CN112118245A - Key management method, system and equipment - Google Patents

Info

Publication number: CN112118245A
Application number: CN202010948890.4A
Authority: CN (China)
Prior art keywords: internet, entity, things, public key, key
Legal status: Granted (as recorded; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN112118245B (en)
Inventor: 黄珂
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd

Events
- Application filed by China United Network Communications Group Co Ltd
- Priority to CN202010948890.4A
- Publication of CN112118245A
- Application granted
- Publication of CN112118245B
- Legal status: active (current)

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
        • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
                • H04L67/10 Protocols in which an application is distributed across nodes in the network
                    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
                • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
        • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
            • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Security & Cryptography
  • Computing Systems
  • Computer Hardware Design
  • General Engineering & Computer Science
  • Health & Medical Sciences
  • General Health & Medical Sciences
  • Medical Informatics
  • Storage Device Security
  • Data Exchanges In Wide-Area Networks

Abstract

The invention discloses a key management method, system and device. The method comprises: in response to a key application message sent by a first blockchain node device, obtaining the digital identity information of a first Internet of Things (IoT) entity contained in the key application message; generating a public key and a private key of the first IoT entity corresponding to the digital identity information; determining a public key hash value of the first IoT entity, encoding the public key hash value to obtain a public key storage address of the first IoT entity, and storing the public key of the first IoT entity in a specified storage medium at the bottom layer of the blockchain according to that public key storage address; and sending the private key of the first IoT entity and the public key storage address of the first IoT entity to the first blockchain node device. According to the method provided by the embodiment of the invention, the security of IoT entities and of IoT data can be ensured.

Description

Key management method, system and equipment
Technical Field
The invention relates to the technical field of the Internet of Things (IoT), and in particular to a key management method, a key management system and key management equipment.
Background
In recent years the Internet of Things and its services have developed rapidly; the Internet of Everything is reshaping existing networks and service platforms, and at the same time the IoT and its service platforms face huge challenges.
At present, in a traditional IoT system centred on an IoT platform, the security of all IoT devices and data converges on that platform for management. With the arrival of the IoT era, IoT services and IoT data will grow geometrically; the key management workload of the IoT platform becomes large, and the security of IoT entities and IoT data cannot be guaranteed safely and efficiently.
Disclosure of Invention
Therefore, the invention provides a key management method, a key management system and key management equipment, which solve the security problem of IoT entities and IoT data caused in the prior art by the growth of IoT data.
To achieve the above object, a first aspect of the present invention provides a key management method, including: in response to a key application message sent by a first blockchain node device, obtaining the digital identity information of a first IoT entity contained in the key application message; generating a public key and a private key of the first IoT entity corresponding to the digital identity information; determining a public key hash value of the first IoT entity, encoding the public key hash value to obtain a public key storage address of the first IoT entity, and storing the public key of the first IoT entity in a specified storage medium at the bottom layer of the blockchain according to that public key storage address; and sending the private key of the first IoT entity and the public key storage address of the first IoT entity to the first blockchain node device.
A second aspect of the present invention provides a key management system, including: a receiving module, configured to respond to a key application message sent by a first blockchain node device and obtain the digital identity information of a first IoT entity contained in the key application message; a generating module, configured to generate a public key and a private key of the first IoT entity corresponding to the digital identity information; a storage module, configured to determine a public key hash value of the first IoT entity, encode the public key hash value to obtain a public key storage address of the first IoT entity, and store the public key of the first IoT entity in a specified storage medium at the bottom layer of the blockchain according to that public key storage address; and a sending module, configured to send the private key of the first IoT entity and the public key storage address of the first IoT entity to the first blockchain node device.
A third aspect of the present invention provides a key management apparatus comprising a processor, a memory, and a computer program stored in the memory and capable of running on the processor, wherein the processor executes the computer program to implement the key management method of the embodiment of the invention.
The invention has the following advantages. According to the key management method, system and device of the embodiment of the invention, the current blockchain node device can respond to the key application message of a first blockchain node device in the blockchain system, generate the public key and private key requested through that first blockchain node device, encode the generated public key and store it in the blockchain system, and send the generated private key to the first blockchain node device.
In this key management method, key application, deployment, storage and other management tasks can be completed on blockchain nodes by combining blockchain technology with IoT technology, so that the IoT system gains secure interaction and resistance to fraud, tampering and hijacking, the security of IoT entities and IoT data is guaranteed, the load on the IoT platform is relieved, and the IoT blockchain runs securely and efficiently.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention.
Fig. 1 is a schematic flowchart of a key management method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a key generation method according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of a key using method according to an embodiment of the present invention;
Fig. 4 is a schematic flowchart of a key verification method according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a key management system according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of a key management system according to another embodiment of the present invention;
Fig. 7 is a block diagram of an exemplary hardware architecture of a computing device for the key management method and system of embodiments of the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present invention, are given by way of illustration and explanation only, not limitation. It will be apparent to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present invention by illustrating examples of the present invention.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
In the embodiment of the invention it is recognised that, when IoT services and IoT data grow geometrically, the IoT platform can hardly bear the management of the related keys, and at the same time the security problems of the IoT become prominent: a centralised management mode cannot prove its own integrity, and once its database collapses it can bring a devastating disaster to the entire IoT system.
The embodiment of the invention provides a blockchain-based key management method for the IoT which, on the basis of blockchain technology and IoT technology, can manage the keys used on the IoT blockchain and guarantee the security of IoT entities and IoT data.
For better understanding of the present invention, a key management method according to an embodiment of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that these examples are not intended to limit the scope of the present disclosure.
Fig. 1 is a flowchart illustrating a key management method according to an embodiment of the present invention. As shown in Fig. 1, the key management method in the embodiment of the present invention includes the following steps:
S110, in response to a key application message sent by a first blockchain node device, obtain the digital identity information of the first IoT entity included in the key application message.
S120, generate a public key and a private key of the first IoT entity corresponding to the digital identity information.
S130, determine a public key hash value of the first IoT entity, encode the public key hash value to obtain a public key storage address of the first IoT entity, and store the public key of the first IoT entity in a designated storage medium at the bottom layer of the blockchain according to that public key storage address.
S140, send the private key of the first IoT entity and the public key storage address of the first IoT entity to the first blockchain node device.
According to the key management method provided by this embodiment, the current blockchain node device can respond to the key application message of the first blockchain node device in the blockchain system, generate the public key and private key requested through the first blockchain node device, encode the generated public key and store it in the blockchain system, and send the generated private key to the first blockchain node device. In this method the application, deployment and storage of keys are completed by combining blockchain technology with IoT technology, so that the security of IoT entities and IoT data is guaranteed, the load on the IoT platform is relieved, and the IoT blockchain can run securely and efficiently.
In step S110, the digital identity information of the first IoT entity may be information obtained by registering with a designated authority server, according to the entity information of the first IoT entity, when the first IoT entity device is started for the first time.
In an embodiment of the present invention, the entity information of an IoT entity includes one or more of the following items: IoT address, device type and real identity information.
In the embodiment of the invention, when the first IoT entity is started for the first time, it can register with an authority and generate a digital identity that represents the entity and contains authority information, based on one or more of its IoT address, device type and real identity information, and download, install and deploy a first blockchain node together with the key management system running on that node.
In one embodiment, the current blockchain node device that responds to the key application message is a blockchain node device selected from the plurality of blockchain node devices of the blockchain system according to a contention mechanism.
In this embodiment, the first IoT entity may connect to a first blockchain node device in the blockchain system through the key management system and send a first application message containing its digital identity to the blockchain system, applying for an asymmetric key pair for encryption and decryption operations; the blockchain system may then select, according to the contention mechanism, a second blockchain node device to respond to the first application message.
In an embodiment, step S120 may specifically include: S11, performing a one-way hash operation on the digital identity information of the first IoT entity with a first random function to obtain the private key of the first IoT entity; and S12, generating the public key of the first IoT entity from its private key with an asymmetric one-way encryption method.
Through steps S11-S12, the blockchain node device responding to the first application message generates, from the digital identity information of the first IoT entity, the public key and private key corresponding to that digital identity information.
In an embodiment, the part of step S130 that determines the public key hash value of the first IoT entity and encodes it to obtain the public key storage address may specifically include: S21, performing a one-way hash operation on the public key of the first IoT entity with a second random function to obtain the public key hash value of the first IoT entity; and S22, encoding the public key hash value of the first IoT entity with a one-way encoding algorithm to obtain the public key storage address of the first IoT entity.
Through steps S21-S22, the public key of the first IoT entity is processed to obtain its public key storage address.
In one embodiment, the key management method may further include the following steps.
S150, process first data to be sent to a second IoT entity with the private key of the current IoT entity and a third random function to obtain a digital signature.
S151, attach the digital signature and the third random function to the first data to obtain second data.
S152, encrypt the second data with a specified symmetric encryption key to obtain a first ciphertext, and encrypt the specified symmetric encryption key with the public key of the second IoT entity, obtained from the blockchain system via the public key storage address of the second IoT entity, to obtain a second ciphertext.
S153, send the first ciphertext and the second ciphertext to the second IoT entity.
Through steps S150 to S153, when the current IoT entity needs to send data, the data to be sent is processed with the private key of the current IoT entity and with the public key stored in the blockchain system, so as to obtain the corresponding first ciphertext and second ciphertext.
In one embodiment, step S150 may specifically include: S31, performing a one-way hash operation on the first data with the third random function to obtain a first message digest; and S32, encrypting the first message digest with the private key of the current IoT entity to obtain the digital signature.
Through steps S31-S32, the first data to be sent is processed with the random function and the private key of the current IoT entity, giving the digital signature of the current IoT entity over the first data.
In one embodiment, the specified symmetric encryption key may be a randomly generated symmetric encryption key, and the second ciphertext is a Data Encryption Standard (DES) ciphertext.
In this embodiment, the part of step S152 that encrypts the specified symmetric encryption key with the public key of the second IoT entity to obtain the second ciphertext may specifically include: S41, according to the public key storage address of the second IoT entity, obtaining the public key of the second IoT entity from the specified storage medium at the bottom layer of the blockchain system; and S42, DES-encrypting the randomly generated symmetric encryption key with the obtained public key of the second IoT entity to obtain the DES ciphertext.
Through steps S41-S42, the public key of the second IoT entity is obtained from the blockchain with its public key storage address, and the randomly generated symmetric encryption key is encrypted with it to obtain the DES ciphertext.
In one embodiment, the key management method may further include the following steps.
S160, when a first ciphertext and a second ciphertext transmitted by a third IoT entity are received, decrypt the received second ciphertext with the private key of the current IoT entity to obtain the symmetric encryption key.
S161, decrypt the received first ciphertext with the recovered symmetric encryption key to obtain the second data, which comprises the first data from the third IoT entity, the digital signature and the third random function.
S162, hash the first data with the third random function to obtain a second message digest, and decrypt the digital signature with the public key of the third IoT entity, obtained from the blockchain system via the public key storage address of the third IoT entity, to obtain a third message digest.
S163, if the second message digest and the third message digest are identical, determine that the first data from the third IoT entity has not been tampered with.
In step S163, if the second message digest and the third message digest are not identical, it is determined that the first data from the third IoT entity has been tampered with.
Through steps S160 to S163, when the current IoT entity receives the first ciphertext and the second ciphertext, it decrypts and verifies them with its own private key and with the public key of the peer IoT entity stored in the blockchain system, and determines the security of the first data from the verification result.
Fig. 2 is a schematic flowchart of a key generation method according to an embodiment of the present invention. As shown in Fig. 2, in an embodiment the key generation method may specifically include the following steps.
S201, the first IoT entity generates its digital identity information.
In this step, when the first IoT entity is started for the first time, it registers with an authority and generates a digital identity that represents the entity and contains authority information, based on its IoT address, device type and real identity information, and downloads, installs and deploys a first blockchain node together with the key management system running on that node.
S202, the first IoT entity sends a key application message to the blockchain system.
In this step, the first IoT entity device may connect to the first blockchain node through the key management system and send the blockchain system a key application message containing its digital identity information; the message applies for an asymmetric key pair for encryption and decryption operations.
S203, a second blockchain node responds to the key application message and generates the private key of the first IoT entity.
In this step, the blockchain system may select, according to a contention mechanism, a second blockchain node to respond to the first application message, and the second blockchain node performs a one-way hash operation on the digital identity of the first IoT entity with a first random function to obtain the private key of the first IoT entity.
S204, the second blockchain node generates the public key of the first IoT entity.
In this step, the second blockchain node generates the public key of the first IoT entity from its private key with an asymmetric one-way encryption algorithm.
S205, the second blockchain node calculates the public key hash value of the first IoT entity.
In this step, the second blockchain node performs a one-way hash operation on the public key of the first IoT entity with a second random function to obtain the public key hash value.
S206, the second blockchain node calculates the public key storage address of the first IoT entity.
In this step, the second blockchain node encodes the public key hash value with a one-way encoding algorithm to obtain the storage address.
S207, the second blockchain node stores the public key of the first IoT entity in a readable and writable storage medium at the bottom layer of the blockchain according to the storage address.
S208, the second blockchain node sends the private key and the public key storage address of the first IoT entity to the first blockchain node device.
Through steps S201 to S208, the first IoT entity is linked to the first blockchain node; when a key needs to be applied for, the key application message is sent to the blockchain system, the blockchain system selects by the contention mechanism the second blockchain node that responds to the application, the second blockchain node generates the private key and public key of the first IoT entity and calculates its public key storage address, stores the public key of the first IoT entity in the readable and writable storage medium at the bottom layer of the blockchain, and sends the generated private key and the public key storage address to the first blockchain node, which forwards them to the first IoT entity connected to it for the encryption and verification of data.
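Steps S11-S22 above and steps S203-S207 of Fig. 2 are the same key generation procedure. The Go program below is an added worked example, not code from the patent or from its assignee: it derives a P-256 private key from the digital identity with a keyed one-way hash (S11/S203), computes the public key as the one-way map d*G (S12/S204), hashes and base32-encodes the public key to obtain its storage address (S21-S22/S205-S206), and stores it in a map that stands in for the "readable and writable storage medium at the bottom layer of the blockchain" (S207). Every concrete choice here (the DigitalIdentity fields, the node secret, P-256, SHA-256, HMAC, base32, the function names) is an assumption of the example; the patent names none of them. Two caveats a practitioner would note. S11 derives the private key from a hash of the digital identity, and the identity fields the text lists (IoT address, device type) are not secret; with an unkeyed hash anyone who knows them can recompute the private key, so the example keys the hash with a secret held by the responding node. And whichever node answers the application knows the entity's private key and sends it over the network (S208): the scheme is key escrow by construction, which is consistent with its H04L9/0894 classification and is a trust assumption to make explicit, not to overlook.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base32"
	"errors"
	"fmt"
	"math/big"
)

// DigitalIdentity stands in for the entity's "digital identity information"
// (the embodiment lists IoT address, device type and real identity information).
type DigitalIdentity struct {
	Address, DeviceType, RealID string
}

func (id DigitalIdentity) Bytes() []byte {
	return []byte(id.Address + "\x00" + id.DeviceType + "\x00" + id.RealID)
}

// DerivePrivateKey is step S11/S203: a one-way hash of the identity becomes the
// private scalar. Keying the hash with a secret held by the responding node is an
// assumption added here; an unkeyed hash of public identity fields is recomputable.
func DerivePrivateKey(nodeSecret []byte, id DigitalIdentity) (*ecdsa.PrivateKey, error) {
	curve := elliptic.P256()
	mac := hmac.New(sha256.New, nodeSecret)
	mac.Write(id.Bytes())
	d := new(big.Int).SetBytes(mac.Sum(nil))
	d.Mod(d, curve.Params().N)
	if d.Sign() == 0 {
		return nil, errors.New("derived scalar is zero")
	}
	// Step S12/S204: the public key d*G is the one-way map from private to public key.
	priv := &ecdsa.PrivateKey{D: d}
	priv.Curve = curve
	priv.X, priv.Y = curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return priv, nil
}

// PublicKeyAddress is steps S21-S22/S205-S206: hash the public key with a second
// hash function, then encode the digest to obtain the storage address.
func PublicKeyAddress(pub *ecdsa.PublicKey) string {
	digest := sha256.Sum256(elliptic.Marshal(pub.Curve, pub.X, pub.Y))
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(digest[:])
}

// PublicKeyStore stands in for the "readable and writable storage medium at the
// bottom layer of the blockchain": public keys indexed by their storage address.
type PublicKeyStore map[string][]byte

// Put is step S207: the key is stored under the address it hashes to, and that
// address is returned to the caller.
func (s PublicKeyStore) Put(pub *ecdsa.PublicKey) string {
	addr := PublicKeyAddress(pub)
	s[addr] = elliptic.Marshal(pub.Curve, pub.X, pub.Y)
	return addr
}

// Get is the lookup of steps S41/S404: fetch by address and re-check the hash, so
// an entry modified in the storage medium is detected instead of trusted.
func (s PublicKeyStore) Get(addr string) (*ecdsa.PublicKey, error) {
	raw, ok := s[addr]
	if !ok {
		return nil, errors.New("no public key stored at address " + addr)
	}
	x, y := elliptic.Unmarshal(elliptic.P256(), raw)
	if x == nil {
		return nil, errors.New("stored value is not a valid P-256 point")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
	if PublicKeyAddress(pub) != addr {
		return nil, errors.New("stored public key does not match its address")
	}
	return pub, nil
}

// RespondToKeyApplication is the work of the node selected to answer the key
// application, steps S203-S208; the caller returns priv and addr to the requester.
func RespondToKeyApplication(nodeSecret []byte, store PublicKeyStore, id DigitalIdentity) (*ecdsa.PrivateKey, string, error) {
	priv, err := DerivePrivateKey(nodeSecret, id)
	if err != nil {
		return nil, "", err
	}
	return priv, store.Put(&priv.PublicKey), nil
}

func main() {
	id := DigitalIdentity{Address: "iot://sensor-17", DeviceType: "temperature-sensor", RealID: "SN-0001"} // constructed sample
	store := PublicKeyStore{}
	priv, addr, err := RespondToKeyApplication([]byte("example-node-secret"), store, id)
	if err != nil {
		panic(err)
	}
	pub, err := store.Get(addr)
	fmt.Printf("address=%s lookup=%v same-key=%v\n", addr, err, err == nil && pub.X.Cmp(priv.X) == 0)
}
```

Because the storage address is the hash of the public key, the store is content-addressed: Get re-derives the address from what it reads back, so an entry altered in the storage medium fails the check instead of being served as a peer's key. What the check cannot catch is the node secret or the derivation itself being compromised, since every key the node has issued can then be regenerated from the public identity fields.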
Fig. 3 is a flowchart illustrating a key using method according to an embodiment of the present invention. As shown in Fig. 3, in an embodiment the key using method may be applied at a data sending end, for example a first IoT entity, and may include the following steps.
S301, calculate a first message digest of the first data to be sent to a second IoT entity.
In this step, the first IoT entity performs a one-way hash operation on the first data to be sent to the second IoT entity with a third random function to obtain the first message digest.
S302, encrypt the first message digest with the private key of the first IoT entity to obtain a digital signature.
S303, append the digital signature and the third random function to the first data to obtain second data.
S304, randomly generate a symmetric encryption key and encrypt the second data with it to obtain a first ciphertext.
S305, obtain the public key of the second IoT entity from the blockchain with the public key storage address of the second IoT entity, and encrypt the randomly generated symmetric encryption key with it to obtain a DES ciphertext.
S306, send the first ciphertext and the DES ciphertext to the second IoT entity.
Through steps S301 to S306, when the first IoT entity needs to send the first data to the second IoT entity, the data is encrypted with the private key of the first IoT entity and with the public key of the second IoT entity found at its public key storage address in the blockchain system, and the resulting ciphertexts are sent to the second IoT entity.
Fig. 4 is a flowchart illustrating a key verification method according to an embodiment of the present invention. As shown in Fig. 4, in one embodiment the key verification method is applied at a third IoT entity and may include the following steps.
S401, when a first ciphertext and a DES ciphertext from the first IoT entity are received, decrypt the received DES ciphertext with the private key of the current IoT entity to obtain the symmetric encryption key.
S402, decrypt the first ciphertext with the symmetric encryption key to obtain the second data, which comprises the first data, the digital signature and the third random function.
S403, hash the first data with the third random function to obtain a second message digest.
S404, obtain the public key of the first IoT entity from the blockchain with the public key storage address of the first IoT entity, and decrypt the digital signature obtained in step S402 with it to obtain a third message digest.
S405, compare the second message digest with the third message digest; if they are identical, the first data is proven not to have been tampered with.
Through steps S401 to S405, when the current IoT entity receives the first ciphertext and the second ciphertext, it decrypts and verifies them with its own private key and with the public key of the peer IoT entity stored in the blockchain system, and determines the security of the first data from the verification result.
In the embodiment of the invention, an entity of the internet of things can connect the block chain nodes through a key management system to jointly complete management of key application, deployment, storage, use, verification and the like, and a receiving module is used for receiving data or instructions sent by other nodes of the block chain; the generating module is used for generating a public key and a private key according to information such as a block chain address of an entity of the Internet of things; the storage module is used for storing the key or the identity information of the entity of the Internet of things; the verification module is used for verifying the correctness and integrity of data or instructions sent by the entity of the Internet of things; the sending module is used for sending data or instructions to other block chain nodes.
For a better understanding of the present invention, a key management system according to an embodiment of the present invention will be described in detail below with reference to the accompanying drawings.
Fig. 5 is a flowchart illustrating a key management system according to an embodiment of the present invention. As shown in FIG. 5, in one embodiment, a key management system may include the following modules.
The receiving module 510 is configured to, in response to a key application message sent by the first block chain node device, obtain the digital identity information of a first Internet of Things entity contained in the key application message.
The generating module 520 is configured to generate a public key and a private key of the first internet of things entity corresponding to the digital identity information.
The storage module 530 is configured to determine a public key hash value of the first Internet of Things entity, encode the public key hash value to obtain a public key storage address of the first Internet of Things entity, and store the public key of the first Internet of Things entity to a specified storage medium at the bottom layer of the block chain according to the public key storage address of the first Internet of Things entity.
The sending module 540 is configured to send the private key of the first Internet of Things entity and the public key storage address of the first Internet of Things entity to the first block chain node device.
In one embodiment, the generating module 520 may include: the private key generation unit is used for performing one-way hash operation on the digital identity information of the first Internet of things entity by using a first random function to obtain a private key of the first Internet of things entity; and the public key generating unit is used for generating the public key of the first Internet of things entity by using an asymmetric one-way encryption method according to the private key of the first Internet of things entity.
In one embodiment, the storage module 530 may include: the public key hash value calculation unit is used for performing one-way hash operation on the public key of the first Internet of things entity by using a second random function to obtain a public key hash value of the first Internet of things entity; and the encoding unit is used for encoding the public key hash value of the first Internet of things entity by using a one-way encoding algorithm to obtain a public key storage address of the first Internet of things entity.
In one embodiment, the local blockchain node device responding to the key application message is a blockchain node device selected from a plurality of blockchain node devices of the blockchain system according to a contention mechanism.
In one embodiment, the digital identity information of the first internet of things entity is information obtained by registering the first internet of things entity equipment with a designated authority server according to the entity information of the first internet of things entity when the first internet of things entity equipment is started for the first time; wherein the entity information comprises one or more of the following information items: internet of things address, device type and real identity information.
According to the key management system provided by the embodiment of the invention, the application, deployment and storage of the key can be completed by combining the block chain technology and the Internet of things technology, so that the safety of an Internet of things entity and Internet of things data is ensured, the pressure of an Internet of things platform is reduced, and the block chain of the Internet of things can operate safely and efficiently.
Fig. 6 is a flowchart of a key management system according to another embodiment of the present invention. The same or equivalent structures in fig. 6 and 5 are given the same reference numerals. The key management system shown in fig. 6 is substantially the same as the key management system shown in fig. 5, except that the key management system further includes a use module 550 and an authentication module 560.
In one embodiment, the usage module 550 may specifically include the following elements.
The digital signature unit is used for processing first data to be sent to a second Internet of Things entity by using the private key of the local Internet of Things entity and a third random function to obtain a digital signature.
The data generation unit is used for attaching the digital signature and the third random function to the first data to obtain second data.
The data encryption unit is used for encrypting the second data with the specified symmetric encryption key to obtain a first ciphertext, and for encrypting the specified symmetric encryption key by using the decryption channel corresponding to the public key address of the second Internet of Things entity in the block chain system to obtain a second ciphertext.
The sending module 540 is further configured to send the first ciphertext and the second ciphertext obtained by encryption to the second Internet of Things entity.
In an embodiment, the digital signature unit is specifically configured to perform a one-way hash operation on the first data by using the third random function to obtain a first message digest, and to encrypt the first message digest by using the private key of the local Internet of Things entity to obtain the digital signature.
In one embodiment, the specified symmetric encryption key is a randomly generated symmetric encryption key and the second ciphertext is a data encryption standard DES ciphertext.
In this embodiment, when the data encryption unit encrypts the specified symmetric encryption key by using the decryption channel corresponding to the public key address of the second Internet of Things entity in the block chain system to obtain the second ciphertext, the data encryption unit is specifically configured to: acquire the public key of the second Internet of Things entity from the specified storage medium at the bottom layer of the block chain system according to the public key storage address of the second Internet of Things entity; and perform DES encryption on the randomly generated symmetric encryption key by using the decryption channel corresponding to the public key of the second Internet of Things entity to obtain the DES ciphertext.
In this embodiment, when the current internet of things entity needs to send the first data to the second internet of things entity, data encryption is performed using the private key of the current internet of things entity and the public key of the second internet of things entity corresponding to the public key storage address of the second internet of things entity stored in the block chain system, and the obtained ciphertext is sent to the second internet of things entity.
In one embodiment, the verification module 560 may specifically include the following elements.
The first decryption unit is used, when the first ciphertext and the second ciphertext sent by a third Internet of Things entity are received, for decrypting the received second ciphertext by using the private key of the local Internet of Things entity to obtain the symmetric encryption key.
The second decryption unit is used for decrypting the received first ciphertext by using the decrypted symmetric encryption key to obtain second data, wherein the second data comprises the first data from the third Internet of Things entity, the digital signature and the third random function.
The digest acquisition unit is used for performing a hash operation on the first data by using the third random function to obtain a second message digest, and for decrypting the digital signature by using the decryption channel corresponding to the public key storage address of the third Internet of Things entity in the block chain system to obtain a third message digest.
The verification module 560 is further configured to determine that the first data from the third internet of things entity has not been tampered with if the second message digest and the third message digest are identical.
In this embodiment, when the current internet of things entity receives the first ciphertext and the second ciphertext, the current internet of things entity decrypts and verifies the data of the received first ciphertext and the second ciphertext by using the private key of the current internet of things entity and the public key of the opposite-end internet of things entity stored in the block chain system, and determines the security of the first data according to the verification result.
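The key application flow (receiving, generating and storage modules 510 to 530), the usage module 550 (steps S301 to S306) and the verification module 560 (steps S401 to S405) as one runnable walk-through. This is an example added here, not code from the patent or its applicant. The patent names no concrete algorithms, so the following are assumptions of this example: SHA-256 for the first, second and third random functions; RSA with e=65537 as the asymmetric one-way method, with the identity hash seeding the prime search so that the key pair is a deterministic one-way function of the digital identity; URL-safe base64 of the public key hash as the storage address; a Python dict standing in for the specified storage medium at the bottom layer of the block chain; and an HMAC-SHA256 keystream standing in for DES on the first ciphertext. All names (PUBLIC_KEY_STORE, generate_keypair, send, receive and the rest) are this example's own.

```python
import base64, hashlib, hmac, json, random, secrets

# Stand-in for the "specified storage medium at the bottom layer of the block chain":
# a dict keyed by public key storage address (assumption for this example only).
PUBLIC_KEY_STORE = {}
# Whitelist of accepted "third random functions": the hash name travels inside the
# second data, so a sender must not be able to select a weak algorithm for the receiver.
ALLOWED_HASHES = {"sha256", "sha3_256"}
SYM_KEY_BYTES, NONCE_BYTES = 16, 12

def _is_probable_prime(n, rng, rounds=16):
    # Miller-Rabin; witnesses come from the seeded rng so key derivation is deterministic
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(rng, bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c, rng):
            return c

def generate_keypair(identity, bits=512):
    # Key application: the "first random function" (SHA-256) hashes the digital identity;
    # its digest seeds a deterministic prime search, so the private key is a one-way
    # function of the identity and the public key (RSA, e=65537) follows from it.
    rng, e = random.Random(hashlib.sha256(identity.encode()).digest()), 65537
    while True:
        p, q = _gen_prime(rng, bits // 2), _gen_prime(rng, bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    return (n, pow(e, -1, phi)), (n, e)  # (private key, public key)

def public_key_address(pub):
    # Storage module: "second random function" (SHA-256) over the public key, then a
    # URL-safe base64 encoding of the hash as the storage address (encoding is assumed).
    digest = hashlib.sha256(json.dumps(list(pub)).encode()).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def register_public_key(pub):
    addr = public_key_address(pub)
    PUBLIC_KEY_STORE[addr] = pub
    return addr

def _keystream_xor(key, nonce, data):
    # Stand-in for the DES step: HMAC-SHA256 counter-mode keystream XORed onto the data
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def sign(priv, data, hash_name="sha256"):
    # Digital signature unit: digest with the third random function, then "encrypt" the
    # digest with the private key (textbook RSA on the raw digest, as the text describes)
    n, d = priv
    return pow(int.from_bytes(hashlib.new(hash_name, data).digest(), "big"), d, n)

def verify(pub, data, signature, hash_name):
    # Recompute the digest and compare it with the signature decrypted under the public key
    n, e = pub
    if hash_name not in ALLOWED_HASHES or not 0 < signature < n:
        return False
    return pow(signature, e, n) == int.from_bytes(hashlib.new(hash_name, data).digest(), "big")

def send(sender_priv, recipient_addr, data, hash_name="sha256"):
    # Usage module: second data = data + signature + hash name, encrypted under a fresh
    # symmetric key (first ciphertext); that key is wrapped under the recipient's public
    # key fetched from the store by its storage address (second ciphertext).
    n, e = PUBLIC_KEY_STORE[recipient_addr]
    second_data = json.dumps({"data": data.hex(), "hash": hash_name,
                              "sig": sign(sender_priv, data, hash_name)}).encode()
    sym_key, nonce = secrets.token_bytes(SYM_KEY_BYTES), secrets.token_bytes(NONCE_BYTES)
    first_ct = nonce + _keystream_xor(sym_key, nonce, second_data)
    return first_ct, pow(int.from_bytes(sym_key, "big"), e, n)

def receive(recipient_priv, sender_addr, first_ct, second_ct):
    # Verification module: unwrap the symmetric key with the local private key, decrypt the
    # first ciphertext, then check the signature against the sender's stored public key.
    # Returns (data, True) when the data is intact and (None, False) on any failure.
    n, d = recipient_priv
    k = pow(second_ct, d, n)
    if k >= 1 << (8 * SYM_KEY_BYTES):
        return None, False
    nonce, body = first_ct[:NONCE_BYTES], first_ct[NONCE_BYTES:]
    try:
        second = json.loads(_keystream_xor(k.to_bytes(SYM_KEY_BYTES, "big"), nonce, body))
        data = bytes.fromhex(second["data"])
        ok = verify(PUBLIC_KEY_STORE[sender_addr], data, int(second["sig"]), second["hash"])
    except (ValueError, KeyError, TypeError):
        return None, False
    return (data, True) if ok else (None, False)
```

Two points a practitioner would check beyond what the embodiment states: the hash name carried inside the second data is accepted only from a whitelist, since otherwise the sender picks the digest function the receiver trusts; and the signature is computed over the raw digest with no padding, which matches the text but is not how a production system should sign or wrap keys (RSA-PSS and RSA-OAEP, or an ECC scheme, with an AEAD such as AES-GCM in place of DES). Any failure in receive, including a wrong private key or a flipped ciphertext byte, collapses to (None, False) rather than surfacing partially decrypted data.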
The key management method and the key management system can operate on the block chain nodes, and the key operating on the block chain of the Internet of things is managed, so that an Internet of things entity of the Internet of things system can apply, deploy, store, execute and verify the key on the block chain, thereby realizing the safe interaction, fraud prevention, tampering prevention and hijacking prevention of the Internet of things system, ensuring the safety of the Internet of things entity and the Internet of things data, reducing the pressure of an Internet of things platform and ensuring the safe and efficient operation of the Internet of things block chain.
It is to be understood that the invention is not limited to the particular arrangements and instrumentality described in the above embodiments and shown in the drawings. For convenience and brevity of description, detailed description of a known method is omitted here, and for the specific working processes of the system, the module and the unit described above, reference may be made to corresponding processes in the foregoing method embodiments, which are not described herein again.
Fig. 7 is a block diagram of an exemplary hardware architecture of a computing device of the key management method and system of embodiments of the present invention.
As shown in fig. 7, computing device 700 includes an input device 701, an input interface 702, a central processor 703, a memory 704, an output interface 705, and an output device 706. The input interface 702, the central processing unit 703, the memory 704, and the output interface 705 are connected to each other via a bus 710, and the input device 701 and the output device 706 are connected to the bus 710 via the input interface 702 and the output interface 705, respectively, and further connected to other components of the computing device 700.
Specifically, the input device 701 receives input information from the outside and transmits it to the central processor 703 through the input interface 702; the central processor 703 processes the input information based on computer-executable instructions stored in the memory 704 to generate output information, stores the output information temporarily or permanently in the memory 704, and then transmits it to the output device 706 through the output interface 705; the output device 706 outputs the output information outside the computing device 700 for use by a user.
In one embodiment, the computing device 700 shown in fig. 7 may be implemented as a key management device that may include: a memory configured to store a program; a processor configured to execute the program stored in the memory to perform the key management method described in the above embodiments.
According to an embodiment of the invention, the process described above with reference to the flow chart may be implemented as a computer software program. For example, embodiments of the invention include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network, and/or installed from a removable storage medium.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions which, when run on a computer, cause the computer to perform the methods described in the various embodiments above. The procedures or functions described in accordance with the embodiments of the invention are wholly or partially effected when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk), among others.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.

Claims (10)

1. A key management method, comprising:
responding to a key application message sent by a first block chain node device, and acquiring digital identity information of a first Internet of things entity contained in the key application message;
generating a public key and a private key of a first Internet of things entity corresponding to the digital identity information;
determining a public key hash value of the first Internet of things entity, coding the public key hash value to obtain a public key storage address of the first Internet of things entity, and storing the public key of the first Internet of things entity to a specified storage medium at the bottom layer of a block chain according to the public key storage address of the first Internet of things entity;
and sending the private key of the first Internet of things entity and the public key storage address of the first Internet of things entity to the first block chain node device.
2. The method of claim 1, wherein generating a public key and a private key of a first internet of things entity corresponding to the digital identity information comprises:
performing one-way hash operation on the digital identity information of the first Internet of things entity by using a first random function to obtain a private key of the first Internet of things entity;
and generating a public key of the first Internet of things entity by using an asymmetric one-way encryption method according to the private key of the first Internet of things entity.
3. The method of claim 1, wherein the determining a public key hash value of the first internet of things entity, and encoding the public key hash value to obtain a public key storage address of the first internet of things entity comprises:
performing one-way hash operation on the public key of the first Internet of things entity by using a second random function to obtain a public key hash value of the first Internet of things entity;
and encoding the public key hash value of the first Internet of things entity by using a one-way encoding algorithm to obtain a public key storage address of the first Internet of things entity.
4. The method according to any one of claims 1 to 3,
the local block chain node device responding to the key application message is a block chain node device selected from a plurality of block chain node devices of a block chain system according to a competition mechanism;
the digital identity information of the first internet of things entity is information obtained by registering to a server of a specified authority department according to the entity information of the first internet of things entity when the first internet of things entity equipment is started for the first time; wherein the entity information comprises one or more of the following information items: internet of things address, device type and real identity information.
5. The method according to any one of claims 1-3, further comprising:
processing first data to be sent to a second Internet of things entity by using a private key of the local Internet of things entity and a third random function to obtain a digital signature;
attaching the digital signature and the third random function to the first data to obtain second data;
encrypting the second data through a specified symmetric encryption key to obtain a first ciphertext, and encrypting the specified symmetric encryption key by using a decryption channel corresponding to the public key address of the second Internet of things entity in the block chain system to obtain a second ciphertext;
and sending the first ciphertext and the second ciphertext obtained by encryption to the second Internet of things entity.
6. The method according to claim 5, wherein the processing the first data to be sent to the second Internet of things entity by using the private key of the local Internet of things entity and the third random function to obtain the digital signature comprises:
performing one-way hash operation on the first data by using a third random function to obtain a first message digest;
and encrypting the first message digest by using the private key of the local Internet of things entity to obtain a digital signature.
7. The method according to claim 5, wherein the specified symmetric encryption key is a randomly generated symmetric encryption key, and the second ciphertext is a Data Encryption Standard (DES) ciphertext; the encrypting the specified symmetric encryption key by using a decryption channel corresponding to the public key address of the second Internet of things entity in the block chain system to obtain a second ciphertext comprises:
acquiring the public key of the second Internet of things entity from a specified storage medium at the bottom layer of the block chain system according to the public key storage address of the second Internet of things entity;
and performing DES encryption on the randomly generated symmetric encryption key by using a decryption channel corresponding to the public key of the second Internet of things entity to obtain the DES ciphertext.
8. The method according to any one of claims 1-3, further comprising:
when the first ciphertext and the second ciphertext transmitted by a third Internet of things entity are received, decrypting the received second ciphertext by using the private key of the local Internet of things entity to obtain a symmetric encryption key;
decrypting the received first ciphertext by using the decrypted symmetric encryption key to obtain second data, wherein the second data comprises the first data from the third Internet of things entity, a digital signature and a third random function;
performing hash operation on the first data by using the third random function to obtain a second message digest, and decrypting the digital signature by using a decryption channel corresponding to a public key storage address of the third Internet of things entity in the block chain system to obtain a third message digest;
and if the second message digest and the third message digest are identical, determining that the first data from the third Internet of things entity has not been tampered with.
9. A key management system, comprising:
the receiving module is used for responding to a key application message sent by the first block chain node device and acquiring digital identity information of a first Internet of things entity contained in the key application message;
the generating module is used for generating a public key and a private key of a first Internet of things entity corresponding to the digital identity information;
the storage module is used for determining a public key hash value of the first internet of things entity, coding the public key hash value to obtain a public key storage address of the first internet of things entity, and storing the public key of the first internet of things entity to a specified storage medium at the bottom layer of the block chain according to the public key storage address of the first internet of things entity;
the sending module is used for sending the private key of the first Internet of things entity and the public key storage address of the first Internet of things entity to the first block chain node device.
10. A key management device, characterized by comprising: a processor, a memory, and a computer program stored on the memory and executable on the processor, wherein,
the processor, when executing the computer program, implements the method of any of claims 1 to 8.
CN202010948890.4A 2020-09-10 2020-09-10 Key management method, system and equipment Active CN112118245B (en)

Publications (2)

Publication Number Publication Date
CN112118245A true CN112118245A (en) 2020-12-22
CN112118245B CN112118245B (en) 2023-01-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant