CN111988260B - Symmetric key management system, transmission method and device - Google Patents

Symmetric key management system, transmission method and device

Info

Publication number: CN111988260B
Authority: CN (China)
Prior art keywords: key, symmetric key, symmetric, service, application
Legal status: Active
Application number: CN201910423265.5A
Other languages: Chinese (zh)
Other versions: CN111988260A (en)
Inventors: 夏坚, 李亚麟, 刘国庆, 周雷
Current assignee: Quantumctek Co Ltd
Original assignee: Quantumctek Co Ltd
Application filed by Quantumctek Co Ltd
Priority to CN201910423265.5A
Publication of CN111988260A
Application granted
Publication of CN111988260B
Anticipated expiration

Classifications

    • H: ELECTRICITY
        • H04: ELECTRIC COMMUNICATION TECHNIQUE
            • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00: Network architectures or network communication protocols for network security
                    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
                    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                            • H04L63/0435: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
                    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
                • H04L67/00: Network arrangements or protocols for supporting network services or applications
                    • H04L67/50: Network services
                        • H04L67/56: Provisioning of proxy services
                • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                            • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                                • H04L9/0822: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
                            • H04L9/0852: Quantum cryptography

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a symmetric key management system comprising a symmetric key management service master module, a symmetric key management service submodule, an application service agent module and a key source infrastructure, wherein: the symmetric key management service master module is used for issuing the corresponding key management strategy to the symmetric key management service submodules; the symmetric key management service submodule is used for generating a service key pool from the symmetric keys acquired from the key source infrastructure according to the corresponding key management strategy; the application service agent module is used for transmitting the symmetric keys in the service key pool to the storage space of the corresponding application platform through a preset interface; and the key source infrastructure is used for generating symmetric keys. The system realizes unified management of the symmetric keys used by different services, and avoids the problems of the island-type (siloed) key management method, which cannot be placed under unified security supervision and is prone to the weakest-link ("shortest stave of the barrel") effect.

Description

Symmetric key management system, transmission method and device
Technical Field
The present invention relates to the technical field of key management, and in particular, to a symmetric key management system, a transmission method, and an apparatus.
Background
The core of a symmetric encryption system lies in the management and protection of keys: the system must guarantee key synchronization between communicating nodes and the security of keys during generation, storage and use.
The inventors studied the existing symmetric key management process and found that the island-type (siloed) key management method cannot be placed under unified security supervision and is prone to the weakest-link ("shortest stave of the barrel") effect.
Disclosure of Invention
In view of the above, the present invention provides a symmetric key management system, a transmission method and an apparatus, so as to solve the problems of the prior art, in which an island-type key management method cannot perform unified security supervision and is prone to the weakest-link ("shortest stave of the barrel") effect. The specific scheme is as follows:
A symmetric key management system comprises a symmetric key management service master module, a symmetric key management service submodule, an application service agent module and a key source infrastructure, wherein:
the symmetric key management service master module is connected with the symmetric key management service submodules and is used for generating key management strategies and sending the corresponding key management strategy to each symmetric key management service submodule;
the symmetric key management service submodule is connected with the key source infrastructure and is used for generating a service key pool from the symmetric keys acquired from the key source infrastructure according to the corresponding key management strategy;
the application service agent module is connected with the symmetric key management service submodule and is used for transmitting the symmetric keys in the service key pool to the storage space of the corresponding application platform through a preset interface;
and the key source infrastructure is used for generating symmetric keys.
In the foregoing system, optionally, the symmetric key management service master module includes an application registration submodule, an information auditing submodule, a strategy issuing submodule and a synchronous confirmation submodule, wherein:
the application registration submodule is used for registering an application in the management system;
the information auditing submodule is used for auditing the registration information;
the strategy issuing submodule is used for selecting and issuing the key management strategy corresponding to the currently registered user;
and the synchronous confirmation submodule is used, when the same application exists in several symmetric key management service submodules, for confirming whether the key management strategies in those submodules are the same and whether the symmetric keys adopted in those submodules are synchronized.
In the above system, optionally, the symmetric key management service sub-module includes: a service key pool layer, a key strategy processing layer and a basic key pool layer, wherein:
the basic key pool layer is used for acquiring a symmetric key of the key source infrastructure;
the key strategy processing layer is connected with the basic key pool layer and is used for processing the acquired symmetric key according to the corresponding key management strategy;
and the service key pool layer is connected with the key strategy processing layer and is used for distributing the processed symmetric keys to the corresponding service key pools.
Optionally, in the system described above, the symmetric key management service submodule further includes a backup submodule, wherein:
the backup submodule is connected with the basic key pool layer and the service key pool layer and is used for backing up the symmetric keys of the basic key pool layer and the service key pool layer.
Optionally, in the system described above, the symmetric key management service submodule further includes an updating submodule, wherein:
the updating submodule is connected with the basic key pool layer and the service key pool layer and is used for updating the symmetric keys of the basic key pool layer and the service key pool layer.
Optionally, in the above system, the key source infrastructure includes a quantum key source infrastructure and a traditional (classical-algorithm) key source infrastructure.
A symmetric key transmission method adopted in the management system includes:
when a target symmetric key transmission request is received, encrypting the target symmetric key with a first transmission encryption key to obtain a first symmetric key;
in the symmetric key management service submodule, decrypting the first symmetric key with a first transmission decryption key to obtain the target symmetric key, encrypting the target symmetric key with a first storage encryption key to obtain a second symmetric key, decrypting the second symmetric key with a first storage decryption key to obtain the target symmetric key, and encrypting the target symmetric key with a second transmission encryption key to obtain a third symmetric key;
and transmitting the third symmetric key to the application service agent module for decryption by the corresponding application to obtain the target symmetric key.
Optionally, the above method further includes:
storing the second symmetric key in the symmetric key management service submodule.
Optionally, in the foregoing method, transmitting the third symmetric key to the application service agent module for decryption by the corresponding application to obtain the target symmetric key includes:
when a transfer instruction is received, transferring the third symmetric key to the corresponding application;
and, in the corresponding application, decrypting the third symmetric key with a second transmission decryption key to obtain the target symmetric key, encrypting the target symmetric key with a second storage encryption key to obtain a fourth symmetric key, and decrypting the fourth symmetric key with a second storage decryption key to obtain the target symmetric key.
A symmetric key transmission apparatus used in the management system includes:
an encryption unit, used for encrypting the target symmetric key with a first transmission encryption key when a target symmetric key transmission request is received, to obtain a first symmetric key;
an encryption and decryption unit, used for decrypting the first symmetric key with a first transmission decryption key in the symmetric key management service submodule to obtain the target symmetric key, encrypting the target symmetric key with a first storage encryption key to obtain a second symmetric key, decrypting the second symmetric key with a first storage decryption key to obtain the target symmetric key, and encrypting the target symmetric key with a second transmission encryption key to obtain a third symmetric key;
and a decryption unit, used for transmitting the third symmetric key to the application service agent module for decryption by the corresponding application to obtain the target symmetric key.
Compared with the prior art, the invention has the following advantages:
The invention discloses a symmetric key management system comprising a symmetric key management service master module, a symmetric key management service submodule, an application service agent module and a key source infrastructure, wherein: the symmetric key management service master module is used for issuing the corresponding key management strategy to the symmetric key management service submodules; the symmetric key management service submodule is used for generating a service key pool from the symmetric keys acquired from the key source infrastructure according to the corresponding key management strategy; the application service agent module is used for transmitting the symmetric keys in the service key pool to the storage space of the corresponding application platform through a preset interface; and the key source infrastructure is used for generating symmetric keys. The management system realizes unified management of the symmetric keys used by different services, and avoids the problems of the island-type (siloed) key management method, which cannot be placed under unified security supervision and is prone to the weakest-link ("shortest stave of the barrel") effect.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or of the prior art are briefly described below. It is obvious that the drawings in the following description are only some embodiments of the present invention, and that those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a symmetric key management system disclosed in an embodiment of the present application;
FIG. 2 is a further schematic diagram of a symmetric key management system according to an embodiment of the present disclosure;
FIG. 3 is a flowchart of a symmetric key transmission method disclosed in an embodiment of the present application;
FIG. 4 is a block diagram of a symmetric key transmission apparatus according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
The invention discloses a symmetric key management system, which is applied to the management of symmetric keys across different services. Its management functions mainly comprise: generation, extraction, storage and security isolation of various symmetric key sources; management and control of the key life cycle; definition and distribution of key IDs; management of encryption algorithms; and the like. Its symmetric key application services mainly comprise key application, verification, query and tracing, invocation of encryption and decryption services, a synchronous distribution protocol service, customized key application strategies, and the like. The management of symmetric keys across different services is realized on the basis of this management system. The schematic structure of the management system is shown in FIG. 1 and includes a symmetric key management service master module, a symmetric key management service submodule, an application service agent module and a key source infrastructure, wherein:
the symmetric key management service master module is connected with the symmetric key management service submodules and used for generating key management strategies and sending the corresponding key management strategies to the symmetric key management service submodules;
In the embodiment of the present invention, the symmetric key management service master module communicates over the network with each submodule, accepts and audits application-related registration information, generates the key management strategy required by each application, sends that strategy to each submodule node, and is responsible for coordinating the submodule nodes so that they provide symmetric keys to an application system synchronously, thereby ensuring interconnection and interoperability of the application encryption services. The key management strategy is pre-established and comprises parameters such as: the type of key source (quantum key, D-H key, etc.); key life cycle management (in principle a key is retained as long as the data it encrypted, for future reference; the target symmetric key, or the N-th key, may be backed up at a given time at each node of the system, such as the key source nodes, the key management submodule and the application proxy server, and the strategy specifies how long each node stores the key); key length (the encryption key length, such as 128, 256 or 1024); key update frequency (the time for which a group of keys is used, or the amount of data encrypted with it); and key freshness (ensuring that an expired key, i.e. one whose generation time exceeds a threshold, is not used). The principle for issuing a strategy is set according to the specific requirements of the registered user or the type of service application.
Wherein the symmetric key management service master module comprises: the system comprises an application registration sub-module, an information auditing sub-module, a strategy issuing sub-module and a synchronous confirmation sub-module, wherein:
the application registration submodule is used for registering the application in the management system;
the information auditing submodule is used for auditing the registration information;
the strategy issuing submodule is used for selecting and issuing a key management strategy corresponding to the current registered user;
and the synchronous confirmation submodule is used, when the same application exists in several symmetric key management service submodules, for confirming whether the key management strategies in those submodules are the same and whether the symmetric keys adopted in those submodules are synchronized.
In the implementation of the present invention, the same application may exist in different symmetric key management service submodules; to ensure that the same service application adopts the same key management strategy in every submodule, the synchronous confirmation submodule is required to confirm this for that application.
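The strategy parameters listed above (key source type, life cycle, key length, update frequency, freshness) and the synchronous confirmation across submodules can be expressed as plain checks. The following Python is an added example written for this page, not code from the patent or from Quantumctek; the field names, the generation timestamp and byte counter carried on a pooled key, and the submodule names are assumptions, since the patent only names the parameter categories.

```python
"""Key management strategy checks and synchronous confirmation.
Added example for this page, not the patent's own code. Field names, the
generation timestamp and byte counter on a pooled key, and the submodule
names are assumptions; the patent only lists the parameter categories."""
from dataclasses import dataclass, asdict
import time


@dataclass(frozen=True)
class KeyStrategy:
    """Key management strategy issued by the master module to a submodule."""
    app_id: str
    key_source: str          # key source type, e.g. "quantum" or "dh"
    key_bits: int            # key length: the patent lists 128, 256, 1024
    retention_seconds: int   # life cycle: how long each node retains the key
    max_bytes_per_key: int   # update frequency, expressed as data volume per key
    freshness_seconds: int   # a key generated longer ago than this is expired


@dataclass
class PooledKey:
    """A symmetric key in a service key pool (constructed sample record)."""
    key_id: str
    source: str
    material: bytes
    generated_at: float      # assumed timestamp written when the key was produced
    bytes_used: int = 0      # assumed counter of data encrypted under this key


def check_key_against_strategy(key, strategy, now=None):
    """Return the list of strategy violations; an empty list means the key may be issued."""
    now = time.time() if now is None else now
    problems = []
    if key.source != strategy.key_source:
        problems.append(f"source {key.source!r} does not match strategy source {strategy.key_source!r}")
    if len(key.material) * 8 != strategy.key_bits:
        problems.append(f"length is {len(key.material) * 8} bits, strategy requires {strategy.key_bits}")
    if now - key.generated_at > strategy.freshness_seconds:
        problems.append("key exceeds freshness threshold (expired)")
    if key.bytes_used >= strategy.max_bytes_per_key:
        problems.append("update frequency reached, key must be rotated")
    return problems


def retention_deadline(key, strategy):
    """Life cycle: the point in time until which every node must keep a backup of this key."""
    return key.generated_at + strategy.retention_seconds


def confirm_strategies_synchronized(app_id, submodule_strategies):
    """Synchronous confirmation: the same application registered in several
    submodules must carry identical strategies. Returns (ok, differing field names)."""
    strategies = [s for s in submodule_strategies.values() if s.app_id == app_id]
    if len(strategies) < 2:
        return True, []
    reference = asdict(strategies[0])
    differing = sorted({field for s in strategies[1:]
                        for field, value in asdict(s).items() if value != reference[field]})
    return not differing, differing


if __name__ == "__main__":
    strategy = KeyStrategy("payment-app", "quantum", 256, 365 * 24 * 3600, 1 << 30, 600)
    key = PooledKey("k-0001", "quantum", b"\x11" * 32, generated_at=time.time())
    print("violations:", check_key_against_strategy(key, strategy))
    print("in sync:", confirm_strategies_synchronized(
        "payment-app", {"sub-beijing": strategy, "sub-shanghai": strategy}))
```

A strategy issued to a submodule is immutable (frozen dataclass), so two submodules can only agree by receiving the same object from the master module; the confirmation reports the field names that differ, which is what an operator needs when the same application is registered in two regions with divergent strategies.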
The symmetric key management service submodule is connected with the key source infrastructure and used for generating a business key pool from the symmetric key acquired from the key source infrastructure according to the corresponding key management strategy;
In the embodiment of the invention, the symmetric key management service submodule extracts the corresponding symmetric keys from the key source infrastructure, generates a service key pool according to the key management strategy customized for each application, further completes the key update work within the service key pool, and completes key-related operations in cooperation with the service applications. In practical applications, the symmetric key is treated as a resource, similar to water or electricity. Basic key resources generally have universal attributes and cannot be directly matched to application services; only after secondary or multiple processing, once they fully match the requirements of the application service, can they be called directly. In the embodiment of the invention, the key pool performs this processing of the basic key resources. The symmetric key management service submodule comprises a service key pool layer, a key strategy processing layer and a basic key pool layer, whose structural block diagram is shown in FIG. 2, where:
the basic key pool layer is used for acquiring a symmetric key of the key source infrastructure;
In the embodiment of the invention, symmetric keys are securely extracted from the key source layer and managed effectively. The key source layer is generally an independent and complex system, and the service key pool layer also has strict properties; the fusion between the key source layer and the service key pool layer is completed by the basic key pool layer, which also provides logical isolation and buffering between them. The keys of the basic key pool layer typically carry point-to-point geographical attributes and are stored in a database. The basic key pool layer shown in FIG. 2 is described by taking a regional key pool as an example: a large organization has its own service systems in important cities such as Beijing or Shanghai and manages them according to the method shown in FIG. 2. There may also be basic key pools for different services, such as basic key pools of the operation and maintenance network, the office network and the production network within a large organization; for example, a transaction service system may be divided into basic key pools for small payments, large payments, domestic and foreign currency payments, third-party payment systems, and so on. There may also be basic key pools for different key sources, where a given service system needs to use two or more key sources, such as a DH key source (a symmetric key generated by both communicating parties using the DH algorithm) and a quantum key source, each of which also has an independent key management system.
The key strategy processing layer is connected with the basic key pool layer and is used for processing the acquired symmetric key according to the corresponding key management strategy;
In the embodiment of the invention, the key strategy processing layer extracts keys from the basic key pool layer, encrypts and decrypts the extracted keys according to the preset service key attributes and processing strategy, and transmits the processed keys to the service key pool layer.
And the service key pool layer is connected with the key strategy processing layer and is used for distributing the processed symmetric keys to the corresponding service key pools.
In the embodiment of the invention, the service key pool layer can extract keys with the corresponding attributes from the key strategy processing layer and the basic key pool layer. It is closely linked with the application service agent module, is called at a high frequency, and generally performs virtual distribution in a memory area. The service key pool layer supports multiple applications, i.e. a service key pool is customized for each application, and the application attributes of a key pool include point-to-point, point-to-multipoint, multipoint-to-multipoint and other symmetric key service attributes. Keys called out of the service key pool are filed in the database, and their life cycle matches that of the encrypted service data, so that the keys can be traced.
Wherein, the symmetric key management service submodule further comprises: a backup submodule, wherein:
the backup submodule is connected with the basic key pool layer and the service key pool layer and is used for backing up the symmetric keys of the basic key pool layer and the service key pool layer, wherein the keys in the basic key pool layer are backed up in a key pool data table, and the keys in the service key pool layer are backed up in a historical key data table.
The symmetric key management service submodule further comprises an updating submodule, wherein:
and the updating submodule is connected with the basic key pool layer and the service key pool layer and is used for updating the symmetric keys of the basic key pool layer and the service key pool layer.
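As an added illustration of the three layers and the two backup tables described above (not code from the patent or from Quantumctek), the following Python models a basic key pool fed by a key source, a processing step that derives an application-specific key of the length the strategy asks for, and a per-application service key pool whose called keys are filed into a historical key data table with a retention deadline so they can be traced by key ID. The in-memory lists standing in for the key pool data table and the historical key data table, the key ID format, the endpoint labels, and the use of HMAC-SHA256 as the processing step are assumptions.

```python
"""Basic key pool -> key strategy processing layer -> service key pool, with the
key pool data table and historical key data table backups.
Added example for this page, not the patent's own code. The in-memory tables,
key ID format, endpoint labels and HMAC-SHA256 derivation are assumptions."""
from collections import deque
import hashlib
import hmac
import secrets
import time


class BasicKeyPool:
    """Basic key pool layer: raw key material pulled from one key source, tagged with
    the point-to-point endpoints it serves, and mirrored into the key pool data table."""

    def __init__(self, source_name, endpoints):
        self.source_name = source_name
        self.endpoints = endpoints
        self.queue = deque()
        self.key_pool_table = []          # backup table for basic-layer keys (assumed structure)

    def ingest(self, key_source, n_keys, key_bytes=32):
        """key_source is a callable returning key_bytes of material (e.g. secrets.token_bytes)."""
        for _ in range(n_keys):
            record = {"key_id": f"{self.source_name}-{len(self.key_pool_table):06d}",
                      "material": key_source(key_bytes),
                      "endpoints": self.endpoints, "ingested_at": time.time()}
            self.queue.append(record)
            self.key_pool_table.append(dict(record))

    def take(self):
        return self.queue.popleft()


def process_for_application(basic_record, app_id, key_bits):
    """Key strategy processing layer: turn a basic key into an application key of the
    length the strategy asks for. Assumption: derivation by HMAC-SHA256 over the basic
    material with the application id as label, truncated to key_bits."""
    derived = hmac.new(basic_record["material"], app_id.encode(), hashlib.sha256).digest()
    if key_bits > len(derived) * 8:
        raise ValueError("requested key length exceeds what one derivation block provides")
    return {"key_id": f"{basic_record['key_id']}/{app_id}", "basic_key_id": basic_record["key_id"],
            "material": derived[: key_bits // 8], "endpoints": basic_record["endpoints"]}


class ServiceKeyPool:
    """Service key pool layer: one in-memory pool per application; every key called out
    is filed into the historical key data table with its retention deadline."""

    def __init__(self, app_id, retention_seconds):
        self.app_id = app_id
        self.retention_seconds = retention_seconds
        self.ready = deque()
        self.history_table = []           # historical key data table (assumed structure)

    def add(self, service_record):
        self.ready.append(service_record)

    def call_key(self, now=None):
        now = time.time() if now is None else now
        record = self.ready.popleft()
        self.history_table.append({**record, "called_at": now,
                                   "retain_until": now + self.retention_seconds})
        return record

    def trace(self, key_id):
        """Tracing: look a called key up by its ID in the historical key data table."""
        return next((h for h in self.history_table if h["key_id"] == key_id), None)


def run_pipeline(key_source=secrets.token_bytes, n_keys=3, app_id="payment-app",
                 key_bits=128, retention_seconds=365 * 24 * 3600, now=None):
    """Fill the basic pool, process every key for one application, call one key out."""
    basic = BasicKeyPool("quantum-bj-sh", ("beijing", "shanghai"))
    basic.ingest(key_source, n_keys)
    service = ServiceKeyPool(app_id, retention_seconds)
    while basic.queue:
        service.add(process_for_application(basic.take(), app_id, key_bits))
    called = service.call_key(now)
    return basic, service, called


if __name__ == "__main__":
    basic, service, called = run_pipeline()
    print("called key", called["key_id"], "traceable:", service.trace(called["key_id"]) is not None)
```

The service-layer key carries its basic key ID, so a traced history entry leads back to the key pool data table entry it was processed from; the basic material itself is never handed to the application, only the per-application derivation.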
The application service agent module is connected with the symmetric key management service submodule and is used for transmitting the symmetric key in the service key pool to the storage space of the corresponding application platform through a preset interface;
In the embodiment of the present invention, the application service agent module may provide service-class interface functions (e.g. key acquisition, key query, key verification and encryption/decryption interfaces) to an application, and is responsible for communicating with the symmetric key management service submodule nodes, synchronously issuing symmetric keys to the storage space of the corresponding application platform, and ensuring the consistency of the application's symmetric keys.
The key source infrastructure is to generate a symmetric key.
In an embodiment of the present invention, the key source infrastructure module is a software module or a hardware facility (for example, a quantum key distribution terminal, a quantum random number generator, a classical password generation device, and the like) for generating a symmetric key.
The invention discloses a symmetric key management system comprising a symmetric key management service master module, a symmetric key management service submodule, an application service agent module and a key source infrastructure, wherein: the symmetric key management service master module is used for issuing the corresponding key management strategy to the symmetric key management service submodules; the symmetric key management service submodule is used for generating a service key pool from the symmetric keys acquired from the key source infrastructure according to the corresponding key management strategy; the application service agent module is used for transmitting the symmetric keys in the service key pool to the storage space of the corresponding application platform through a preset interface; and the key source infrastructure is used for generating symmetric keys. The management system realizes unified management of the symmetric keys used by different services, and avoids the problems of the island-type (siloed) key management method, which cannot be placed under unified security supervision and is prone to the weakest-link ("shortest stave of the barrel") effect.
Furthermore, the symmetric key management system is extensible and can integrate different symmetric key sources, including quantum key sources produced by quantum key distribution technology.
In the embodiment of the invention, in accordance with the existing relevant security standards, the transmission link and the storage link of a key must be protected by encryption under a corresponding transmission protection key and storage protection key, so that the key is never exposed in plaintext in any link it passes through or in the system.
The communication cryptographic service is based on a security device, the HSM (hardware security module), which serves as the computing platform of the communication cryptographic service and is responsible for completing the encryption, decryption and cryptographic computation of keys while ensuring that no key is leaked. That is, the HSM receives the key ciphertext and the service data, completes the cryptographic processing internally, and returns the computation result; after the computation is complete, the HSM no longer caches the key data.
The method flow of the management system in the process of key transmission is shown in fig. 3, and includes the steps of:
S101, when a target symmetric key transmission request is received, encrypting the target symmetric key with a first transmission encryption key to obtain a first symmetric key;
In the embodiment of the invention, the target symmetric key is the symmetric key to be transmitted. The target symmetric key is obtained and encrypted under the first transmission encryption key to obtain the first symmetric key; this encryption is carried out in the corresponding HSM. The first transmission encryption key is the encryption key corresponding to the target symmetric key, and the first transmission decryption key corresponding to it is stored in the symmetric key management service submodule; the first transmission encryption key and the first transmission decryption key together are defined as a key group.
S102, in the symmetric key management service submodule, decrypting the first symmetric key with the first transmission decryption key to obtain the target symmetric key, encrypting the target symmetric key with a first storage encryption key to obtain a second symmetric key, decrypting the second symmetric key with the first storage decryption key to obtain the target symmetric key, and encrypting the target symmetric key with a second transmission encryption key to obtain a third symmetric key;
In the embodiment of the invention, the first symmetric key is transmitted to the symmetric key management service submodule. In the HSM of that submodule, the first symmetric key is decrypted with the first transmission decryption key to obtain the target symmetric key, the target symmetric key is encrypted with the first storage encryption key to obtain the second symmetric key, the second symmetric key is decrypted with the first storage decryption key to obtain the target symmetric key again, and the target symmetric key is encrypted with the second transmission encryption key to obtain the third symmetric key. The second symmetric key is stored in the symmetric key management service submodule.
S103, transmitting the third symmetric key to the application service agent module for decryption by the corresponding application to obtain the target symmetric key.
In the embodiment of the invention, when a transfer instruction is received, the third symmetric key is transferred to the corresponding application; in that application, the third symmetric key is decrypted with a second transmission decryption key to obtain the target symmetric key, the target symmetric key is encrypted with a second storage encryption key to obtain a fourth symmetric key, and the fourth symmetric key is decrypted with a second storage decryption key to obtain the target symmetric key. The transfer instruction may be a synchronization instruction of each application service agent module; the embodiment of the present invention does not specifically limit the transfer instruction.
In the embodiment of the invention, the transmission method supports access to multiple key sources, including the coexistence of quantum key sources and traditional-algorithm key sources, and supports point-to-point, point-to-multipoint and multipoint-to-multipoint synchronous distribution of symmetric keys.
In the embodiment of the invention, the transmission method further comprises, when the target symmetric keys come from a plurality of key sources, assigning each key source its own protection key group for encryption and decryption, so that the different key sources remain securely isolated from one another. The key groups may be pre-loaded into the HSM.
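The wrap-and-rewrap chain of S101 to S103, together with the per-key-source protection key groups just described, is easier to follow as code. The following Go program is an added illustration and is not part of the patent or of any Quantumctek product. It assumes AES-256-GCM as the wrapping algorithm (the patent names none), so each "key group" collapses to a single 32-byte secret that serves as both encryption and decryption key; it binds every wrapped key to its key-source identifier through GCM's additional authenticated data so that a blob wrapped for one source cannot be unwrapped under another source's group; and the names StepS102, StepS103, RunChain, wrap and unwrap, as well as the string-derived demo key groups, are constructed for the example. The HSM boundary is represented only by comments; in a deployment the key groups would never leave the module.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyGroup models the patent's "key group" (an encryption key plus the decryption key that
// undoes it). AES-256-GCM is an assumption; with it both halves are one 32-byte HSM secret.
type KeyGroup [32]byte

// newKeyGroup derives a constructed demo group from a name; real groups are generated and pre-loaded in the HSM.
func newKeyGroup(name string) KeyGroup {
	return KeyGroup(sha256.Sum256([]byte("demo-key-group:" + name)))
}

func gcmFor(kg KeyGroup) cipher.AEAD {
	block, _ := aes.NewCipher(kg[:]) // cannot fail: the key is always 32 bytes
	gcm, _ := cipher.NewGCM(block)   // cannot fail for an AES block cipher
	return gcm
}

// wrap encrypts key material under kg, binding it to the key-source label via GCM AAD; layout: nonce || ciphertext || tag.
func wrap(kg KeyGroup, plaintext, source []byte) ([]byte, error) {
	gcm := gcmFor(kg)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, source), nil
}

// unwrap reverses wrap; it fails if the blob was wrapped under another key group (such as
// the group of a different key source), under another label, or has been truncated.
func unwrap(kg KeyGroup, blob, source []byte) ([]byte, error) {
	gcm := gcmFor(kg)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("wrapped key too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], source)
}

// StepS102 (management submodule HSM): unwrap the first symmetric key, wrap it under the first storage key
// ("second symmetric key", kept in the pool), unwrap that stored form, and wrap it under the second transmission key.
func StepS102(transport1, storage1, transport2 KeyGroup, first, source []byte) (second, third []byte, err error) {
	target, err := unwrap(transport1, first, source)
	if err != nil {
		return nil, nil, fmt.Errorf("S102 transport unwrap: %w", err)
	}
	if second, err = wrap(storage1, target, source); err != nil {
		return nil, nil, err
	}
	stored, err := unwrap(storage1, second, source) // the outgoing key is derived from what was actually stored
	if err != nil {
		return nil, nil, fmt.Errorf("S102 storage unwrap: %w", err)
	}
	third, err = wrap(transport2, stored, source)
	return second, third, err
}

// StepS103 (application side): unwrap with the second transmission key, wrap under the
// second storage key ("fourth symmetric key"), and unwrap that stored form for use.
func StepS103(transport2, storage2 KeyGroup, third, source []byte) (fourth, target []byte, err error) {
	plain, err := unwrap(transport2, third, source)
	if err != nil {
		return nil, nil, fmt.Errorf("S103 transport unwrap: %w", err)
	}
	if fourth, err = wrap(storage2, plain, source); err != nil {
		return nil, nil, err
	}
	target, err = unwrap(storage2, fourth, source)
	return fourth, target, err
}

// RunChain drives S101..S103 for one key source, deriving that source's own protection
// key groups so material from one source never unwraps under another source's groups.
func RunChain(source string, target []byte) (second, fourth, recovered []byte, err error) {
	t1, s1, src := newKeyGroup("transport1/"+source), newKeyGroup("storage1/"+source), []byte(source)
	t2, s2 := newKeyGroup("transport2/"+source), newKeyGroup("storage2/"+source)
	first, err := wrap(t1, target, src) // S101: performed in the key source's HSM
	if err != nil {
		return nil, nil, nil, err
	}
	second, third, err := StepS102(t1, s1, t2, first, src)
	if err != nil {
		return nil, nil, nil, err
	}
	fourth, recovered, err = StepS103(t2, s2, third, src)
	return second, fourth, recovered, err
}

func main() {
	_, _, got, err := RunChain("quantum-source-A", []byte("constructed-demo-key-material"))
	fmt.Printf("recovered %q, err %v\n", got, err)
}
```

The point worth checking in a real deployment is the one the authenticated wrapping makes explicit: the second and fourth symmetric keys are the only forms that persist, so neither should ever be decryptable outside its own HSM or under another key source's group, and an unwrap failure at S102 or S103 is a signal that material was routed to the wrong module or tampered with in transit.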
Based on the foregoing transmission method, an embodiment of the present invention further provides a symmetric key transmission apparatus, whose structural block diagram is shown in Fig. 4. The symmetric key transmission apparatus includes an encryption unit 201, an encryption/decryption unit 202 and a decryption unit 203, wherein:
the encryption unit 201 is configured to encrypt, when a target symmetric key transmission request is received, the target symmetric key with a first transmission encryption key to obtain a first symmetric key;
the encryption/decryption unit 202 is configured, in the symmetric key management service submodule, to decrypt the first symmetric key with the first transmission decryption key to obtain the target symmetric key, to encrypt the target symmetric key with a first storage encryption key to obtain a second symmetric key, to decrypt the second symmetric key with the first storage decryption key to obtain the target symmetric key, and to encrypt the target symmetric key with a second transmission encryption key to obtain a third symmetric key;
and the decryption unit 203 is configured to transmit the third symmetric key to the application service agent module for decryption by the corresponding application, so as to obtain the target symmetric key.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
It should be noted that, in this specification, the embodiments are described in a progressive manner: each embodiment focuses on its differences from the others, and for the parts that are the same or similar the embodiments may be referred to one another. Since the apparatus embodiment is essentially similar to the method embodiment, it is described only briefly; for the relevant details, reference may be made to the corresponding description of the method embodiment.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functions of the units may be implemented in the same software and/or hardware or in a plurality of software and/or hardware when implementing the invention.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present invention may be embodied in the form of software products, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and include instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The foregoing is a detailed description of the symmetric key management system, transmission method and apparatus provided by the present invention. Specific examples have been used herein to explain the principle and implementation of the invention, and the description of the above embodiments serves only to help understand the method and core idea of the invention. At the same time, a person skilled in the art may, following the idea of the invention, change the specific embodiments and their range of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (8)

1. A symmetric key management system is characterized in that the system is applied to the management of symmetric keys among different services, and the management system establishes a uniform symmetric key management platform and a symmetric key application service system on the basis of a symmetric key security system, and comprises: the system comprises a symmetric key management service master module, a symmetric key management service submodule, an application service agent module and a key source infrastructure, wherein:
the symmetric key management service master module is connected with the symmetric key management service sub-modules and used for accepting and checking application related registration information, generating key management strategies required by each application at the same time, issuing the corresponding key management strategies to the symmetric key management service sub-modules, and coordinating the sub-modules to synchronously provide symmetric keys for application systems so as to ensure interconnection and intercommunication of application encryption services, wherein the strategy issuing principle is set according to specific registered user requirements or types of service applications;
the symmetric key management service submodule is connected with the key source infrastructure and used for acquiring a symmetric key from the key source infrastructure, generating a service key pool according to each customized key management strategy of each application, completing key updating work in the service key pool and completing key related operation by matching with service application;
the application service agent module is connected with the symmetric key management service submodule and used for transmitting the symmetric keys in the service key pool to the storage space of the corresponding application platform through a preset interface;
the key source infrastructure is used for generating a symmetric key;
wherein, the symmetric key management service submodule comprises: a service key pool layer, a key strategy processing layer and a basic key pool layer, wherein:
the basic key pool layer is used for acquiring a symmetric key of the key source infrastructure, wherein the basic key pool layer plays roles of logical isolation and buffering between the key source layer and the service key pool layer;
the key strategy processing layer is connected with the basic key pool layer and is used for extracting keys from the basic key pool layer, carrying out encryption and decryption protection on the extracted keys according to a preset service key attribute and a processing strategy and transmitting the processed keys to the service key pool layer;
the service key pool layer is connected with the key strategy processing layer and is used for distributing the processed symmetric keys to corresponding service key pools, extracting corresponding attribute keys from the key strategy processing layer and the basic key pool layer at the lower part, closely linking the upper part with the application service agent module and performing virtual distribution in a memory area; the service key pool is used for storing the service keys;
wherein the key source infrastructure comprises: quantum key source infrastructure and traditional algorithmic key source infrastructure.
2. The system of claim 1, wherein the symmetric key management service master module comprises: the system comprises an application registration sub-module, an information auditing sub-module, a strategy issuing sub-module and a synchronous confirmation sub-module, wherein:
the application registration submodule is used for registering the application in the management system;
the information auditing submodule is used for auditing the registration information;
the strategy issuing submodule is used for selecting and issuing a key management strategy corresponding to the current registered user;
and the synchronous confirming submodule is used for confirming whether the key management strategies in the symmetric key management service submodules are the same or not when the same application exists in the symmetric key management service submodules, and confirming whether the symmetric keys adopted in the symmetric key management service submodules are synchronous or not.
3. The system of claim 1, wherein the symmetric key management service sub-module further comprises: a backup submodule, wherein:
and the backup submodule is connected with the basic key pool layer and the service key pool layer and is used for backing up the symmetric keys of the basic key pool layer and the service key pool layer.
4. The system of claim 1, wherein the symmetric key management service sub-module further comprises: updating the submodule, wherein:
and the updating submodule is connected with the basic key pool layer and the service key pool layer and is used for updating the symmetric keys of the basic key pool layer and the service key pool layer.
5. A symmetric key transmission method employed in the management system according to any one of claims 1 to 4, comprising:
when a target symmetric key transmission request is received, encrypting the target symmetric key by adopting a first transmission encryption key to obtain a first symmetric key;
in the symmetric key management service submodule, decrypting the first symmetric key by adopting a first transmission decryption key to obtain a target symmetric key, encrypting the target symmetric key by adopting a first storage encryption key to obtain a second symmetric key, decrypting the second symmetric key by adopting the first storage decryption key to obtain the target symmetric key, and encrypting the target symmetric key by adopting a second transmission encryption key to obtain a third symmetric key;
and transmitting the third symmetric key to the application service agent module for decryption by the corresponding application to obtain a target symmetric key.
6. The method of claim 5, further comprising:
and storing the second symmetric key in the symmetric key management service submodule.
7. The method according to claim 5 or 6, wherein passing the third symmetric key to the application service agent module for decryption by the corresponding application to obtain a target symmetric key comprises:
when a transfer instruction is received, transferring the third symmetric key to a corresponding application;
and in the corresponding application, decrypting the third symmetric key by adopting a second transmission decryption key to obtain a target symmetric key, encrypting the target symmetric key by adopting a second storage encryption key to obtain a fourth symmetric key, and decrypting the fourth symmetric key by adopting a second storage decryption key to obtain the target symmetric key.
8. A symmetric-key transmission apparatus employed in the management system according to any one of claims 1 to 4, comprising:
the encryption unit is used for encrypting the target symmetric key by adopting a first transmission encryption key when receiving a target symmetric key transmission request to obtain a first symmetric key;
the encryption and decryption unit is used for decrypting the first symmetric key by adopting a first transmission decryption key in the symmetric key management service submodule to obtain a target symmetric key, encrypting the target symmetric key by adopting a first storage encryption key to obtain a second symmetric key, decrypting the second symmetric key by adopting the first storage decryption key to obtain the target symmetric key, and encrypting the target symmetric key by adopting a second transmission encryption key to obtain a third symmetric key;
and the decryption unit is used for transmitting the third symmetric key to the application service agent module for decryption by the corresponding application to obtain a target symmetric key.
CN201910423265.5A 2019-05-21 2019-05-21 Symmetric key management system, transmission method and device Active CN111988260B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910423265.5A CN111988260B (en) 2019-05-21 2019-05-21 Symmetric key management system, transmission method and device

Publications (2)

Publication Number Publication Date
CN111988260A CN111988260A (en) 2020-11-24
CN111988260B true CN111988260B (en) 2023-01-31

Family

ID=73435906

Country Status (1)

Country Link
CN (1) CN111988260B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113541937A (en) * 2021-06-25 2021-10-22 华东师范大学 Cipher key management method based on cipher strategy
CN114520740B (en) * 2022-02-16 2023-01-10 慕思健康睡眠股份有限公司 Encryption method, device, equipment and storage medium
CN114785596A (en) * 2022-04-22 2022-07-22 贵州爱信诺航天信息有限公司 Industrial control service platform, method and storage medium based on domestic password

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016078382A1 (en) * 2014-11-20 2016-05-26 中兴通讯股份有限公司 Hsm enciphered message synchronization implementation method, apparatus and system
WO2018017168A2 (en) * 2016-04-21 2018-01-25 Alibaba Group Holding Limited System and method for encryption and decryption based on quantum key distribution
CN109660340A (en) * 2018-12-11 2019-04-19 北京安御道合科技有限公司 A kind of application system and its application method based on quantum key
CN109728902A (en) * 2018-06-01 2019-05-07 平安科技(深圳)有限公司 Key management method, equipment, storage medium and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant