CN111970126A - Key management method and device - Google Patents

Key management method and device

Info

Publication number
CN111970126A
Authority
CN
China
Prior art keywords
key
role
identity authentication
identity
decryption key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010897527.4A
Other languages
Chinese (zh)
Inventor
王东临
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING SURSEN NETWORK TECHNOLOGY CO LTD
Original Assignee
BEIJING SURSEN NETWORK TECHNOLOGY CO LTD
Application filed by BEIJING SURSEN NETWORK TECHNOLOGY CO LTD
Priority to CN202010897527.4A
Publication of CN111970126A
Priority to PCT/CN2021/115727 (WO2022042746A1)
Priority to US18/175,872 (US20230208634A1)
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • H04L9/0847 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates

Abstract

The application provides a key management method and a device, wherein the key management method comprises the following steps: obtaining the authorization of a user through a first identity authentication mode to generate a first authentication encryption key, wherein the first identity authentication mode is used for logging in a digital identity; and encrypting the at least one role decryption key by using the first authentication encryption key to obtain at least one initial encrypted role decryption key corresponding to the first identity authentication mode, wherein the at least one role decryption key corresponds to the at least one role of the digital identity one to one and is used for decrypting the at least one encrypted target key to obtain at least one target key. According to the technical scheme, the identity authentication mode can be associated with the target key, and the management and the use process of the target key are facilitated.

Description

Key management method and device
Technical Field
The present application relates to the field of encryption technologies, and in particular, to a key management method and apparatus.
Background
As blockchain technology has grown, more and more investors have come into contact with digital currency. However, because the key that controls digital currency is long and has no memorable structure, it is often very hard to memorize, which has become a barrier to the adoption of digital currency. To make keeping keys more convenient and more secure for users, some solutions have appeared on the market in recent years, but none has genuinely relieved users of the burden of key management.
Meanwhile, the internet of things is developing rapidly, and more and more products in daily life are becoming intelligently managed. However, these intelligent products leave the user managing numerous scattered accounts, which is inconvenient, and if the accounts are managed poorly the user's assets can even be put at risk.
Disclosure of Invention
In view of this, in order to solve the above problems faced by users in asset management in the prior art, embodiments of the present application provide a key management method and apparatus.
According to a first aspect of embodiments of the present application, there is provided a key management method, including: obtaining the authorization of a user through a first identity authentication mode to generate a first authentication encryption key, wherein the first identity authentication mode is used for logging in a digital identity; and encrypting the at least one role decryption key by using the first authentication encryption key to obtain at least one initial encrypted role decryption key corresponding to the first identity authentication mode, wherein the at least one role decryption key corresponds to the at least one role of the digital identity one to one and is used for decrypting the at least one encrypted target key to obtain at least one target key.
According to a second aspect of embodiments of the present application, there is provided a key management apparatus including: the first obtaining module is used for obtaining the authorization of a user through a first identity authentication mode to generate a first authentication encryption key, wherein the first identity authentication mode is used for logging in a digital identity; the first encryption module is configured to encrypt at least one role decryption key by using a first authentication encryption key to obtain at least one initial encrypted role decryption key corresponding to the first identity authentication method, where the at least one role decryption key corresponds to at least one role of the digital identity in a one-to-one manner, and is configured to decrypt at least one encrypted target key to obtain at least one target key.
According to a third aspect of embodiments of the present application, there is provided an electronic apparatus, including: a processor; a memory, wherein the memory is configured to store processor-executable instructions, which when executed by the processor, cause the processor to perform the key management method provided by the first aspect.
According to a fourth aspect of embodiments herein, there is provided a computer-readable storage medium comprising computer instructions stored thereon, which, when executed by a processor, cause the processor to perform the key management method provided by the first aspect described above.
The embodiment of the application provides a key management method and a key management device, wherein a first authentication encryption key corresponding to a first identity authentication mode is generated, and at least one role decryption key under a digital identity is encrypted by using the first authentication encryption key, wherein the at least one role decryption key is used for decrypting an encrypted target key to obtain at least one target key, so that the identity authentication mode and the target key can be associated, and the management and the use process of the target key are facilitated.
Drawings
Fig. 1 is a schematic system architecture diagram of a key management system according to an exemplary embodiment of the present application.
Fig. 2 is a flowchart illustrating a key management method according to an exemplary embodiment of the present application.
Fig. 3 is a flowchart illustrating a key management method according to another exemplary embodiment of the present application.
Fig. 4 is a flowchart illustrating a key management method according to another exemplary embodiment of the present application.
Fig. 5 is a flowchart illustrating a key management method according to another exemplary embodiment of the present application.
Fig. 6 is a flowchart illustrating a key management method according to another exemplary embodiment of the present application.
Fig. 7 is a flowchart illustrating a key management method according to another exemplary embodiment of the present application.
Fig. 8 is a flowchart illustrating a key management method according to another exemplary embodiment of the present application.
Fig. 9 is a flowchart illustrating a key management method according to another exemplary embodiment of the present application.
Fig. 10 is a schematic structural diagram of a key management device according to an exemplary embodiment of the present application.
Fig. 11 is a schematic structural diagram of a key management device according to another exemplary embodiment of the present application.
Fig. 12 is a block diagram of an electronic device for key management provided by an exemplary embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Summary of the application
In the prior art, a key is a means of authenticating a machine, not a person. A key can be used to manage digital currency and also to perform an intelligent operation (for example, opening or closing a smart door lock), as the user requires. However, existing keys have several problems in use. For example, to improve security, keys are made long, so the user easily forgets them; different digital currencies or intelligent operations may each need a different key, so the user easily confuses the various keys; and a key can be stolen while it is being used. As a result, existing keys have low overall security and are inconvenient to use.
Exemplary System
Fig. 1 is a system architecture diagram of a key management system according to an exemplary embodiment of the present application, which illustrates an application scenario of key management by an electronic device. As shown in fig. 1, the key management system 1 includes an electronic device 10 and a server 20. The electronic device 10 may obtain the authorization of the user through the first identity authentication manner to generate a first authentication encryption key and a first authentication decryption key, encrypt the role key based on the first authentication encryption key, and store the encrypted role key to the server 20, so as to implement the creation process of the digital identity or the addition process of the first identity authentication manner of the digital identity. Further, the electronic device 10 may implement a role key management or usage process by obtaining the encrypted role key from the server 20 and decrypting it.
In another embodiment, the electronic device 10 may obtain the authorization of the user through the first identity authentication manner to generate a first authentication encryption key and a first authentication decryption key, encrypt the role key based on the first authentication encryption key, and store the encrypted role key in the electronic device 10, so as to implement the creation process of the digital identity or the addition process of the first identity authentication manner of the digital identity. Further, the electronic device 10 may implement a role key management or usage process by decrypting the encrypted role key.
Here, the electronic device 10 may be a mobile device such as a mobile phone, game console, tablet computer, camera, video camera or vehicle-mounted computer; a computer such as a notebook or desktop computer; or any other electronic device with a processor and memory. Whichever form the electronic device 10 takes, the first authentication manner may authenticate the user through a piece of information the user already holds, such as an account on a third-party platform, for example the account of an application the user has installed on the electronic device 10.
It should be noted that the above application scenarios are only presented to facilitate understanding of the spirit and principles of the present application, and the embodiments of the present application are not limited thereto. Rather, embodiments of the present application may be applied to any scenario where it may be applicable.
Exemplary method
Fig. 2 is a flowchart illustrating a key management method according to an exemplary embodiment of the present application. The method of fig. 2 may be executed by an electronic device, for example a mobile phone, and in particular by the client corresponding to a digital identity on that device. As shown in fig. 2, the key management method relates to the process of creating a digital identity or of adding a first identity authentication mode to the digital identity, and specifically includes the following steps.
S210: obtain the authorization of the user through a first identity authentication mode to generate a first authentication encryption key, where the first identity authentication mode is used for logging in to the digital identity.
The user may create the digital identity through the first identity authentication mode, or, if the digital identity was created in advance, add the first identity authentication mode to it.
In one embodiment, the digital identity may be created in advance, being an empty digital identity. In the process of adding the first identity authentication mode to the digital identity, at least one role can be set for the digital identity, each role corresponds to different rights and is used for managing or using different digital currencies or executing different intelligent operations.
In one embodiment, a plurality of roles are created for a digital identity through a first identity authentication means. After the digital identity is created, the user can log in the digital identity through a first identity authentication mode and can use the authority corresponding to any role to execute corresponding operation.
Further, the user can add other identity authentication modes to the digital identity through the first identity authentication mode. Any of these identity authentication modes can log in to the digital identity, and different identity authentication modes may be granted the authorities of different roles.
The identity authentication mode may be a mode of performing identity authentication on the user through one existing information of the user, where the existing information of the user may include a third party platform account, an identity authentication chip, a human body biometric characteristic, a terminal system account, and the like, which are held by the user. The third-party platform account may be a social platform account, a shopping platform account, a financial platform account, a mobile phone number account, a network service account, an intelligent internet of things platform account, and the like held by the user, for example: WeChat account, Microsoft account, Taobao account, cell phone bank account, etc. It should be understood that the embodiments of the present application do not limit the specific types of existing information of the user.
It should be understood that the term "user" as used in this application is not limited to a natural person, but may also include, for example, a machine, a monkey, a virtual identity, an organization, etc., and the application does not limit the true identity of the user.
In an embodiment, the electronic device may generate a first authentication decryption key and a first authentication encryption key corresponding to a first authentication manner based on the first authentication manner. The authentication decryption key and the authentication encryption key can be used for verifying the identity authentication mode, so that the user can conveniently use the corresponding authority of the identity authentication mode.
The authentication decryption key and the authentication encryption key may be symmetric keys or asymmetric keys. The authentication encryption key may be an authentication public key and the authentication decryption key may be an authentication private key.
When the authentication decryption key and the authentication encryption key are symmetric keys, the two are the same; when they are asymmetric keys, the two are different.
The first authentication decryption key may be stored locally on the electronic device or on the server side.
S220: encrypt the at least one role decryption key by using the first authentication encryption key to obtain at least one initial encrypted role decryption key corresponding to the first identity authentication mode, where the at least one role decryption key corresponds one to one to the at least one role of the digital identity and is used for decrypting the at least one encrypted target key to obtain at least one target key.
In one embodiment, at least one target key is used to manage assets corresponding to at least one role, respectively. When multiple roles are created for a digital identity through a first identity authentication means, a corresponding role decryption key may be generated for each role. Each role decryption key may correspond to one or more target keys for decrypting the encrypted target keys to obtain corresponding target keys.
In particular, the role decryption key may be randomly generated by the electronic device. Here, when a plurality of roles are created for the digital identity through the first identity authentication method, a corresponding role encryption key may also be generated for each role. Similar to the authentication key, the role decryption key and the role encryption key may be symmetric keys or asymmetric keys.
In another embodiment, the role decryption key may be generated at the server side.
Specifically, the digital identity may own at least one asset, such as an account number in digital currency, account numbers in various login manners, and the like. Wherein each asset has an associated target key for managing the corresponding asset. The encrypted target key can be stored at the server side or locally.
When a digital identity has only one role, namely a first role, the first role can have management rights for all assets held by the digital identity; when a digital identity contains multiple roles, different roles may each have management rights over different assets held by the digital identity. For example, a digital identity may comprise a first role having authority to manage WeChat accounts, microblog accounts and bus boarding cards, and a second role having authority to manage smart door locks and digital currency accounts.
Further, when a role is granted management authority over at least one asset, the at least one target key corresponding to those assets can be encrypted with the role encryption key of that role, so that at least one encrypted target key is obtained and stored in the digital identity. For example, the first role encryption key is used to encrypt the target key of the asset corresponding to the first role, so as to obtain the encrypted target key. Thus, once the electronic device has obtained the role decryption key, it can decrypt the encrypted target key with the role decryption key to obtain the target key.
Preferably, in another embodiment, after obtaining the target key, the electronic device may further use the target key to manage the asset corresponding to the target key according to an instruction of the user. For example, when the target key is a key of a digital money account, the user may issue an operation instruction to perform balance check on the digital money account. After receiving the operation instruction, the electronic device may find the corresponding encrypted target key, and decrypt the encrypted target key using the first role decryption key, thereby obtaining the target key and executing the operation instruction sent by the user.
The embodiment of the application provides a key management method, which includes generating a first authentication encryption key corresponding to a first identity authentication mode, and encrypting at least one role decryption key under a digital identity by using the first authentication encryption key, wherein the at least one role decryption key is used for decrypting an encrypted target key to obtain at least one target key, so that the identity authentication mode can be associated with the target key, and the management and the use process of the target key are facilitated.
Fig. 3 is a flowchart illustrating a key management method according to another exemplary embodiment of the present application. The embodiment shown in fig. 3 of the present application is extended based on the embodiment shown in fig. 2 of the present application, and the differences between the embodiment shown in fig. 3 and the embodiment shown in fig. 2 are emphasized below, and the descriptions of the same parts are omitted.
As shown in fig. 3, on the basis of the embodiment shown in fig. 2, the key management method provided in the embodiment of the present application further includes the following steps.
S230: and generating a third storage key based on the identity authentication information corresponding to the first identity authentication mode.
S240: and generating a first authentication decryption key corresponding to the first authentication encryption key.
S245: and encrypting the first authentication decryption key by using the third storage key to obtain the encrypted first authentication decryption key.
In this embodiment, the first authentication decryption key is encrypted, so that the security of the first authentication decryption key acquisition process can be ensured, and the security of the whole target key management and use process can be further improved. The encrypted first authentication decryption key may be stored locally. Here, the first authentication decryption key may be encrypted using the third storage key. The third storage key may be a symmetric key or an asymmetric key.
In an embodiment, the identity authentication information is non-public identity authentication information, and the third storage key may be generated based on that non-public identity authentication information together with the name of a parent of the user corresponding to the first identity authentication method. For example, the non-public authentication information is a WeChat ID. Core staff of the platform may know the WeChat ID, and the user's relatives and friends may know the parent's name, but the two groups basically do not overlap, so the security of key management is improved and theft of the key is effectively prevented.
In one embodiment, as shown in fig. 3, the key management method further includes the following.
S250: and submitting the encrypted first authentication decryption key to a server side.
Specifically, the encrypted first authentication decryption key may be stored in a key database on the server side.
S255: and submitting at least one initial encryption role decryption key to the server side.
In particular, at least one initial encryption role decryption key may be stored in a user database at the server side.
In order to reduce the risk of revealing the third storage key, the electronic device may generate the third storage key based on the first identity authentication method, or may associate the generated third storage key with the first identity authentication method and store the third storage key, so that the electronic device may acquire the third storage key only when the user logs in the digital identity through the first identity authentication method. For example, the electronic device may calculate the third storage key based on the first identity authentication information, or the electronic device may randomly generate the third storage key and store the third storage key in the cloud corresponding to the first identity authentication method.
Specifically, when the first identity authentication mode is created, the electronic device may send an account creation request to the server, so that the server creates a first key database account for logging in the key database. The first key database account corresponds to a first identity authentication mode and is used for storing the encrypted first authentication decryption key. Here, the first key database account may have a pair of account number and password, that is, a first login account number and a first login password, and the electronic device may log in the key database according to the first login account number and the first login password and obtain data therefrom. It should be understood that the first login account and the first login password may be generated by the electronic device and then sent to the server, or may be directly generated by the server, which is not limited in this embodiment of the present application.
The electronic device may derive the first login account and the first login password by calculation from the first identity authentication mode, may retrieve them from the cloud end corresponding to the first identity authentication mode where they were stored in advance, or may read them directly from local storage where they are associated with the first identity authentication mode.
It should be understood that, in the embodiments of the present application, the specific generation and storage manner of the first login account number and the first login password is not limited.
Further, the initial encrypted role decryption key is stored in a user database on the server side, and the mapping between the user database and the key database may be known only on the electronic device side and unknown to the background server. Thus, when the user database is accessed to obtain an initial encrypted role decryption key, an operator on the background server side cannot tell which user the accessed initial encrypted role decryption key belongs to, which further improves the security of the key acquisition process.
The step S255 may be executed in any step between the steps S220 to S250, which is not limited in this embodiment of the application.
Optionally, the encrypted first authentication decryption key and/or the initial encrypted role decryption key may be stored locally, which allows a key management process that depends on the server side only partially or not at all.
Fig. 4 is a flowchart illustrating a key management method according to another exemplary embodiment of the present application. The embodiment shown in fig. 4 of the present application is extended on the basis of the embodiment shown in fig. 2 of the present application, and the differences between the embodiment shown in fig. 4 and the embodiment shown in fig. 2 are emphasized below, and the descriptions of the same parts are omitted.
As shown in fig. 4, on the basis of the embodiment shown in fig. 2, the key management method provided in the embodiment of the present application further includes the following steps.
S260: at least one role encryption key is randomly generated.
S265: encrypt each of the at least one target key with the corresponding role encryption key to obtain at least one encrypted target key.
S270: at least one encrypted target key is stored locally.
Specifically, the electronic device may set a plurality of roles for the digital identity through the first identity authentication mode and generate a corresponding role encryption key for each role. The role encryption key may be generated randomly or derived from specific information by a specific algorithm. The generation process of the role encryption key can be set as required and is not limited by the embodiments of the present application.
The target key may be preset, and the target key encrypted with the role encryption key may be stored locally.
In this embodiment, step S260 may generate the role encryption key and the role decryption key at the same time, and the two may form an asymmetric key pair. In other embodiments, the role encryption key and the role decryption key may be generated by the server, and the encrypted target key may also be stored on the server.
The step S260 may be executed before, after, or simultaneously with the step S220, which is not limited in this embodiment of the application.
According to an embodiment of the present application, the at least one role includes a first role and a second role, the digital identity includes a first authority level and a second authority level, the first authority level is lower than the second authority level, the first authority level has the authority to manage assets corresponding to the first role, the second authority level has the authority to manage assets corresponding to the first role and the second role, and the first identity authentication mode corresponds to the first authority level. Here, using the first authentication encryption key to encrypt the at least one role decryption key to obtain at least one initial encrypted role decryption key corresponding to the first identity authentication mode (S220) includes: encrypting a first role decryption key corresponding to the first role and a second role decryption key corresponding to the second role with the first authentication encryption key to obtain an initial encrypted first role decryption key and an initial encrypted second role decryption key corresponding to the first identity authentication mode, so that a second identity authentication mode with the second authority level can be added through the first identity authentication mode.
In this embodiment, the first identity authentication mode is the first identity authentication mode created under the digital identity, and other identity authentication modes may be added to the digital identity through it. That is, through the adding process, the digital identity may correspond to a plurality of identity authentication modes, which may belong to the same user or to different users.
The digital identity may include a plurality of permission levels, each permission level of the plurality of permission levels having a respective permission to manage an asset corresponding to at least one of the plurality of roles.
Specifically, one digital identity may divide all identity authentication modes corresponding to the digital identity according to the authority levels, so that each identity authentication mode has its own authority level, and further, the identity authentication mode has asset management authority of at least one role corresponding to the corresponding authority level.
For example, the first identity authentication method may correspond to a first authority level of the plurality of authority levels, and the first authority level may have an authority to manage the asset corresponding to the first role, so that the user who logs in the digital identity through the first identity authentication method can manage the asset corresponding to the first role; the second identity authentication mode may correspond to a second authority level of the plurality of authority levels, and the second authority level may have an authority to manage assets corresponding to the first role and the second role, so that a user who logs in the digital identity through the second identity authentication mode may simultaneously manage assets corresponding to the first role and the second role.
In practical applications, each identity authentication mode may have a corresponding authentication encryption key and authentication decryption key; for example, the first identity authentication mode may correspond to the first authentication encryption key and the first authentication decryption key. When the first identity authentication mode is given the first authority level, the first authentication encryption key may be used to encrypt the first role decryption key corresponding to the first authority level, so as to obtain the initial encrypted first role decryption key. Thus, when the user logs in to the digital identity through the first identity authentication mode, the electronic device can obtain the first authentication decryption key, find the initial encrypted first role decryption key, and decrypt it with the first authentication decryption key to obtain the first role decryption key. Likewise, when the second identity authentication mode is assigned the second authority level, the first role decryption key and the second role decryption key corresponding to the second authority level may each be encrypted with the second authentication encryption key to obtain the initial encrypted first role decryption key and the initial encrypted second role decryption key. Similarly, when the user logs in to the digital identity through the second identity authentication mode, the electronic device may obtain the second authentication decryption key, find the initial encrypted first role decryption key and/or the initial encrypted second role decryption key according to the user's requirement, and decrypt them with the second authentication decryption key to obtain the first role decryption key and/or the second role decryption key.
It should be understood that the specific division and corresponding manner of the assets, roles, and permission levels may be set by those skilled in the art according to actual needs, or may be set by a user in the system in a self-defined manner, which is not limited in the embodiments of the present application.
In this embodiment, since the first identity authentication mode is the first identity authentication mode under the digital identity, subsequent identity authentication modes can be added only through the first identity authentication mode. Specifically, when a second identity authentication mode with the second authority level is added to the digital identity, in order to improve the security of the key management process, the digital identity must be logged in to through the first identity authentication mode to obtain the first role decryption key and the second role decryption key, which are then encrypted with the second authentication encryption key corresponding to the second identity authentication mode, so as to obtain an initial encrypted first role decryption key and an initial encrypted second role decryption key corresponding to the second identity authentication mode.
In an embodiment, the authority level of each identity authentication method may be assigned by the user, or may be determined by the property of the identity authentication method itself. For example, the authority level of the fingerprint identity authentication mode is higher than that of the WeChat identity authentication mode.
In an embodiment, since the first identity authentication mode is the first identity authentication mode under the digital identity, it may have the highest authority level (e.g., the second authority level) so that a second identity authentication mode with a higher authority level can be added. Alternatively, the first identity authentication mode may have a lower authority level (e.g., the first authority level) but temporarily hold the permission to acquire the decryption keys of all roles; after the second identity authentication mode with the second authority level has been added, the first identity authentication mode reverts to the first authority level.
The following describes in detail the process of adding a second identity authentication mode to a digital identity through the first identity authentication mode.
Fig. 5 is a flowchart illustrating a key management method according to another exemplary embodiment of the present application, where the method of fig. 5 may be executed by an electronic device, for example, a mobile phone, and in particular, may be executed by a client corresponding to a digital identity on the electronic device. As shown in fig. 5, the key management method relates to a process of adding a second identity authentication method to a digital identity through a first identity authentication method, and specifically includes the following steps.
S510: acquire a first authentication decryption key corresponding to a first identity authentication mode of the digital identity.
Specifically, the user may log in to the digital identity through the first identity authentication mode.
In one embodiment, the first authentication decryption key may be obtained directly from local storage or from the server side; in another embodiment, the encrypted first authentication decryption key may be obtained from local storage or from the server side and decrypted with the third storage key to obtain the first authentication decryption key.
S520: acquire a second authentication encryption key corresponding to a second identity authentication mode to be added to the digital identity.
In an embodiment, the second authentication encryption key may be generated simultaneously with the second authentication decryption key. The generation process of the second authentication encryption key and the second authentication decryption key may refer to the generation process of the first authentication encryption key and the first authentication decryption key, that is, refer to the description of the embodiment in fig. 2, and in order to avoid repetition, details are not described here again.
When the second identity authentication mode and the first identity authentication mode correspond to the same user, they may correspond to the same electronic device, and the second authentication encryption key and the second authentication decryption key may be generated directly on that electronic device.
When the second identity authentication mode corresponds to a different user from the first identity authentication mode, it also corresponds to a different electronic device. In this case the second authentication encryption key and the second authentication decryption key are generated on the electronic device corresponding to the second identity authentication mode, and the electronic device corresponding to the first identity authentication mode acquires them by receiving them from that device.
S530: decrypt the initial encrypted first role decryption key corresponding to the first identity authentication mode with the first authentication decryption key to obtain the first role decryption key.
In particular, the digital identity may correspond to at least one role, each role having its own role decryption key. The corresponding role decryption key is acquired with the first authentication decryption key according to the preset management authority of the second identity authentication mode. The preset management authority here may be set according to the user's intention. When the at least one role is a plurality of roles, the user may preset the second identity authentication mode to have the authority to manage the assets corresponding to any one or more of the plurality of roles.
S540: encrypt the first role decryption key with the second authentication encryption key to obtain an initial encrypted first role decryption key corresponding to the second identity authentication mode.
The first role decryption key corresponds to a first role in at least one role of the digital identity and is used for decrypting the encrypted first target key to obtain a first target key.
In an embodiment, the second authentication decryption key is used to decrypt the initial encrypted first role decryption key corresponding to the second identity authentication mode, so as to obtain the first role decryption key. The first target key is used to manage the asset corresponding to the first role.
When the second identity authentication mode corresponds to the same user as the first identity authentication mode, the second identity authentication mode and the first identity authentication mode may correspond to the same electronic device, and at this time, the electronic device may store the initial encrypted first role decryption key corresponding to the second identity authentication mode to the client and/or the server corresponding to the second identity authentication mode.
When the second identity authentication mode corresponds to a different user than the first identity authentication mode, the second identity authentication mode corresponds to a different electronic device than the first identity authentication mode, and at this time, the electronic device corresponding to the first identity authentication mode can send the initial encrypted first role decryption key corresponding to the second identity authentication mode to the electronic device and/or the server corresponding to the second identity authentication mode.
The embodiment of the present application provides a key management method in which a second identity authentication mode is added to a digital identity through a first identity authentication mode, so that tiered management of keys and a diversified key management process can be realized.
According to an embodiment of the present application, the first identity authentication mode corresponds to a first authority level of a plurality of authority levels of the digital identity, the second identity authentication mode corresponds to a second authority level of the plurality of authority levels, and the first authority level has the authority to manage assets corresponding to the first role. Before the first authentication decryption key is used to decrypt the initial encrypted first role decryption key corresponding to the first identity authentication mode, the key management method further includes: determining the second authority level of the second identity authentication mode.
Specifically, in the process of adding the second identity authentication mode to the electronic device corresponding to the first identity authentication mode, the second permission level of the second identity authentication mode may be set by the user corresponding to the first identity authentication mode, may also be set by the user corresponding to the second identity authentication mode, and may also be determined by the attribute of the second identity authentication mode itself.
According to an embodiment of the application, the first authority level is higher than the second authority level, the first authority level further has an authority to manage assets corresponding to a second role of the at least one role, and the second authority level has an authority to manage assets corresponding to the first role.
In this embodiment, a second identity authentication mode with a lower authority level than the first identity authentication mode may be added through the first identity authentication mode. Before the second identity authentication mode is added, the first identity authentication mode may be the only identity authentication mode under the digital identity, or one of a plurality of identity authentication modes under the digital identity.
Fig. 6 is a flowchart illustrating a key management method according to another exemplary embodiment of the present application. The embodiment shown in fig. 6 of the present application is extended based on the embodiment shown in fig. 5 of the present application, and the differences between the embodiment shown in fig. 6 and the embodiment shown in fig. 5 are emphasized below, and the descriptions of the same parts are omitted.
In this embodiment, the first permission level is equal to the second permission level, and the first permission level further has a permission to manage an asset corresponding to a second role in the at least one role, where, as shown in fig. 6, the key management method further includes the following steps.
S561: decrypt the initial encrypted second role decryption key corresponding to the first identity authentication mode with the first authentication decryption key to obtain the second role decryption key.
S562: encrypt the second role decryption key with the second authentication encryption key to obtain an initial encrypted second role decryption key corresponding to the second identity authentication mode.
The second authentication decryption key is further used for decrypting the initial encrypted second role decryption key corresponding to the second identity authentication mode to obtain a second role decryption key, the second role decryption key corresponds to the second role and is used for decrypting the encrypted second target key to obtain a second target key, and the second target key is used for managing assets corresponding to the second role.
Here, step S561 may be performed simultaneously with step S530, and step S562 may be performed simultaneously with step S540.
In this embodiment, a second identity authentication mode with the same authority level as the first identity authentication mode may be added through the first identity authentication mode.
Fig. 7 is a flowchart illustrating a key management method according to another exemplary embodiment of the present application. The embodiment shown in fig. 7 of the present application is extended based on the embodiment shown in fig. 5 of the present application, and the differences between the embodiment shown in fig. 7 and the embodiment shown in fig. 5 are emphasized below, and the descriptions of the same parts are omitted.
In this embodiment, before the second identity authentication mode is added, the first identity authentication mode is the only identity authentication mode under the digital identity, the first authority level is lower than the second authority level, the second authority level has the authority to manage the assets corresponding to the first role and to a second role of the at least one role, and the first identity authentication mode with the first authority level has the authority to manage the assets corresponding to the first role. As shown in fig. 7, the key management method further includes the following steps.
S571: a second role decryption key is generated.
Specifically, the second role decryption key may be generated by the electronic device, for example by the client corresponding to the digital identity, or generated by the server side and sent to the electronic device.
S572: encrypt the second role decryption key with the second authentication encryption key to obtain an initial encrypted second role decryption key corresponding to the second identity authentication mode.
The second authentication decryption key is further used for decrypting the initial encrypted second role decryption key corresponding to the second identity authentication mode to obtain a second role decryption key, the second role decryption key corresponds to the second role and is used for decrypting the encrypted second target key to obtain a second target key, and the second target key is used for managing assets corresponding to the second role.
Specifically, in some embodiments, the execution subject of steps S571 and S572 may be an electronic device corresponding to the first authentication manner. The second role decryption key can be generated by the electronic equipment corresponding to the first identity authentication mode; or the second role decryption key can be generated by the server side, and the electronic equipment corresponding to the first identity authentication mode acquires the second role decryption key from the server side; or the second role decryption key may be generated by the electronic device corresponding to the second identity authentication method, and the electronic device corresponding to the first identity authentication method obtains the second role decryption key from the electronic device corresponding to the second identity authentication method. The initial encrypted second role decryption key corresponding to the second identity authentication mode may be stored in the electronic device or the server corresponding to the second identity authentication mode.
In other embodiments, at least one of the execution subjects in steps S571 and S572 may be an electronic device or a server corresponding to the second identity authentication method. The initial encrypted second role decryption key corresponding to the second identity authentication mode may be stored in the electronic device or the server corresponding to the second identity authentication mode.
In an embodiment, when the digital identity corresponds to a plurality of identity authentication modes, an identity authentication mode with a lower authority level cannot add an identity authentication mode with a higher authority level than its own; an identity authentication mode must be added through an identity authentication mode whose authority level is equal to or higher than that of the mode being added. In this embodiment, since the first identity authentication mode is the only identity authentication mode, when an identity authentication mode with a higher authority level than the first identity authentication mode is added, the first role decryption key is obtained through the first identity authentication mode and the authority over the first role decryption key is granted to the higher-level identity authentication mode; at the same time, by generating the second role decryption key, the authority over the second role decryption key is granted to the higher-level identity authentication mode.
An exemplary embodiment of the present application provides a key management method, which may be performed by an electronic device, such as a mobile phone, and specifically by a client corresponding to a digital identity on the electronic device. The key management method relates to a process of changing the authority level of a third identity authentication mode through a first identity authentication mode, and specifically includes: deleting the initial encrypted second role decryption key corresponding to the third identity authentication mode, so as to lower the authority level of the third identity authentication mode.
The digital identity includes at least a first identity authentication mode and a third identity authentication mode, where the first identity authentication mode corresponds to a first authority level of a plurality of authority levels of the digital identity, the third identity authentication mode corresponds to a third authority level of the plurality of authority levels, the third authority level is equal to or lower than the first authority level, and the third authority level has the authority to manage the assets corresponding to the first role and to a second role of the at least one role.
If the third identity authentication mode and the first identity authentication mode correspond to the same electronic device of the same user, the initial encrypted second role decryption key corresponding to the third identity authentication mode is stored on that electronic device and can be deleted there directly. If the third identity authentication mode corresponds to a different user from the first identity authentication mode, the initial encrypted second role decryption key corresponding to the third identity authentication mode is stored on the electronic device corresponding to the third identity authentication mode, and the electronic device corresponding to the first identity authentication mode can send an instruction to that device to delete it. If the initial encrypted second role decryption key corresponding to the third identity authentication mode is stored locally, the electronic device deletes it directly; if it is stored on the server side, the electronic device corresponding to the first identity authentication mode deletes it by sending an instruction to the server side.
In this embodiment, the initial encrypted second role decryption key corresponding to the third identity authentication mode is deleted to lower the authority level of the third identity authentication mode. This touches only the key corresponding to the third identity authentication mode and does not affect the keys of other identity authentication modes. The method is better suited to the case where the digital identity has many identity authentication modes, and it lowers the authority level of the third identity authentication mode quickly.
In another embodiment, the third identity authentication mode may be deleted from the digital identity by further deleting the initial encrypted first role decryption key corresponding to the third identity authentication mode.
The process of deleting the initial encrypted first role decryption key corresponding to the third identity authentication mode is similar to that of deleting the initial encrypted second role decryption key corresponding to the third identity authentication mode.
Fig. 8 is a flowchart illustrating a key management method according to another exemplary embodiment of the present application, where the method in fig. 8 may be performed by an electronic device, for example, a mobile phone, and in particular, may be performed by a client corresponding to a digital identity on the electronic device. As shown in fig. 8, the key management method relates to a process of changing the authority level of the third identity authentication method through the first identity authentication method, and specifically includes the following steps.
S810: a new second role decryption key is generated.
S820: encrypt the new second role decryption key with the first authentication encryption key corresponding to the first authentication decryption key to obtain a new initial encrypted second role decryption key corresponding to the first identity authentication mode, so as to lower the authority level of the third identity authentication mode.
The digital identity includes at least a first identity authentication mode and a third identity authentication mode, where the first identity authentication mode corresponds to a first authority level of a plurality of authority levels of the digital identity, the third identity authentication mode corresponds to a third authority level of the plurality of authority levels, the third authority level is equal to or lower than the first authority level, and the third authority level has the authority to manage the assets corresponding to the first role and to a second role of the at least one role.
The first authentication decryption key is used to decrypt the new initial encrypted second role decryption key corresponding to the first identity authentication mode to obtain the new second role decryption key; the new second role decryption key corresponds to the second role and is used to decrypt the encrypted second target key to obtain the second target key, which is used to manage the assets corresponding to the second role.
In this embodiment, the authority level of the third identity authentication mode is lowered by generating a new role decryption key, without touching the key corresponding to the third identity authentication mode. The method is better suited to the case where the digital identity has few identity authentication modes, and it avoids any interaction between the two identity authentication modes, so the authority level of the third identity authentication mode can be lowered quickly.
In an embodiment, a new second role decryption key may be generated at the same time as a new second role encryption key is generated.
In an embodiment, a new initial encrypted first role decryption key corresponding to the first identity authentication method may be obtained by generating a new first role decryption key and encrypting the new first role decryption key with a first authentication encryption key corresponding to the first authentication decryption key, so as to delete the third identity authentication method from the digital identity.
Fig. 9 is a flowchart of a key management method according to another exemplary embodiment of the present application. The method of Fig. 9 may be performed by an electronic device, for example a mobile phone, and in particular by the client corresponding to a digital identity on that electronic device. As shown in Fig. 9, the key management method relates to changing the authority level of the third identity authentication mode through the first identity authentication mode, and specifically includes the following steps.
S910: a third authentication encryption key corresponding to the third identity authentication mode is obtained.
The third authentication encryption key is generated and obtained in the same way as the second authentication encryption key in the embodiment of Fig. 5; to avoid repetition, the details are not described here again.
S920: the initial encrypted second role decryption key corresponding to the first identity authentication mode is decrypted with the first authentication decryption key to obtain the second role decryption key.
S930: the second role decryption key is encrypted with the third authentication encryption key to obtain an initial encrypted second role decryption key corresponding to the third identity authentication mode, so that the authority level of the third identity authentication mode is raised.
The digital identity comprises at least a first identity authentication mode and a third identity authentication mode. The first identity authentication mode corresponds to a first authority level among the plurality of authority levels of the digital identity, and the third identity authentication mode corresponds to a third authority level among them; the third authority level is lower than the first authority level, the first authority level has authority to manage the assets corresponding to a first role and a second role of the at least one role, and the third authority level has authority to manage the assets corresponding to the first role.
The third authentication decryption key corresponds to the third authentication encryption key and is used to decrypt the initial encrypted second role decryption key corresponding to the third identity authentication mode to obtain the second role decryption key; the second role decryption key corresponds to the second role and is used to decrypt the encrypted second target key to obtain the second target key, which is used to manage the assets corresponding to the second role.
In this embodiment, the authority level of the third identity authentication mode is raised through the first identity authentication mode, so that each identity authentication mode has more flexibility in managing all assets under the digital identity.
Exemplary devices
Fig. 10 is a schematic structural diagram of a key management device 1000 according to an exemplary embodiment of the present application. As shown in fig. 10, the apparatus 1000 includes: a first obtaining module 1010 and a first encrypting module 1020.
The first obtaining module 1010 is configured to obtain the authorization of a user through a first identity authentication mode to generate a first authentication encryption key, where the first identity authentication mode is used to log in to a digital identity. The first encryption module 1020 is configured to encrypt at least one role decryption key with the first authentication encryption key to obtain at least one initial encrypted role decryption key corresponding to the first identity authentication mode, where the at least one role decryption key corresponds one to one to the at least one role of the digital identity and is used to decrypt at least one encrypted target key to obtain at least one target key.
The embodiment of the application thus provides a key management device that generates a first authentication encryption key corresponding to a first identity authentication mode and uses it to encrypt the at least one role decryption key under the digital identity; since the role decryption keys are what decrypt the encrypted target keys, the identity authentication mode is thereby associated with the target keys, which simplifies the management and use of the target keys.
According to an embodiment of the present invention, the apparatus 1000 further comprises: a first generating module 1030, configured to generate a third storage key based on the identity authentication information corresponding to the first identity authentication manner, and generate a first authentication decryption key corresponding to the first authentication encryption key; the second encryption module 1040 is configured to encrypt the first authentication decryption key with the third storage key to obtain an encrypted first authentication decryption key.
According to an embodiment of the present invention, the identity authentication information is non-public identity authentication information, wherein the first generating module 1030 is configured to generate a third storage key based on the non-public identity authentication information and a parent name of the user corresponding to the first identity authentication mode.
According to an embodiment of the present invention, the apparatus 1000 further comprises: the sending module 1050 is configured to submit the encrypted first authentication decryption key to the server, and submit at least one initial encryption role decryption key to the server.
According to an embodiment of the present invention, the apparatus 1000 further comprises: the third encryption module 1060 is configured to encrypt at least one target key by using at least one role encryption key, respectively, to obtain at least one encrypted target key.
According to an embodiment of the present invention, the apparatus 1000 further comprises: the storage module 1070 is configured to store the at least one encrypted target key locally.
According to an embodiment of the present invention, the apparatus 1000 further comprises: a second generating module 1080, configured to randomly generate at least one role decryption key.
It should be understood that, in the above embodiments, the operations and functions of the first obtaining module 1010, the first encrypting module 1020, the first generating module 1030, the second encrypting module 1040, the sending module 1050, the third encrypting module 1060, the storing module 1070, and the second generating module 1080 may refer to the description of the key management method provided in the above embodiments of fig. 2 to fig. 4, and are not described herein again to avoid repetition.
Fig. 11 is a schematic structural diagram of a key management device 1100 according to another exemplary embodiment of the present application. As shown in fig. 11, the apparatus 1100 includes: a first obtaining module 1110, a second obtaining module 1120, a first decrypting module 1130, and a first encrypting module 1140.
The first obtaining module 1110 is configured to obtain a first authentication decryption key corresponding to a first identity authentication method of a digital identity. The second obtaining module 1120 is configured to obtain a second authentication encryption key corresponding to a second identity authentication method to be added to the digital identity. The first decryption module 1130 is configured to decrypt the initial encrypted first role decryption key corresponding to the first identity authentication method by using the first authentication decryption key, so as to obtain the first role decryption key. The first encryption module 1140 is configured to encrypt the first role decryption key by using the second authentication encryption key to obtain an initial encrypted first role decryption key corresponding to the second identity authentication method, where the first role decryption key corresponds to a first role in at least one role of the digital identity, and is configured to decrypt the encrypted first target key to obtain a first target key.
The embodiment of the application provides a key management device in which a second identity authentication mode is added to the digital identity through the first identity authentication mode, so that classified management of keys and a more diverse key management process can be achieved.
According to an embodiment of the present invention, the first identity authentication method corresponds to a first authority level of a plurality of authority levels of the digital identity, the second identity authentication method corresponds to a second authority level of the plurality of authority levels, and the first authority level has an authority to manage assets corresponding to the first role, wherein the apparatus 1100 further includes: the first determining module 1150 is configured to determine a second permission level of the second identity authentication method before the first decrypting module 1130 decrypts the initial encrypted first role decrypting key corresponding to the first identity authentication method by using the first authentication decrypting key.
According to an embodiment of the present invention, the first permission level is higher than the second permission level, the first permission level further has a permission to manage an asset corresponding to a second role of the at least one role, and the second permission level has a permission to manage an asset corresponding to the first role.
According to an embodiment of the present invention, the first permission level is equal to the second permission level, and the first permission level further has a permission to manage an asset corresponding to a second role in the at least one role, wherein the first decryption module 1130 is further configured to decrypt an initial encrypted second role decryption key corresponding to the first identity authentication method by using the first authentication decryption key, so as to obtain a second role decryption key; the first encryption module 1140 is further configured to encrypt a second role decryption key by using a second authentication encryption key to obtain an initial encrypted second role decryption key corresponding to the second identity authentication method, where the second role decryption key corresponds to the second role and is used to decrypt an encrypted second target key to obtain a second target key, where the first target key is used to manage the asset corresponding to the first role, and the second target key is used to manage the asset corresponding to the second role.
According to an embodiment of the present invention, the first permission level is lower than a second permission level, and the second permission level has a permission to manage assets corresponding to the first role and a second role of the at least one role, wherein the apparatus 1100 further includes: a first generation module 1160 for generating a second role decryption key; and a second encryption module 1170, configured to encrypt a second role decryption key by using a second authentication encryption key to obtain an initial encrypted second role decryption key corresponding to the second identity authentication method, where the second role decryption key corresponds to the second role and is used to decrypt an encrypted second target key to obtain a second target key, where the first target key is used to manage the asset corresponding to the first role, and the second target key is used to manage the asset corresponding to the second role.
According to an embodiment of the invention, the apparatus 1100 further comprises: the first storage module 1180 is configured to store the initial encrypted first role decryption key corresponding to the second identity authentication method to the server or the client corresponding to the second identity authentication method.
According to an embodiment of the present invention, the digital identity further includes a third identity authentication manner, the first identity authentication manner corresponds to a first authority level of a plurality of authority levels of the digital identity, the third identity authentication manner corresponds to a third authority level of the plurality of authority levels, the third authority level is equal to or lower than the first authority level, and the third authority level has an authority to manage assets corresponding to a first role and a second role of at least one role, wherein the apparatus 1100 further includes: the first deleting module 1181 is configured to delete the initial encrypted second role decryption key corresponding to the third identity authentication method, so as to reduce the permission level of the third identity authentication method.
According to an embodiment of the present invention, the first deleting module 1181 is further configured to delete the initial encrypted first role decryption key corresponding to the third identity authentication method, so as to delete the third identity authentication method from the digital identity.
According to an embodiment of the present invention, the digital identity further includes a third identity authentication manner, the first identity authentication manner corresponds to a first authority level of a plurality of authority levels of the digital identity, the third identity authentication manner corresponds to a third authority level of the plurality of authority levels, the third authority level is equal to or lower than the first authority level, and the third authority level has an authority to manage assets corresponding to a first role and a second role of at least one role, wherein the apparatus 1100 further includes: a second generating module 1182, configured to generate a new second role decryption key; a third encryption module 1183, configured to encrypt a new second role decryption key by using a first authentication encryption key corresponding to the first authentication decryption key, to obtain a new initial encrypted second role decryption key corresponding to the first identity authentication method, so as to reduce the permission level of the third identity authentication method, where the new second role decryption key corresponds to the second role, and is configured to decrypt the encrypted second target key to obtain a second target key, where the first target key is used to manage the asset corresponding to the first role, and the second target key is used to manage the asset corresponding to the second role.
According to an embodiment of the present invention, the second generating module 1182 is further configured to generate a new first role decryption key; the third encryption module 1183 is further configured to encrypt the new first role decryption key by using the first authentication encryption key corresponding to the first authentication decryption key, to obtain a new initial encrypted first role decryption key corresponding to the first identity authentication method, so as to delete the third identity authentication method from the digital identity.
According to an embodiment of the present invention, the digital identity further includes a third identity authentication manner, the first identity authentication manner corresponds to a first authority level of a plurality of authority levels of the digital identity, the third identity authentication manner corresponds to a third authority level of the plurality of authority levels, the third authority level is lower than the first authority level, the first authority level has an authority to manage assets corresponding to a first role and a second role of the at least one role, and the third authority level has an authority to manage assets corresponding to the first role, wherein the apparatus 1100 further includes: a third obtaining module 1184, configured to obtain a third authentication encryption key corresponding to the third identity authentication method, where the first decryption module 1130 is further configured to decrypt the initial encrypted second role decryption key corresponding to the first identity authentication method by using the first authentication decryption key, so as to obtain a second role decryption key; and a fourth encryption module 1185, configured to encrypt the second role decryption key by using the third authentication encryption key to obtain an initial encrypted second role decryption key corresponding to the third identity authentication method, so as to raise the permission level of the third identity authentication method, where the second role decryption key corresponds to the second role and is used to decrypt the encrypted second target key to obtain a second target key, the first target key is used to manage the asset corresponding to the first role, and the second target key is used to manage the asset corresponding to the second role.
It should be understood that, in the above embodiments, operations and functions of the first obtaining module 1110, the second obtaining module 1120, the first decrypting module 1130, the first encrypting module 1140, the first determining module 1150, the first generating module 1160, the second encrypting module 1170, the first storing module 1180, the first deleting module 1181, the second generating module 1182, the third encrypting module 1183, the third obtaining module 1184, and the fourth encrypting module 1185 may refer to the description in the key management method provided in the above embodiments of fig. 5 to 9, and are not described herein again to avoid repetition.
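The key hierarchy described in the flows of Figs. 8 and 9 above and in the modules of devices 1000 and 1100, as a runnable model. This is example code added for this page, not the applicant's implementation. It assumes one symmetric key for each encryption/decryption key pair the page names (a real deployment would use asymmetric pairs or AES-KW), an HMAC-SHA256-based authenticated wrap in place of a standard AEAD, and PBKDF2-HMAC-SHA256 with a random salt as the derivation of the third storage key from the non-public authentication information and the parent name; the method names "password" and "sms", the role names and all secret strings are constructed for the demonstration.

```python
import hashlib
import hmac
import os

def derive_storage_key(non_public_info: str, parent_name: str, salt: bytes) -> bytes:
    """Third storage key from the non-public authentication information and the
    user's parent name (claim 3). PBKDF2-HMAC-SHA256 and the salt are assumptions."""
    material = non_public_info.encode() + b"\x00" + parent_name.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def wrap(key: bytes, secret: bytes) -> bytes:
    """Authenticated key wrap built only from HMAC-SHA256: a stand-in for
    AES-KW or an AEAD so that the example runs on the standard library."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed authentication: wrong or stale key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class DigitalIdentity:
    """Holds only wrapped keys, as the server and the local store would. Each
    encryption/decryption key pair of the page is modelled as one symmetric key."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.wrapped_auth = {}    # method -> auth key wrapped under the storage key
        self.wrapped_role = {}    # (method, role) -> role key wrapped under auth key
        self.wrapped_target = {}  # role -> target key wrapped under the role key

    # Figs. 2-4 / device 1000: enrol a method, log in, create roles
    def add_method(self, method, non_public_info, parent_name):
        storage_key = derive_storage_key(non_public_info, parent_name, self.salt)
        self.wrapped_auth[method] = wrap(storage_key, os.urandom(32))

    def login(self, method, non_public_info, parent_name) -> bytes:
        storage_key = derive_storage_key(non_public_info, parent_name, self.salt)
        return unwrap(storage_key, self.wrapped_auth[method])  # auth decryption key

    def create_role(self, role, method, auth_key):
        role_key, target_key = os.urandom(32), os.urandom(32)
        self.wrapped_target[role] = wrap(role_key, target_key)
        self.wrapped_role[(method, role)] = wrap(auth_key, role_key)

    def target_key(self, method, role, auth_key) -> bytes:
        role_key = unwrap(auth_key, self.wrapped_role[(method, role)])
        return unwrap(role_key, self.wrapped_target[role])

    # Figs. 5 and 9 / device 1100: copy a role grant from one method to another
    def share_role(self, src, src_key, dst, dst_key, role):
        role_key = unwrap(src_key, self.wrapped_role[(src, role)])
        self.wrapped_role[(dst, role)] = wrap(dst_key, role_key)

    # Fig. 8: lower every other method by rotating the role key
    def rotate_role(self, role, keeper, keeper_key):
        old_role_key = unwrap(keeper_key, self.wrapped_role[(keeper, role)])
        target_key = unwrap(old_role_key, self.wrapped_target[role])
        new_role_key = os.urandom(32)
        self.wrapped_target[role] = wrap(new_role_key, target_key)
        self.wrapped_role[(keeper, role)] = wrap(keeper_key, new_role_key)
        # Copies under other methods are deliberately left in place: they still
        # unwrap to old_role_key, which no longer opens the re-wrapped target key.

def demo() -> dict:
    """Constructed scenario: 'password' is the first method, 'sms' the third."""
    ident = DigitalIdentity()
    ident.add_method("password", "pw-secret", "parent-name")
    ident.add_method("sms", "otp-secret", "parent-name")
    k1 = ident.login("password", "pw-secret", "parent-name")
    k3 = ident.login("sms", "otp-secret", "parent-name")
    ident.create_role("role1", "password", k1)
    ident.create_role("role2", "password", k1)
    ident.share_role("password", k1, "sms", k3, "role1")
    ident.share_role("password", k1, "sms", k3, "role2")  # Fig. 9: raise 'sms'
    raised = ident.target_key("sms", "role2", k3) == ident.target_key("password", "role2", k1)
    ident.rotate_role("role2", "password", k1)             # Fig. 8: lower 'sms' again
    try:
        ident.target_key("sms", "role2", k3)
        lowered = False
    except ValueError:
        lowered = True
    still_role1 = ident.target_key("sms", "role1", k3) == ident.target_key("password", "role1", k1)
    return {"raised": raised, "lowered": lowered, "still_role1": still_role1}
```

Running `demo()` shows the two operations the page contrasts: raising the third method (Fig. 9) is a re-wrap of the existing second role decryption key under that method's authentication key, which needs the first method's decryption key but no new key material, while lowering it (Fig. 8) rotates the second role key and re-wraps the second target key, so the third method's untouched copy authenticates but no longer opens the target key. In the model, as in the page, only wrapped blobs are ever stored (modules 1050 and 1070), and the storage key is recomputed from the authentication information at each login rather than stored. The stale wrapped copy left behind by rotation should still be removed (the deletion described for module 1181) so that it does not linger as a reference to retired key material.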
Fig. 12 is a block diagram of an electronic device 1200 for key management provided in an exemplary embodiment of the present application.
Referring to fig. 12, the electronic device 1200 includes a processor 1210, and memory resources, represented by memory 1220, for storing instructions, such as application programs, that are executable by the processor 1210. The application programs stored in memory 1220 may include one or more modules that each correspond to a set of instructions. Further, the processor 1210 is configured to execute instructions to perform the key management method described above.
The electronic device 1200 may also include a power supply component configured to perform power management of the electronic device 1200, a wired or wireless network interface configured to connect the electronic device 1200 to a network, and an input/output (I/O) interface. The electronic device 1200 may operate based on an operating system stored in the memory 1220, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
A non-transitory computer readable storage medium having instructions stored thereon, which when executed by a processor of the electronic device 1200, enable the electronic device 1200 to perform a key management method. The key management method comprises the following steps: obtaining the authorization of a user through a first identity authentication mode to generate a first authentication encryption key, wherein the first identity authentication mode is used for logging in a digital identity; and encrypting the at least one role decryption key by using the first authentication encryption key to obtain at least one initial encrypted role decryption key corresponding to the first identity authentication mode, wherein the at least one role decryption key corresponds to the at least one role of the digital identity one to one and is used for decrypting the at least one encrypted target key to obtain at least one target key. Or, the key management method includes: acquiring a first authentication decryption key corresponding to a first identity authentication mode of the digital identity; acquiring a second authentication encryption key corresponding to a second identity authentication mode to be added for the digital identity; decrypting the initial encrypted first role decryption key corresponding to the first identity authentication mode by using the first authentication decryption key to obtain a first role decryption key; and encrypting the first role decryption key by using the second authentication encryption key to obtain an initial encrypted first role decryption key corresponding to the second identity authentication mode, wherein the first role decryption key corresponds to the first role in at least one role of the digital identity and is used for decrypting the encrypted first target key to obtain the first target key.
All the above-mentioned optional technical solutions can be combined arbitrarily to form the optional embodiments of the present invention, and are not described herein again.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
It should be noted that the terms "first," "second," "third," and the like in the description of the present invention are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. In addition, in the description of the present invention, "a plurality" means two or more unless otherwise specified.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and the like that are within the spirit and principle of the present invention are included in the present invention.

Claims (10)

1. A key management method, comprising:
obtaining the authorization of a user through a first identity authentication mode to generate a first authentication encryption key, wherein the first identity authentication mode is used for logging in a digital identity;
encrypting at least one role decryption key by using the first authentication encryption key to obtain at least one initial encrypted role decryption key corresponding to the first identity authentication mode, wherein,
the at least one role decryption key corresponds to the at least one role of the digital identity one to one and is used for decrypting the at least one encrypted target key to obtain at least one target key.
2. The key management method according to claim 1, further comprising:
generating a third storage key based on the identity authentication information corresponding to the first identity authentication mode;
generating a first authentication decryption key corresponding to the first authentication encryption key;
and encrypting the first authentication decryption key by using the third storage key to obtain the encrypted first authentication decryption key.
3. The key management method according to claim 2, wherein the identity authentication information is non-public identity authentication information, and wherein the generating a third storage key based on the identity authentication information corresponding to the first identity authentication method includes:
generating the third storage key based on the non-public identity authentication information and the parent name of the user corresponding to the first identity authentication mode.
4. The key management method according to claim 2, further comprising:
submitting the encrypted first authentication decryption key to a server side;
and submitting the at least one initial encryption role decryption key to the server side.
5. The key management method according to claim 2, further comprising:
respectively encrypting the at least one target key by using at least one role encryption key to obtain the at least one encrypted target key.
6. The key management method according to claim 5, further comprising:
storing the at least one encrypted target key locally.
7. The key management method according to any one of claims 1 to 6, further comprising:
the at least one role decryption key is randomly generated.
8. A key management apparatus, characterized by comprising:
a first obtaining module, configured to obtain the authorization of a user through a first identity authentication mode so as to generate a first authentication encryption key, wherein the first identity authentication mode is used for logging in a digital identity; and
a first encryption module, configured to encrypt at least one role decryption key by using the first authentication encryption key to obtain at least one initial encrypted role decryption key corresponding to the first identity authentication mode, wherein,
the at least one role decryption key corresponds to the at least one role of the digital identity one to one and is used for decrypting the at least one encrypted target key to obtain at least one target key.
9. An electronic device, comprising:
a processor;
memory, wherein the memory is to store instructions executable by the processor, which when executed by the processor, cause the processor to perform the key management method of any of claims 1 to 7.
10. A computer readable storage medium comprising computer instructions stored thereon, which when executed by a processor, cause the processor to perform the key management method of any of claims 1 to 7.

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202010897527.4A CN111970126A (en) 2020-08-31 2020-08-31 Key management method and device
PCT/CN2021/115727 WO2022042746A1 (en) 2020-08-31 2021-08-31 Key management method and apparatus
US18/175,872 US20230208634A1 (en) 2020-08-31 2023-02-28 Key management method and apparatus

Publications (1)

Publication Number Publication Date
CN111970126A true CN111970126A (en) 2020-11-20

Family

ID=73399447

Country Status (1)

Country Link
CN (1) CN111970126A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022042746A1 (en) * 2020-08-31 2022-03-03 北京书生网络技术有限公司 Key management method and apparatus

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2881863A1 (en) * 2012-09-05 2015-06-10 ZTE Corporation Method for implementing encryption in storage card, and decryption method and device
CN104780175A (en) * 2015-04-24 2015-07-15 广东电网有限责任公司信息中心 Hierarchical classification access authorization management method based on roles
CN108229962A (en) * 2018-01-04 2018-06-29 众安信息技术服务有限公司 Right management method and system based on block chain
CN109600357A (en) * 2018-11-05 2019-04-09 电子科技大学 A kind of distributed identity authentication system, method and server
FR3073111A1 (en) * 2017-10-30 2019-05-03 Airbus Helicopters METHOD AND DEVICE FOR STORING AND SHARING INTEGRATED DATA
CN109800593A (en) * 2018-12-07 2019-05-24 上海益政网络科技发展有限公司 A kind of information matching method and system
CN110188517A (en) * 2018-12-14 2019-08-30 浙江宇视科技有限公司 A kind of the user account number login method and device of based role mode
CN110417544A (en) * 2019-06-28 2019-11-05 腾讯科技(深圳)有限公司 A kind of generation method of root key, device and medium
EP3610607A2 (en) * 2019-03-29 2020-02-19 Alibaba Group Holding Limited Cryptographic key management based on identity information
CN111090622A (en) * 2019-10-18 2020-05-01 西安电子科技大学 Cloud storage information processing system and method based on dynamic encryption RBAC model

Similar Documents

Publication Publication Date Title
CN110034924B (en) Data processing method and device
CN106537403B (en) System for accessing data from multiple devices
CN111064757B (en) Application access method and device, electronic equipment and storage medium
EP3997606B1 (en) Cryptoasset custodial system with custom logic
JP5710439B2 (en) Template delivery type cancelable biometric authentication system and method
CN108989346A (en) The effective identity trustship agility of third party based on account concealment authenticates access module
CN111917773A (en) Service data processing method and device and server
CN106603577A (en) E-mail encryption method and system
CN107040520B (en) Cloud computing data sharing system and method
CN112039665A (en) Key management method and device
US20210241270A1 (en) System and method of blockchain transaction verification
CN104426659A (en) Dynamic password generating method, authentication method, authentication system and corresponding equipment
CN111192186A (en) Method, device, computer equipment and storage medium for government affair processing
US20230208637A1 (en) Key management method and apparatus
EP2775658A2 (en) A password based security method, systems and devices
CN111970126A (en) Key management method and device
US11868457B2 (en) Device and method for authenticating user and obtaining user signature using user's biometrics
CN111078649A (en) Block chain-based on-cloud file storage method and device and electronic equipment
CN114124395B (en) Key management method and device
CN115442037A (en) Account management method, device, equipment and storage medium
CN114124395A (en) Key management method and device
CN111259363B (en) Service access information processing method, system, device, equipment and storage medium
WO2022042746A1 (en) Key management method and apparatus
CN108668260B (en) SIM card data self-destruction method, SIM card, device and server
Bhargav-Spantzel TRUSTED EXECUTION ENVIRONMENT FOR PRIVACY PRESERVING BIOMETRIC AUTHENTICATION.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination