-02-25 中国建设银行股份有限公司 Key updating method, server device, client device and storage medium
CN114285655A (en) * 2021-12-27 2022-04-05 中国电信股份有限公司 Key determination method and device, storage medium and electronic device
CN114499836A (en) * 2021-12-29 2022-05-13 北京像素软件科技股份有限公司 Key management method, key management device, computer equipment and readable storage medium
CN114897112A (en) * 2022-04-18 2022-08-12 上海美的茵信息技术有限公司 Diagnostic data transmission method and device for diagnostic equipment based on two-dimensional code mode, computer equipment and storage medium
CN115422570A (en) * 2022-11-07 2022-12-02 北京数盾信息科技有限公司 Data processing method and system for distributed storage

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100228970A1 (en) * 2001-01-10 2010-09-09 Sony Corporation Public key certificate issuing system, public key certificate issuing method, digital certification apparatus, and program storage medium
CN102088349A (en) * 2010-12-27 2011-06-08 深圳市安捷信联科技有限公司 Personalized method and system of intelligent card
CN102833253A (en) * 2012-08-29 2012-12-19 五八同城信息技术有限公司 Method and server for establishing safe connection between client and server
CN105512886A (en) * 2015-12-04 2016-04-20 成都中联信通科技股份有限公司 NFC technology-based financial IC card on-line payment method
CN105577680A (en) * 2016-01-18 2016-05-11 青岛海尔智能家电科技有限公司 Key generation method, encrypted data analyzing method, devices and key managing center
CN108513704A (en) * 2018-04-17 2018-09-07 福建联迪商用设备有限公司 The remote distribution method and its system of terminal master key
CN108809906A (en) * 2017-05-03 2018-11-13 腾讯科技(深圳)有限公司 Data processing method, system and device
CN108833449A (en) * 2018-08-22 2018-11-16 海南新软软件有限公司 Web communication encrypted transmission method, apparatus and system based on RAS algorithm
US10277580B1 (en) * 2013-12-23 2019-04-30 Digicert, Inc. Multi-algorithm key generation and certificate install
CN110378110A (en) * 2019-06-28 2019-10-25 北京威努特技术有限公司 Software cryptography processing method, software verification method and device

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100228970A1 (en) * 2001-01-10 2010-09-09 Sony Corporation Public key certificate issuing system, public key certificate issuing method, digital certification apparatus, and program storage medium
CN102088349A (en) * 2010-12-27 2011-06-08 深圳市安捷信联科技有限公司 Personalized method and system of intelligent card
CN102833253A (en) * 2012-08-29 2012-12-19 五八同城信息技术有限公司 Method and server for establishing safe connection between client and server
US10277580B1 (en) * 2013-12-23 2019-04-30 Digicert, Inc. Multi-algorithm key generation and certificate install
CN105512886A (en) * 2015-12-04 2016-04-20 成都中联信通科技股份有限公司 NFC technology-based financial IC card on-line payment method
CN105577680A (en) * 2016-01-18 2016-05-11 青岛海尔智能家电科技有限公司 Key generation method, encrypted data analyzing method, devices and key managing center
CN108809906A (en) * 2017-05-03 2018-11-13 腾讯科技(深圳)有限公司 Data processing method, system and device
CN108513704A (en) * 2018-04-17 2018-09-07 福建联迪商用设备有限公司 The remote distribution method and its system of terminal master key
CN108833449A (en) * 2018-08-22 2018-11-16 海南新软软件有限公司 Web communication encrypted transmission method, apparatus and system based on RAS algorithm
CN110378110A (en) * 2019-06-28 2019-10-25 北京威努特技术有限公司 Software cryptography processing method, software verification method and device

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112637201B (en) * 2020-12-22 2023-04-21 北京浪潮数据技术有限公司 Method, device, equipment and system for processing request of web server
CN112637201A (en) * 2020-12-22 2021-04-09 北京浪潮数据技术有限公司 Request processing method, device, equipment and system of web server
CN112685786A (en) * 2021-01-27 2021-04-20 永辉云金科技有限公司 Financial data encryption and decryption method, system, equipment and storage medium
CN113139166A (en) * 2021-03-16 2021-07-20 标信智链(杭州)科技发展有限公司 Evaluation expert signature method and device based on cloud certificate
CN113347144A (en) * 2021-04-14 2021-09-03 西安慧博文定信息技术有限公司 Method, system, equipment and storage medium for reciprocal data encryption
CN113672957A (en) * 2021-08-23 2021-11-19 平安国际智慧城市科技股份有限公司 Method, device and equipment for processing buried point data and storage medium
CN114095165A (en) * 2021-11-22 2022-02-25 中国建设银行股份有限公司 Key updating method, server device, client device and storage medium
CN114095165B (en) * 2021-11-22 2024-04-26 中国建设银行股份有限公司 Key updating method, server device, client device and storage medium
CN114285655A (en) * 2021-12-27 2022-04-05 中国电信股份有限公司 Key determination method and device, storage medium and electronic device
CN114285655B (en) * 2021-12-27 2024-04-30 中国电信股份有限公司 Method and device for determining secret key, storage medium and electronic device
CN114499836A (en) * 2021-12-29 2022-05-13 北京像素软件科技股份有限公司 Key management method, key management device, computer equipment and readable storage medium
CN114897112A (en) * 2022-04-18 2022-08-12 上海美的茵信息技术有限公司 Diagnostic data transmission method and device for diagnostic equipment based on two-dimensional code mode, computer equipment and storage medium
CN114897112B (en) * 2022-04-18 2023-07-18 上海美的茵信息技术有限公司 Diagnostic data transmission method based on two-dimension code, computer equipment and storage medium
CN115422570A (en) * 2022-11-07 2022-12-02 北京数盾信息科技有限公司 Data processing method and system for distributed storage

Also Published As

Publication number Publication date
CN111565107B (en) 2020-11-27

Similar Documents

Publication Publication Date Title
CN111565107B (en) Key processing method and device based on cloud service platform and computer equipment
US11706026B2 (en) Location aware cryptography
CN107689869B (en) User password management method and server
US8484480B2 (en) Transmitting information using virtual input layout
CA3116405A1 (en) Systems and methods for distributed data storage and delivery using blockchain
CN113691502B (en) Communication method, device, gateway server, client and storage medium
EP3299990A1 (en) Electronic device server and method for communicating with server
CN101510888B (en) Method, device and system for improving data security for SaaS application
CN107342861B (en) Data processing method, device and system
CN113067699B (en) Data sharing method and device based on quantum key and computer equipment
CN108199847B (en) Digital security processing method, computer device, and storage medium
CN110781140B (en) Method, device, computer equipment and storage medium for signing data in blockchain
KR20180101870A (en) Method and system for data sharing using attribute-based encryption in cloud computing
CN104917807A (en) Resource transfer method, apparatus and system
CN105101183A (en) Method and system for protecting private contents at mobile terminal
CN104243149A (en) Encrypting and decrypting method, device and server
CN102404337A (en) Data encryption method and device
US20200044838A1 (en) Data encryption method and system using device authentication key
CN113489706B (en) Data processing method, device, system, equipment and storage medium
CN114844688A (en) Data transmission method, device, equipment and computer storage medium
CN109120576B (en) Data sharing method and device, computer equipment and storage medium
CN107707611B (en) Electric power data cloud processing method, device and system
CN116366364A (en) Terminal data processing method and system for cloud computer
CN114389802B (en) Information decryption method and device, electronic equipment and readable storage medium
US20220171844A1 (en) Secure password storage system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40028343; Country of ref document: HK)