CN112152978B - Key management method, device, equipment and storage medium - Google Patents


Info

Publication number
CN112152978B
Authority
CN
China
Prior art keywords
key
identification information
central server
information
edge node
Prior art date
Legal status
Active
Application number
CN201910576599.6A
Other languages
Chinese (zh)
Other versions
CN112152978A (en)
Inventor
王永强
Current Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Beijing Kingsoft Cloud Technology Co Ltd
Original Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Beijing Kingsoft Cloud Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Kingsoft Cloud Network Technology Co Ltd and Beijing Kingsoft Cloud Technology Co Ltd
Priority to CN201910576599.6A (CN112152978B)
Priority to PCT/CN2020/098174 (WO2020259606A1)
Publication of CN112152978A
Application granted
Publication of CN112152978B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party

Abstract

The embodiment of the invention provides a key management method, a device, equipment and a storage medium, wherein the method comprises the following steps: an edge node in a Content Delivery Network (CDN) determines identification information corresponding to a domain name of a key to be obtained, and sends a request message carrying the identification information corresponding to the domain name of the key to be obtained to a central server in the CDN; the central server in the CDN receives a request message which is sent by an edge node in the CDN and carries identification information corresponding to a domain name of a key to be obtained, and returns information; and the edge node in the CDN receives the information returned by the central server and stores the secret key into a preset storage area under the condition that the information comprises the secret key corresponding to the identification information. The embodiment of the invention can improve the security of key storage.

Description

Key management method, device, equipment and storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for managing keys.
Background
With the development of information technology, a user can store data such as source code in a cloud storage system. The data is generally encrypted and stored in the cloud storage system as ciphertext, while the corresponding key is stored on other equipment; keeping the ciphertext and the key separate improves the security of the data. In cryptography, a key is secret information used to perform cryptographic operations such as encryption, decryption and integrity verification.
In the prior art, one storage method for a key is as follows: the key is stored in a configuration file of a CDN (Content Delivery Network) edge node, either in plain text or under simple symmetric encryption. For example, the key sadgsdafbgxcnhfg corresponding to the client domain name a.com is stored, in plain text or under simple symmetric encryption, in the configuration file nginx_a_com.conf that corresponds to that client domain name. Here nginx is a high-performance HTTP (HyperText Transfer Protocol) and reverse-proxy Web (World Wide Web) server, and .conf is an abbreviation of config, i.e. a configuration file; such files hold configuration information (for example hardware driver installation settings) and are mostly used when accessing the edge node.
In the prior art, a key is stored in a configuration file corresponding to a customer domain name in a CDN edge node, however, when the configuration file is leaked, the key of the customer stored in the configuration file may be leaked, so that security of key storage is low, and further when the key of the customer is leaked, relevant data of the customer is leaked, which causes potential loss to the customer.
Disclosure of Invention
Embodiments of the present invention provide a key management method, device, apparatus, and storage medium, so as to improve security of key storage. The specific technical scheme is as follows:
in a first aspect, an embodiment of the present invention provides a key management method, which is applied to an edge node in a content delivery network CDN, and the method includes:
determining identification information corresponding to a domain name of a key to be acquired;
sending a request message to a central server in the CDN, wherein the request message carries the identification information; the identification information is used for the central server to determine a secret key corresponding to the identification information based on a corresponding relation between an identification and a secret key stored in advance by the central server;
receiving information returned by the central server, and storing the secret key into a preset storage area under the condition that the information comprises the secret key corresponding to the identification information; the preset storage area is an area without a file system in the storage medium of the edge node.
Optionally, the step of determining the identification information corresponding to the domain name of the key to be acquired includes:
and determining the identification information according to the domain name of the key to be acquired and the corresponding relationship between the domain name and the identification which are stored in the edge node in advance.
Optionally, the step of sending the request message to a central server in the CDN includes:
determining whether a key corresponding to the domain name of the key to be acquired is stored in the preset storage area;
when the key exists, judging whether the validity period of the key exceeds a preset validity period, and when the validity period exceeds the preset validity period, sending the request message to the central server, where the request message is used to request that the central server verify whether the key corresponding to the identification information has been updated;
when the key does not exist, sending the request message to the central server, where the request message is used to request the key from the central server.
Optionally, the step of receiving information returned by the central server includes:
receiving information returned by the central server under the condition that the key is determined to be stored and the central server verifies that the key corresponding to the identification information is updated, wherein the information comprises: the updated secret key corresponding to the identification information;
receiving information returned by the central server when the key is determined to be stored and the central server verifies that the key corresponding to the identification information has not been updated, where the information includes: a first agreed code, which indicates that the key corresponding to the identification information has not been updated;
receiving information returned by the central server under the condition that the secret key does not exist, wherein the information comprises: and the key corresponding to the identification information.
Optionally, the step of determining whether the key corresponding to the domain name of the key to be acquired is stored in the preset storage area includes:
and detecting whether the preset storage area stores the key corresponding to the domain name of the key to be acquired every a first preset time period.
Optionally, the step of determining whether the validity period of the key exceeds a preset validity period includes:
and judging whether the valid period of the secret key exceeds a preset valid period every second preset time period.
Optionally, the information further includes a legitimacy verification identifier, and after receiving the information returned by the central server, the method further includes:
determining whether the source of the information is legitimate according to the legitimacy verification identifier.
In a second aspect, an embodiment of the present invention provides a key management method, which is applied to a central server in a content delivery network CDN, and the method includes:
receiving a request message sent by an edge node in the CDN, wherein the request message carries identification information corresponding to a domain name of a key to be acquired; the identification information is used for the central server to determine a secret key corresponding to the identification information based on a corresponding relation between an identification and a secret key stored in advance by the central server;
returning information to the edge node, so that, when the information includes the key corresponding to the identification information, the edge node stores the key in a preset storage area of the edge node; the preset storage area is an area without a file system in the storage medium of the edge node.
Optionally, after receiving the request message sent by the edge node in the CDN, the method further includes: when the request message is used to request verification of whether the key corresponding to the identification information has been updated, verifying whether the key corresponding to the identification information has been updated;
the step of returning information to the edge node includes:
and returning information to the edge node under the condition that the key corresponding to the identification information is verified to be updated, wherein the information comprises: the updated secret key corresponding to the identification information;
returning information to the edge node when it is verified that the key corresponding to the identification information has not been updated, where the information includes: a first agreed code, which indicates that the key corresponding to the identification information has not been updated.
Optionally, when the request message is used to request the key, the information returned to the edge node includes: the key corresponding to the identification information.
Optionally, the request message further includes verification identification information, and after receiving the request message sent by the edge node in the CDN, the method further includes:
determining whether the request message is legitimate according to the verification identification information;
when the request message is verified to be legitimate, returning information to the edge node, where the information includes a legitimacy verification identifier, which is used by the edge node to determine whether the source of the information is legitimate.
Optionally, the key includes multiple sub-keys, different sub-keys correspond to different validity periods, and the method further includes:
generating a new key after receiving an operation instruction for the key, the operation instruction being a sub-key deleting instruction, a sub-key adding instruction, or a sub-key modifying instruction;
and using the new key to update the sub-key, among the multiple sub-keys, whose validity period is closest to the preset validity period.
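The refresh and rotation logic described in the optional steps above (validity check on the edge node, update verification and the first agreed code on the central server, and replacement of the sub-key nearest to expiry), as an added example that is not code from the patent or from the assignee. Everything concrete here is an assumption: messages are Python dicts, the first agreed code is the string NOT_UPDATED, a sub-key is 32 random bytes with an expiry time, a record version number lets the server decide whether the edge node's copy is stale, and a key's validity period is measured as the age of the edge node's cached copy.

```python
"""Added example (not from the patent): edge-node validity check, central-server
update verification and sub-key rotation. See the lead-in for the assumptions."""
import secrets
from dataclasses import dataclass

NOT_UPDATED = "NOT_UPDATED"     # assumed encoding of the "first agreed code"
PRESET_VALIDITY = 3600.0        # assumed: re-check a cached key after one hour
NEW_SUBKEY_LIFETIME = 86400.0   # assumed lifetime given to a freshly generated sub-key


@dataclass
class SubKey:
    value: bytes
    expires_at: float


class CentralServer:
    """Stores identifier -> (version, sub-keys). It never sees the domain name."""

    def __init__(self, now):
        self.now = now          # injectable clock so a test can advance time
        self.records = {}       # ident -> {"version": int, "subkeys": [SubKey]}

    def provision(self, ident, lifetimes):
        subs = [SubKey(secrets.token_bytes(32), self.now() + lt) for lt in lifetimes]
        self.records[ident] = {"version": 1, "subkeys": subs}

    def rotate(self, ident, op):
        """Operation instruction (delete/add/modify): generate a new key and write
        it over the sub-key whose expiry is nearest."""
        if op not in ("delete", "add", "modify"):
            raise ValueError("unknown operation instruction: %r" % op)
        rec = self.records[ident]
        victim = min(rec["subkeys"], key=lambda s: s.expires_at)
        victim.value = secrets.token_bytes(32)
        victim.expires_at = self.now() + NEW_SUBKEY_LIFETIME
        rec["version"] += 1
        return rec["version"]

    def handle(self, ident, cached_version=None):
        """cached_version=None is a plain key request; otherwise the edge node asks
        whether its copy (that version) has been updated."""
        rec = self.records.get(ident)
        if rec is None:
            return {"error": "unknown identifier"}
        if cached_version is not None and cached_version == rec["version"]:
            return {"code": NOT_UPDATED}
        return {"version": rec["version"],
                "subkeys": [(s.value, s.expires_at) for s in rec["subkeys"]]}


class EdgeNode:
    """The cache dict stands in for the preset storage area."""

    def __init__(self, server, now):
        self.server = server
        self.now = now
        self.cache = {}         # ident -> {"version", "subkeys", "fetched_at"}

    def refresh(self, ident):
        """Returns what happened: fetched, fresh, not_updated or updated."""
        entry = self.cache.get(ident)
        if entry is None:
            info, outcome = self.server.handle(ident), "fetched"
        elif self.now() - entry["fetched_at"] > PRESET_VALIDITY:
            info, outcome = self.server.handle(ident, entry["version"]), "updated"
        else:
            return "fresh"
        if info.get("code") == NOT_UPDATED:
            entry["fetched_at"] = self.now()   # copy confirmed current; restart the clock
            return "not_updated"
        if "error" in info:
            raise KeyError(info["error"])
        self.cache[ident] = {"version": info["version"], "subkeys": info["subkeys"],
                             "fetched_at": self.now()}
        return outcome


def demo():
    """One full cycle under a fake clock; returns (outcomes, before, after, version)."""
    clock = [0.0]
    now = lambda: clock[0]
    server = CentralServer(now)
    server.provision("A", lifetimes=[600.0, 1200.0, 1800.0])
    edge = EdgeNode(server, now)
    outcomes = [edge.refresh("A"), edge.refresh("A")]   # fetched, fresh
    clock[0] += PRESET_VALIDITY + 1
    outcomes.append(edge.refresh("A"))                   # not_updated
    before = [s.value for s in server.records["A"]["subkeys"]]
    server.rotate("A", "modify")                         # replaces the 600 s sub-key
    after = [s.value for s in server.records["A"]["subkeys"]]
    clock[0] += PRESET_VALIDITY + 1
    outcomes.append(edge.refresh("A"))                   # updated
    return outcomes, before, after, edge.cache["A"]["version"]
```

The version number is what makes "has the key been updated?" answerable without the edge node sending its key material back over the wire; the patent leaves that mechanism open, so the version counter is this example's choice.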
In a third aspect, an embodiment of the present invention provides a key management apparatus, which is applied to an edge node in a content delivery network CDN, and the apparatus includes:
the determining module is used for determining the identification information corresponding to the domain name of the key to be acquired;
a first sending module, configured to send a request message to a central server in the CDN, where the request message carries the identification information, and the identification information is used for the central server to determine, based on a correspondence between an identifier and a key that are pre-stored by the central server, a key corresponding to the identification information;
a first receiving module, configured to receive information returned by the central server and, when the information includes the key corresponding to the identification information, store the key in a preset storage area, where the preset storage area is an area without a file system in the storage medium of the edge node.
Optionally, the determining module is specifically configured to:
and determining the identification information according to the domain name of the key to be acquired and the corresponding relationship between the domain name and the identification which are stored in the edge node in advance.
Optionally, the first sending module includes:
a first determining submodule, configured to determine whether the key corresponding to the domain name of the key to be acquired is stored in the preset storage area;
a first sending submodule, configured to judge, when the key is determined to exist, whether the validity period of the key exceeds a preset validity period, and to send the request message to the central server when the validity period exceeds the preset validity period, where the request message is used to request that the central server verify whether the key corresponding to the identification information has been updated;
and a second sending submodule, configured to send the request message to the central server when the key is determined not to exist, where the request message is used to request the key from the central server.
Optionally, the first receiving module includes:
a first receiving submodule, configured to receive information returned by the central server when it is determined that the key is stored and the central server verifies that the key corresponding to the identification information is updated, where the information includes: the updated secret key corresponding to the identification information;
a second receiving submodule, configured to receive information returned by the central server when it is determined that the key is stored and the central server verifies that the key corresponding to the identification information has not been updated, where the information includes: a first agreed code, which indicates that the key corresponding to the identification information has not been updated;
a third receiving submodule, configured to receive, when it is determined that the key does not exist, information returned by the central server, where the information includes: and the key corresponding to the identification information.
Optionally, the first determining submodule is specifically configured to:
and detecting whether the preset storage area stores the key corresponding to the domain name of the key to be acquired every a first preset time period.
Optionally, the first sending submodule is specifically configured to:
and judging whether the valid period of the secret key exceeds a preset valid period every second preset time period.
Optionally, the information further includes a legitimacy verification identifier, and the apparatus further includes:
a first verification module, configured to determine whether the source of the information is legitimate according to the legitimacy verification identifier.
In a fourth aspect, an embodiment of the present invention provides a key management apparatus, which is applied to a central server in a content delivery network CDN, where the apparatus includes:
the second receiving module is used for receiving a request message sent by an edge node in the CDN; the request message carries identification information corresponding to a domain name of a key to be acquired, and the identification information is used for the central server to determine the key corresponding to the identification information based on a corresponding relation between an identification and the key stored in the central server in advance;
a second sending module, configured to return information to the edge node, where the information includes a key corresponding to the identification information, so that the key is stored in a preset storage area of the edge node; the preset storage area is an area without a file system in the storage medium of the edge node.
Optionally, the apparatus further comprises:
a second verification module, configured to verify, when the request message is used to request verification of whether the key corresponding to the identification information has been updated, whether that key has been updated;
the second sending module includes:
a third sending submodule, configured to return information to the edge node when it is verified that the key corresponding to the identification information is updated, where the information includes: the updated secret key corresponding to the identification information;
a fourth sending submodule, configured to return information to the edge node when it is verified that the key corresponding to the identification information has not been updated, where the information includes: a first agreed code, which indicates that the key corresponding to the identification information has not been updated.
Optionally, when the request message is used to request the key, the information returned to the edge node includes: the key corresponding to the identification information.
Optionally, the request message further includes verification identification information, and the apparatus further includes:
a third verification module, configured to determine whether the request message is legitimate according to the verification identification information;
and a third sending module, configured to return information to the edge node when the request message is verified to be legitimate, where the information includes a legitimacy verification identifier, which is used by the edge node to determine whether the source of the information is legitimate.
Optionally, the key includes multiple sub-keys, different sub-keys correspond to different validity periods, and the apparatus further includes:
a generating module, configured to generate a new key after receiving an operation instruction for the key, the operation instruction being a sub-key deleting instruction, a sub-key adding instruction, or a sub-key modifying instruction;
and an updating module, configured to use the new key to update the sub-key, among the multiple sub-keys, whose validity period is closest to the preset validity period.
In a fifth aspect, an embodiment of the present invention provides an edge node server apparatus, including a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions executable by the processor, and the processor executes the machine-executable instructions to implement the method steps of the key management method provided in the first aspect.
In a sixth aspect, an embodiment of the present invention provides a central server device, which includes a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions executable by the processor, and the processor executes the machine-executable instructions to implement the method steps of the key management method provided in the second aspect.
In a seventh aspect, an embodiment of the present invention provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the method steps of the key management method provided in the first aspect are implemented.
In an eighth aspect, an embodiment of the present invention provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the method steps of the key management method provided in the second aspect are implemented.
In a ninth aspect, an embodiment of the present invention further provides a computer program product including instructions, which when run on a computer, causes the computer to perform the method steps of the key management method provided in the first aspect.
In a tenth aspect, embodiments of the present invention further provide a computer program product including instructions, which, when run on a computer, cause the computer to perform the method steps of the key management method provided in the second aspect.
In an eleventh aspect, an embodiment of the present invention further provides a computer program, which, when run on a computer, causes the computer to perform the method steps of the key management method provided in the first aspect.
In a twelfth aspect, an embodiment of the present invention further provides a computer program, which, when running on a computer, causes the computer to execute the method steps of the key management method provided in the second aspect.
When the key management method, device, equipment and storage medium are applied to an edge node in a CDN (content delivery network), the edge node determines the identification information corresponding to the domain name of the key to be acquired, sends a request message carrying that identification information to the central server, receives the information returned by the central server, and, when the information includes the key corresponding to the identification information, stores the key in a preset storage area. Because the preset storage area is an area without a file system in the storage medium of the edge node, it can be identified and accessed only by the edge node and is not identified by other equipment, so the security of the stored key is improved.
When the key management method, device, equipment and storage medium are applied to a central server in a CDN, the central server receives a request message, sent by an edge node in the CDN, that carries identification information corresponding to the domain name of the key to be acquired; determines the key corresponding to that identification information from the pre-stored correspondence between identifiers and keys; and returns information to the edge node so that, when the information includes the key corresponding to the identification information, the edge node stores the key in its preset storage area. Because the key is determined from the identification information carried in the request message and returned to the edge node, and because the preset storage area is an area without a file system in the storage medium of the edge node that can be identified and accessed only by the edge node, the security of key storage is improved.
Of course, it is not necessary for any product or method of practicing the invention to achieve all of the above-described advantages at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a key management method according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating an embodiment of requesting a key according to the present invention;
fig. 3 is a flowchart illustrating an embodiment of receiving a key according to the present invention;
fig. 4 is a flowchart illustrating another key management method according to an embodiment of the present invention;
fig. 5 is a flowchart illustrating an implementation of sending a key according to an embodiment of the present invention;
fig. 6 is a flowchart illustrating an implementation of a verification request according to an embodiment of the present invention;
fig. 7 is a flowchart illustrating a key update implementation according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a key management apparatus according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of an apparatus for requesting a key according to an embodiment of the present invention;
fig. 10 is a schematic structural diagram of an implementation apparatus for receiving a key according to an embodiment of the present invention;
fig. 11 is a schematic structural diagram of another key management apparatus according to an embodiment of the present invention;
fig. 12 is a schematic structural diagram of an implementation apparatus for sending a key according to an embodiment of the present invention;
fig. 13 is a schematic structural diagram of an apparatus for performing an authentication request according to an embodiment of the present invention;
fig. 14 is a schematic structural diagram of a key update implementation apparatus according to an embodiment of the present invention;
fig. 15 is a schematic structural diagram of an edge node server device according to an embodiment of the present invention;
fig. 16 is a schematic structural diagram of a central server device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the prior art, a key is stored in the configuration file corresponding to a customer domain name in a CDN edge node. Since the key lives in that configuration file, updating the key means modifying the key, and modifying the key means the configuration file must be modified. When the configuration file is leaked, the customer key stored in it may be leaked too, so the security of key storage is low; and once the customer key is leaked, the customer's related information is leaked, causing potential loss to the customer.
With reference to this, an embodiment of the present invention first provides a key management method, as shown in fig. 1, where the key management method provided in the embodiment of the present invention is applied to an edge node in a CDN, and the method may include the following steps:
S101, determining identification information corresponding to the domain name of the key to be acquired.
In the embodiment of the present invention, the correspondence between domain names and identifiers may be stored in advance in the edge node of the CDN. When a key needs to be used or managed, the identification information corresponding to the domain name of the key to be acquired may be determined from that domain name. One embodiment of determining the identification information may be:
determining the identification information according to the domain name of the key to be acquired and the correspondence between domain names and identifiers stored in advance in the edge node.
Specifically, the identifier corresponding to the domain name of the key to be acquired may be looked up in the correspondence pre-stored in the edge node, and the result is the identification information. The domain name may be a user domain name or a customer domain name, for example baidu.com, ksyun.com or souhu.com. The identification information may be A, B, C or 1, 2, 3, and so on; the embodiment of the present invention does not limit the representation of the domain name or of the identification information.
In the embodiment of the invention, the correspondence between domain names and identifiers is stored in the edge node of the CDN, while the correspondence between identifiers and keys is stored in the central server; the two correspondences are stored separately. If the central server is attacked and the identifier-to-key correspondence is revealed, an attacker who obtains a key learns only which identifier it belongs to, not which domain name, which further improves security. This separation protects the link between key and domain name only as long as the edge-side domain-to-identifier correspondence is not obtained by the same attacker.
S102, sending a request message to a central server in the CDN, where the request message carries the identification information.
After the identification information corresponding to the domain name of the key to be acquired has been determined, a request message carrying the identification information is sent to the central server in the CDN. The identification information carried in the request message is used by the central server to determine the key corresponding to it, based on the correspondence between identifiers and keys pre-stored by the central server; that is, the central server finds the key corresponding to the identification information.
In the embodiment of the present invention, one implementation of sending the request message to the central server in the CDN is shown in fig. 2 and may include:
S1021, determining whether the key corresponding to the domain name of the key to be acquired is stored in a preset storage area.
In the embodiment of the present invention, whether the key corresponding to the domain name of the key to be acquired is stored in the preset storage area may be determined by detection. One embodiment of detecting whether the key is stored may be:
detecting, every first preset time period, whether the preset storage area stores the key corresponding to the domain name of the key to be acquired.
In the embodiment of the invention, every first preset time period the edge node may check, based on the domain name of the key to be acquired, whether the preset storage area holds the corresponding key. The preset storage area may be an area in a storage medium of the CDN edge node, and each edge node may have a plurality of preset storage areas. The first preset time period may be a configured value, or a period agreed between the edge node and the central server in the CDN, for example 20 minutes, 30 minutes or 60 minutes; when a key is already stored in the preset storage area, the first preset time period may also be the validity period of the stored key, for example 1 hour or 2 hours. A person skilled in the art may set the first preset time period according to actual requirements.
The detection by the edge node in the CDN has two possible outcomes. In the first, the preset storage area does hold the key corresponding to the domain name of the key to be acquired; in this case it is further determined whether the validity period of the key has exceeded the preset validity period, and if so, step S1022 is executed. In the second, the preset storage area does not hold that key, and step S1023 is executed.
S1022, in a case where it is determined that the key exists, determining whether the validity period of the key exceeds a preset validity period, and sending a request message to the central server when it does.
When the preset storage area holds the key corresponding to the domain name of the key to be acquired, it may be judged whether the validity period of the key has exceeded the preset validity period. The preset validity period may be the validity period assigned when the key was generated, for example 1 hour or 2 hours. One embodiment of judging whether the validity period of the key exceeds the preset validity period may be:
judging, every second preset time period, whether the validity period of the key exceeds the preset validity period.
Because keys have a validity period in practice, when the key corresponding to the domain name of the key to be acquired is stored in the preset storage area, its validity period may be judged every second preset time period to ensure that the key is still valid, or is the latest key. For example, it may be determined whether the remaining validity time of the key exceeds the preset validity period. The second preset time period may be a configured value, a period agreed between the edge node and the central server in the CDN (for example 20 minutes, 30 minutes or 60 minutes), or the preset validity period of the stored key; it may be the same as the first preset time period, and a person skilled in the art may set it according to actual needs.
If the validity period of the key exceeds the preset validity period, the key is no longer valid, or is no longer the latest key. At this point a request message is sent to the central server, requesting the central server to verify whether the key corresponding to the identification information has been updated.
As an optional implementation of the embodiment of the present invention, the request message carrying the identification information may be sent to the central server in the CDN over HTTPS (Hypertext Transfer Protocol Secure, that is, HTTP over a secure transport layer), to increase the security of the request message. The request message carries a header on the HTTPS request, named If-Modified-nonce in this embodiment, so that the central server can verify whether the key has been updated after receiving the request. The If-Modified-nonce header may work as follows: when the HTTPS request message is sent, the last modification time of the key stored in the preset storage area of the edge node is sent along with it, and the central server compares that time with the actual last modification time of the key on the central server to verify whether the key has been updated. This is the same pattern as a standard HTTP conditional request with If-Modified-Since, which is answered with 304 Not Modified when the resource is unchanged.
If the validity period of the key does not exceed the preset validity period, the key is still valid, and no request message needs to be sent to the central server.
S1023, sending a request message to the central server when it is determined that the key does not exist.
When the preset storage area does not hold the key corresponding to the domain name of the key to be acquired, a request message may be sent to the central server to request the key.
Referring to fig. 1, S103, receiving information returned by the central server, and storing the key in the preset storage area when the information includes the key corresponding to the identification information.
After the request message carrying the identification information has been sent to the central server in the CDN, the central server returns corresponding information in response, and the edge node receives it. When the returned information includes the key corresponding to the identification information, the key is stored in the preset storage area. The preset storage area is an area of the edge node's storage medium that has no file system, for example a bare disk of the edge node; each edge node may have a plurality of bare disks.
In the embodiment of the invention the key is stored in the preset storage area, an area of the edge node's storage medium without a file system, so the storage area is identified and accessed only by the edge node and is not recognized by other devices, which improves the security of the stored key. Such an area is hidden from ordinary file operations and from anything that leaks through a configuration file, but it remains readable by any process with raw access to the block device, so access control on that device on the edge node still matters.
In the embodiment of the present invention, one implementation of receiving the information returned by the central server is shown in fig. 3 and may include:
S1031, receiving the information returned by the central server in a case where the key is stored and the central server verifies that the key corresponding to the identification information has been updated.
When the preset storage area holds the key corresponding to the domain name of the key to be acquired and the central server verifies that the key corresponding to the identification information has been updated, the information received from the central server may include the updated key corresponding to the identification information. The key in the preset storage area may then be replaced with the updated key, so that the key stored in the preset storage area matches the key stored in the central server and is the latest key.
As an optional implementation of the present invention, in this case the information returned by the central server includes a second designated code, which notifies the CDN edge node that the key stored in the preset storage area is not the latest and needs to be updated. Illustratively, the second designated code may be the 200 status code.
S1032, receiving the information returned by the central server in a case where the key is stored and the central server verifies that the key corresponding to the identification information has not been updated.
When the preset storage area holds the key corresponding to the domain name of the key to be acquired and the central server verifies that the key corresponding to the identification information has not been updated, the information received from the central server may include a first designated code. The first designated code indicates that the key corresponding to the identification information has not been updated, so the key stored in the preset storage area does not need to be updated. Illustratively, the first designated code may be the 304 status code.
S1033, receiving the information returned by the central server in a case where the key does not exist.
When the preset storage area does not hold the key corresponding to the domain name of the key to be acquired, the key has to be obtained from the central server, and the information received from the central server may include the key corresponding to the identification information, so that the key not yet present in the preset storage area can be stored there.
On the basis of the above embodiment, the information returned by the central server may further include a legality verification identifier. After receiving the information returned by the central server, the edge node can determine from this identifier whether the source of the information is legitimate.
Illustratively, the legality verification identifier may be an identifier of the CDN vendor. If the information returned by the central server includes the CDN vendor's identifier, the source of the information is treated as legitimate, and so is the key it contains.
In the key management method provided by the embodiment of the invention, identification information corresponding to the domain name of the key to be acquired is determined, a request message carrying the identification information is sent to the central server, information returned by the central server is received, and when the information includes the key corresponding to the identification information the key is stored in a preset storage area. Because the preset storage area is an area of the edge node's storage medium without a file system, it is identified and accessed only by the edge node and is not recognized by other devices, which improves the security of the stored key.
It should be noted that the central server in the embodiment of the present invention may be a server for storing keys; specifically, it may be a key server in the CDN, or a combination of a central control server and a key server.
An embodiment of the present invention further provides a key management method. As shown in fig. 4, this method is applied to a central server in a content delivery network (CDN) and may include the following steps:
S201, receiving a request message sent by an edge node in the CDN, where the request message carries identification information corresponding to the domain name of the key to be acquired.
The central server receives a request message, sent by an edge node in the CDN, that carries identification information corresponding to the domain name of the key to be acquired. The identification information is used by the central server to determine the key corresponding to it, based on the correspondence between identifiers and keys pre-stored in the central server.
The central server may pre-store the correspondence between identifiers and keys. On receiving a request message from an edge node in the CDN that carries identification information corresponding to the domain name of the key to be acquired, the central server looks the identification information up in the pre-stored correspondence and so determines the key corresponding to the identification information, that is, the key for the domain name of the key to be acquired.
S202, returning information to the edge node, where the key is stored in a preset storage area of the edge node when the information includes the key corresponding to the identification information.
After receiving the request message from the edge node in the CDN carrying identification information corresponding to the domain name of the key to be acquired, the central server responds to it by returning information to the edge node; when the returned information includes the key corresponding to the identification information, the edge node stores the key in its preset storage area. The preset storage area is an area of the edge node's storage medium without a file system.
In this embodiment of the present invention, after receiving the request message sent by the edge node in the CDN, the method may further include:
when the request message requests verification of whether the key corresponding to the identification information has been updated, verifying whether that key has been updated.
When the central server receives a request message asking it to verify whether the key corresponding to the identification information has been updated, this indicates that the edge node already stores the key, and the central server verifies whether the key corresponding to the identification information has been updated.
Illustratively, the request message is an HTTPS request carrying the header If-Modified-nonce; when the edge node sends the request, it also sends the last modification time of the key corresponding to the identification information carried in the request. The central server compares the last modification time carried in the request with the actual modification time of the key it stores. If the two are the same, the key has not been updated; if they differ, the key has been updated.
In the embodiment of the invention the correspondence between identifiers and keys is stored in the central server. If the central server is attacked and this correspondence is revealed, the domain name corresponding to each identifier is still unknown, so even if a key is lost it is not clear which domain name it belongs to, and the security of the key is preserved.
On the basis of the above embodiment, and referring to fig. 5, one implementation of returning information to the edge node may include:
S2021, returning information to the edge node if it is verified that the key corresponding to the identification information has been updated.
When it is verified that the key corresponding to the identification information carried in the request message from the edge node has been updated, the information returned to the edge node may include the updated key corresponding to the identification information. This lets the edge node update the key stored in its preset storage area, so that the key stored there matches the key stored in the central server and is the latest key.
As an optional implementation of the present invention, the request message is an HTTPS request, and when the central server verifies that the key the edge node asked about has been updated, the central server may return information including a second designated code, which notifies the CDN edge node that the key stored in its preset storage area is not the latest and needs to be updated. Illustratively, the second designated code may be the 200 status code.
S2022, returning information to the edge node if it is verified that the key corresponding to the identification information has not been updated.
When the key corresponding to the identification information carried in the request message from the edge node has not been updated, the information returned to the edge node may include a first designated code, which indicates that the key corresponding to the identification information has not been updated, so the edge node does not need to update the key stored in its preset storage area. Illustratively, the first designated code may be the 304 status code.
In the embodiment of the present invention, when the request message requests a key, the information returned to the edge node includes the key corresponding to the identification information.
When the central server receives a request message requesting a key, this indicates that the key is not stored in the preset storage area of the edge node; the central server then returns information to the edge node that may include the key corresponding to the identification information, so that the edge node's preset storage area can store the key.
On the basis of the foregoing embodiment, the request message sent by the edge node in the CDN may further carry verification identification information, and after receiving the request message sent by the edge node in the CDN, the embodiment of the present invention may further include the following steps, as shown in fig. 6:
S203, determining whether the request message is legitimate according to the verification identification information.
Whether the request message sent by the edge node is legitimate is determined from the verification identification information in the request message sent by the edge node in the CDN. Illustratively, the verification identification information may be the IP (Internet Protocol) address of the edge node that sent the request message. The central server may pre-store a set of IP addresses that are treated as legitimate; when a request message from an edge node is received, it is checked whether the IP address in the request is one of the pre-stored legitimate addresses. If it is, the request message is legitimate and the central server may return response information to the edge node that sent it; if it is not, the request message is illegitimate, and the central server may return information indicating that the request is illegitimate, or return nothing at all. Because a source IP address can be shared or forged, this check identifies the requesting node only weakly; in deployment it would be backed by stronger client authentication, for example client certificates on the HTTPS connection.
S204, returning information to the edge node when the request message is verified to be legitimate.
When the request message is verified to be legitimate, information may be returned to the edge node, and the information may include a legality verification identifier, which lets the edge node determine whether the source of the information is legitimate.
For example, the storage of the key corresponding to the identification information in the central server may be represented as:
{"code":"ksyun","key":["617dbc2b71c7c49af684158536124ee8","de9980f4bdae847eb3a80d4686bbac7c","265bc318a9eb1dd8bfd0b7303760b713"]}
Here code is followed by the legality verification identifier, which in this case is ksyun; key is followed by the key itself, and "617dbc2b71c7c49af684158536124ee8", "de9980f4bdae847eb3a80d4686bbac7c" and "265bc318a9eb1dd8bfd0b7303760b713" are its sub-keys.
For example, the request message may be represented as:
http://www.ksyun.get.key.com/1.keydomainid=1234
When the IP address in the request message is judged to be a pre-stored legitimate IP address, the request message is legitimate, and response information is returned to the edge node that sent it.
For example, the information returned to the edge node may be represented as:
{"code":"ksyun","key":["617dbc2b71c7c49af684158536124ee8","de9980f4bdae847eb3a80d4686bbac7c","265bc318a9eb1dd8bfd0b7303760b713"]}
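The exchange described in steps S101 to S103 on the edge node and S201 to S204 on the central server, with the response body in the format shown above, as an added example in Python that is not part of the patent and not Kingsoft Cloud code. Both sides are modelled as in-process functions: the HTTPS transport is replaced by plain dicts, the If-Modified-nonce header by an if_modified field carrying the last-modified time of the cached key, and the edge node's preset storage area by a dict (a bare-disk backend would replace that dict). The allowlisted address 203.0.113.10, the identifier 1234, the domain ksyun.com, the last-modified timestamps and the 1-hour validity period are constructed assumptions; the key values are the ones in the JSON above.

```python
"""Edge node <-> central server key fetch (constructed example, not the patent's code)."""
import json
from dataclasses import dataclass, field

# ---- central server side (S201-S204): identifier -> key, never domain names ----
CENTRAL_KEYS = {  # constructed table; the key values are those shown in the JSON above
    "1234": {"key": ["617dbc2b71c7c49af684158536124ee8",
                     "de9980f4bdae847eb3a80d4686bbac7c",
                     "265bc318a9eb1dd8bfd0b7303760b713"],
             "last_modified": 1_700_000_000},
}
ALLOWED_EDGE_IPS = {"203.0.113.10"}   # constructed allowlist checked in S203
VENDOR_CODE = "ksyun"                  # legality verification identifier ("code" field)


def central_update(domainid: str, new_keys: list, now: int) -> None:
    """Operation instruction on the central server: replace the key for an
    identifier and bump its last-modified time, which is what turns the next
    conditional request from an edge node from a 304 into a 200."""
    CENTRAL_KEYS[domainid] = {"key": list(new_keys), "last_modified": now}


def central_handle(request: dict) -> dict:
    """Server side. `request` stands in for the HTTPS request:
    {"src_ip": ..., "domainid": ..., "if_modified": <last-modified time the
    edge holds, or None>}; the returned dict stands in for the HTTPS response."""
    if request["src_ip"] not in ALLOWED_EDGE_IPS:      # S203: illegitimate request
        return {"status": 403}                          # no key material leaves
    entry = CENTRAL_KEYS.get(request["domainid"])
    if entry is None:
        return {"status": 404}
    if request.get("if_modified") == entry["last_modified"]:
        return {"status": 304}                          # first designated code: unchanged
    return {"status": 200,                              # second designated code: (re)send key
            "last_modified": entry["last_modified"],
            "body": json.dumps({"code": VENDOR_CODE, "key": entry["key"]})}


# ---- edge node side (S101-S103) ----
DOMAIN_TO_ID = {"ksyun.com": "1234"}   # domain name -> identifier, held only at the edge


@dataclass
class CachedKey:
    keys: list            # the sub-keys
    last_modified: int    # as reported by the central server
    expires_at: float     # end of the preset validity period at this node


@dataclass
class EdgeNode:
    ip: str
    validity_period: float = 3600.0                # preset validity period (assumed 1 hour)
    store: dict = field(default_factory=dict)      # stands in for the bare-disk area
    log: list = field(default_factory=list)        # what each lookup did (for checking)

    def get_key(self, domain: str, now: float, send=central_handle) -> list:
        domainid = DOMAIN_TO_ID[domain]                            # S101
        cached = self.store.get(domainid)
        if cached is not None and now < cached.expires_at:        # S1022: still valid
            self.log.append("cache")
            return cached.keys
        request = {"src_ip": self.ip, "domainid": domainid,       # S1022 / S1023
                   "if_modified": cached.last_modified if cached else None}
        resp = send(request)                                       # S102
        if resp["status"] == 304:                                  # S1032: not updated
            cached.expires_at = now + self.validity_period
            self.log.append(304)
            return cached.keys
        if resp["status"] != 200:
            raise PermissionError(f"central server answered {resp['status']}")
        body = json.loads(resp["body"])
        if body.get("code") != VENDOR_CODE:                        # source legality check
            raise ValueError("response failed legality verification")
        self.store[domainid] = CachedKey(body["key"], resp["last_modified"],
                                         now + self.validity_period)   # S103 / S1031 / S1033
        self.log.append(200)
        return body["key"]
```

A node serves from its store while the cached copy is inside the validity period, sends a conditional request once it is not, and only replaces the stored key on a 200 whose body carries the expected vendor code; a request from an address outside the allowlist never receives key material.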
in the embodiment of the present invention, the key may include a plurality of sub-keys, each sub-key corresponds to a validity period, and when the key needs to be updated, one sub-key in the key may be updated each time to implement smooth transition of key update, so that different sub-keys in the key correspond to different validity periods.
As an optional implementation manner of the embodiment of the present invention, after receiving an operation instruction for a key, as shown in fig. 7, the key management method according to the embodiment of the present invention may further include:
and S205, generating a new secret key.
In the embodiment of the invention, the user can interact with the central server, the user can send the operation instruction aiming at the secret key to the central server, and the central server receives the operation instruction aiming at the secret key sent by the user. The operation instructions may include: a sub-key deleting instruction, a sub-key adding instruction, or a sub-key modifying instruction.
It should be noted that the central server according to the embodiment of the present invention may be a key server in the CDN, or may be a combination of a central control server and a key server, for example, when the central server may be considered as a combination of the central control server and the key server, the user may interact with the central server to appear as: the user can interact with the central control server, and the central control server interacts with the secret key server; but is not limited thereto.
As an optional implementation manner of the embodiment of the present invention, after the central server receives the operation instruction for the key, a new key may be generated. Illustratively, if a sub-key deleting instruction for the key is received, the aimed sub-key is deleted, and a new key is generated, wherein the generated new key does not include the deleted sub-key; if a sub-key adding instruction for the key is received, adding a new sub-key in the key and generating a new key, wherein the generated new key comprises the newly added sub-key; if a sub-key modification instruction for the key is received, modifying the aimed sub-key and generating a new key, wherein the generated new key comprises the modified sub-key.
S206, updating the sub-key with the validity period closest to the preset validity period in the plurality of sets of sub-keys by using the new key.
In the embodiment of the present invention, a new key generated according to an operation instruction for the key sent by a user may be used to replace a sub-key having a validity period closest to a preset validity period in a plurality of groups of sub-keys included in the key, so as to update the key. The preset validity period may be a validity time generated when the key is generated.
Illustratively, the key includes 3 sub-keys, which are expressed as: { "key" { key1, key2, key3} }, 3 sets of sub-keys included in the key are also stored in the preset storage area of the edge node of the CDN, and when one set of the 3 sets of sub-keys in the key is updated, the updated key is represented as: { "key" { key2, key3, key4, }. Because the time for the edge node to send the request message is different, the keys stored in the preset storage area of the edge node may also be different, for example, the keys stored in the preset storage area of the edge node 1 are { "key": { key1, key2, key3}, and the keys stored in the preset storage area of the edge node 2 are { "key": { key2, key3, key4 }, but since the keys all include key2 and key3, the keys 2 and key3 may be used to encrypt or decrypt, so as to implement smooth transition of key update.
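The rotation in S205 and S206 and the two-node overlap just described, as an added example in Python that is not part of the patent and not Kingsoft Cloud code. A key ring holds sub-keys with staggered validity periods and rotation replaces the sub-key whose validity period ends soonest (this reading of "closest to the preset validity period" is an assumption). The patent does not say what the customer key is used for, so an HMAC-SHA256 tag stands in for "encrypt or decrypt"; the sub-key values are the ones from the JSON above, and the timestamps and message are constructed.

```python
"""Sub-key ring with one-at-a-time rotation (constructed example, not the patent's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class SubKey:
    value: str        # 32 hex chars (16 bytes), like the values in the JSON above
    expires_at: int   # epoch second at which this sub-key's validity period ends


class KeyRing:
    """Central-server view of one identifier's key: several sub-keys, each with
    its own validity period, so one can be replaced while the others stay valid."""

    def __init__(self, subkeys):
        self.subkeys = list(subkeys)

    def values(self) -> list:
        """What an edge node receives in the "key" field of the response."""
        return [s.value for s in self.subkeys]

    def rotate(self, now: int, period: int) -> tuple:
        """S205/S206: generate a fresh sub-key and use it to replace the sub-key
        whose validity period ends soonest. Returns (retired_value, new_value)."""
        victim = min(self.subkeys, key=lambda s: s.expires_at)
        self.subkeys.remove(victim)
        fresh = SubKey(secrets.token_hex(16), now + period)
        self.subkeys.append(fresh)
        return victim.value, fresh.value


def tag(key_hex: str, msg: bytes) -> str:
    """Stand-in for 'encrypt or decrypt' with one sub-key: an HMAC-SHA256 tag."""
    return hmac.new(bytes.fromhex(key_hex), msg, hashlib.sha256).hexdigest()


def verify(held: list, msg: bytes, t: str) -> bool:
    """An edge node accepts a tag if any sub-key it currently holds reproduces it."""
    return any(hmac.compare_digest(tag(k, msg), t) for k in held)


def shared_keys(older: list, newer: list) -> list:
    """Sub-keys present in both snapshots, in the older snapshot's order. During a
    rollout, a producer that must be understood by every node picks from this list."""
    return [k for k in older if k in newer]
```

Rotating one sub-key at a time is what keeps shared_keys non-empty between a node that fetched before the update and one that fetched after it: a tag made with key2 or key3 verifies on both, while a tag made with the freshly generated key4 fails on the node that has not refreshed yet and a tag made with the retired key1 fails on the node that has.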
The key management method provided by the embodiment of the invention receives a request message, sent by an edge node in the CDN, that carries identification information corresponding to the domain name of the key to be acquired; the central server determines the key corresponding to the identification information from the pre-stored correspondence between identifiers and keys and returns information to the edge node, and when the information includes the key corresponding to the identification information the edge node stores it in its preset storage area. Because the key is determined from the identification information carried in the request and returned to the edge node, the edge node can store it in its preset storage area; and because the preset storage area is an area of the edge node's storage medium without a file system, it is identified and accessed only by the edge node and is not recognized by other devices, which improves the security of key storage. In addition, the central server can interact with the user: the user operates on the key stored in the central server to update it, and the central server sends the updated key to the edge node, improving the timeliness of key updates.
Corresponding to the method embodiment shown in fig. 1, the embodiment of the present invention also provides a corresponding apparatus embodiment.
As shown in fig. 8, an embodiment of the present invention provides a key management apparatus, which is applied to an edge node in a content delivery network CDN, and the apparatus may include:
the determining module 301 is configured to determine identification information corresponding to a domain name of the key to be obtained.
A first sending module 302, configured to send a request message to a central server in the CDN, where the request message carries identification information; the identification information is used for the central server to determine the key corresponding to the identification information based on the corresponding relation between the identification and the key stored in the central server in advance.
The first receiving module 303 is configured to receive information returned by the central server, and store the key into a preset storage area when the information includes the key corresponding to the identification information; the preset storage area is an area without a file system in the storage medium of the edge node.
When the key management device is applied to an edge node in a CDN, the device determines identification information corresponding to a domain name of a key to be acquired, sends a request message carrying the identification information to a central server, receives information returned by the central server, and stores the key in a preset storage area when the information includes the key corresponding to the identification information.
It should be noted that the apparatus according to the embodiment of the present invention corresponds to the key management method shown in fig. 1, and all embodiments of the key management method shown in fig. 1 are applicable to the apparatus and all can achieve the same advantageous effects.
Optionally, the determining module 301 is specifically configured to:
determining the identification information according to the domain name of the key to be acquired and a correspondence between domain names and identifications stored in the edge node in advance.
Optionally, as shown in fig. 9, the first sending module 302 includes:
A first determining submodule 3021, configured to determine whether a key corresponding to the domain name of the key to be acquired is stored in the preset storage area.
The first sending submodule 3022 is configured to, when it is determined that the key exists, determine whether the validity period of the key exceeds a preset validity period, and send a request message to the central server when the validity period of the key exceeds the preset validity period, where the request message is used to request the central server to verify whether the key corresponding to the identification information is updated.
A second sending submodule 3023, configured to send a request message to the central server when it is determined that the key does not exist, where the request message is used to request the key from the central server.
Optionally, as shown in fig. 10, the first receiving module 303 includes:
A first receiving submodule 3031, configured to receive, when it is determined that the key is stored and the central server verifies that the key corresponding to the identification information is updated, information returned by the central server, where the information includes: the updated key corresponding to the identification information.
A second receiving submodule 3032, configured to receive, when it is determined that the key is stored and the central server verifies that the key corresponding to the identification information is not updated, information returned by the central server, where the information includes: a first appointed code used to indicate that the key corresponding to the identification information is not updated.
A third receiving submodule 3033, configured to receive, when it is determined that the key does not exist, information returned by the central server, where the information includes: the key corresponding to the identification information.
Optionally, the first determining submodule 3021 is specifically configured to:
detecting, at every first preset time period, whether the preset storage area stores the key corresponding to the domain name of the key to be acquired.
Optionally, the first sending submodule 3022 is specifically configured to:
judging, at every second preset time period, whether the validity period of the key exceeds the preset validity period.
Optionally, the information further includes a legality verification identifier, and the apparatus further includes:
A first verification module, configured to determine whether the source of the information is legal according to the legality verification identifier. This module is not shown in the figure.
Corresponding to the method embodiment shown in fig. 4, the embodiment of the present invention further provides a corresponding apparatus embodiment. As shown in fig. 11, an embodiment of the present invention provides a key management apparatus, which is applied to a central server in a content delivery network CDN, and the apparatus may include:
a second receiving module 401, configured to receive a request message sent by an edge node in the CDN, where the request message carries identification information corresponding to a domain name of a key to be obtained; the identification information is used for the central server to determine the key corresponding to the identification information based on the corresponding relation between the identification and the key stored in the central server in advance.
A second sending module 402, configured to return information to the edge node, so that the key is stored in a preset storage area of the edge node when the information includes a key corresponding to the identification information; the preset storage area is an area without a file system in the storage medium of the edge node.
When the key management apparatus is applied to a central server of a CDN, the central server receives a request message that is sent by an edge node in the CDN and carries identification information corresponding to a domain name of the key to be obtained, determines the key corresponding to the identification information based on a pre-stored correspondence between identifications and keys, and returns information to the edge node, and the edge node stores the key in its preset storage area when the information includes the key corresponding to the identification information. Because the key corresponding to the identification information is determined from the identification information carried in the request message and returned to the edge node, the edge node can store the key in its preset storage area; and because the preset storage area is an area of the edge node's storage medium that has no file system, it can only be recognized and accessed by the edge node and cannot be recognized by other devices, so the security of key storage is improved.
It should be noted that the apparatus according to the embodiment of the present invention corresponds to the key management method shown in fig. 4, and all embodiments of the key management method shown in fig. 4 are applicable to the apparatus and all can achieve the same advantageous effects.
Optionally, the apparatus further comprises:
A second verification module, configured to verify whether the key corresponding to the identification information is updated when the request message is used to request verification of whether the key corresponding to the identification information is updated. This module is not shown in the figure.
As shown in fig. 12, the second sending module 402 includes:
A third sending submodule 4021, configured to return information to the edge node when it is verified that the key corresponding to the identification information is updated, where the information includes: the updated key corresponding to the identification information.
A fourth sending submodule 4022, configured to return information to the edge node when it is verified that the key corresponding to the identification information is not updated, where the information includes: a first appointed code used to indicate that the key corresponding to the identification information is not updated.
Optionally, when the request message is used to request the key, the information returned to the edge node includes: the key corresponding to the identification information.
On the basis of the apparatus shown in fig. 11, as shown in fig. 13, which is a schematic structural diagram of an apparatus for implementing request verification according to an embodiment of the present invention, the apparatus may further include:
A third verification module 404, configured to determine whether the request message is legal according to verification identification information carried in the request message.
A third sending module 405, configured to return information to the edge node when the request message is verified to be legal, where the information includes a legality verification identifier, and the legality verification identifier is used to enable the edge node to determine, based on it, whether the source of the information is legal.
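The edge-node apparatus (modules 301 to 303 and their submodules) and the central-server apparatus (modules 401, 402, 404 and 405) described above are two halves of one exchange. The following is an added example, not code from the patent or its assignee, that models that exchange end to end on constructed data: the domain-to-identification lookup, the local validity check, the fetch and verify requests, the first appointed code, and the verification tags in both directions. Everything concrete here is an assumption: messages are dicts, both the request's verification identification information and the response's legality verification identifier are HMAC-SHA256 tags under a shared secret, the first appointed code is the string "NOT_UPDATED", the edge node sends the version of its stored key so the server can tell whether it was updated, and the storage area without a file system is a fixed-size bytearray of fixed-width records addressed by offset, standing in for a raw block region.

```python
"""Added example (not the patent's code): edge node / central server key exchange.
Assumed details, none taken from the patent: dict messages, HMAC-SHA256 tags as
the request's verification identification information and the response's
legality verification identifier, "NOT_UPDATED" as the first appointed code, a
key version sent by the edge, and a raw bytearray as the file-system-less area."""
import hashlib
import hmac
import json
import struct

NOT_UPDATED = "NOT_UPDATED"                          # assumed first appointed code
SHARED_SECRET = b"constructed-edge-central-secret"   # constructed sample secret
RECORD = struct.Struct(">32sI32sQ")  # raw record: identification, version, key, stored-at

def tag(msg: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of every field except the tag itself."""
    body = json.dumps({k: v for k, v in msg.items() if k != "auth"}, sort_keys=True)
    return hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()

def authentic(msg: dict) -> bool:
    return hmac.compare_digest(tag(msg), msg.get("auth", ""))

def signed(info: dict) -> dict:
    info["auth"] = tag(info)                         # legality verification identifier
    return info

class CentralServer:
    def __init__(self, id_to_key: dict):
        self.id_to_key = dict(id_to_key)             # pre-stored identification -> (key, version)

    def handle(self, request: dict) -> dict:
        if not authentic(request):                   # third verification module
            return signed({"code": "ILLEGAL_REQUEST"})
        key, version = self.id_to_key[request["id"]]  # KeyError for an unknown identification
        if request["type"] == "verify" and request["version"] == version:
            return signed({"code": NOT_UPDATED})     # fourth sending submodule
        return signed({"code": "KEY", "key": key.hex(), "version": version})

class EdgeNode:
    def __init__(self, domain_to_id: dict, server: CentralServer, validity_period: int):
        self.domain_to_id = dict(domain_to_id)       # pre-stored domain -> identification
        self.server = server
        self.validity_period = validity_period
        self.area = bytearray(RECORD.size * 8)       # preset storage area: 8 raw records

    def _slot(self, ident: bytes):
        """(offset, found) of the record holding ident, else of the first free record."""
        free = None
        for off in range(0, len(self.area), RECORD.size):
            rid = RECORD.unpack_from(self.area, off)[0].rstrip(b"\0")
            if rid == ident:
                return off, True
            if rid == b"" and free is None:
                free = off
        return free, False

    def _read(self, ident: bytes):
        off, found = self._slot(ident)
        return RECORD.unpack_from(self.area, off)[1:] if found else None

    def _write(self, ident: bytes, ver: int, key: bytes, ts: int) -> None:
        off, _ = self._slot(ident)
        if off is None:
            raise RuntimeError("preset storage area is full")
        RECORD.pack_into(self.area, off, ident, ver, key, ts)

    def get_key(self, domain: str, now: int) -> bytes:
        ident = self.domain_to_id[domain]            # determining module
        stored = self._read(ident.encode())
        if stored is None:
            req = {"type": "fetch", "id": ident}     # second sending submodule
        else:
            ver, key, ts = stored
            if now - ts <= self.validity_period:
                return key                           # still within validity, no request
            req = {"type": "verify", "id": ident, "version": ver}  # first sending submodule
        info = self.server.handle(signed(req))       # request carries its verification tag
        if not authentic(info):                      # first verification module
            raise ValueError("information source is not legal")
        if info["code"] == NOT_UPDATED:
            ver, key, _ = stored
            self._write(ident.encode(), ver, key, now)   # key unchanged, validity restarted
            return key
        if info["code"] != "KEY":
            raise KeyError(info["code"])
        key = bytes.fromhex(info["key"])
        self._write(ident.encode(), info["version"], key, now)   # first/third receiving submodule
        return key

def demo():
    """Constructed run: fetch, local hit, verify (not updated), verify (updated)."""
    key1, key2 = bytes(range(32)), bytes(range(32, 64))
    server = CentralServer({"id-001": (key1, 1)})
    edge = EdgeNode({"www.example.com": "id-001"}, server, validity_period=3600)
    first = edge.get_key("www.example.com", now=1000)    # nothing stored -> fetch
    cached = edge.get_key("www.example.com", now=2000)   # stored and still valid
    checked = edge.get_key("www.example.com", now=5000)  # expired -> verify -> NOT_UPDATED
    server.id_to_key["id-001"] = (key2, 2)               # user updates the key centrally
    rotated = edge.get_key("www.example.com", now=9000)  # expired -> verify -> new key
    return first, cached, checked, rotated
```

The raw-record layout is what gives the "no file system" property its meaning in practice: the key is reachable only by a process that knows the record format and the offset, and a tampered or forged response is rejected before anything is written because the tag is checked first.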
Optionally, on the basis of the apparatus shown in fig. 11 or 13, the key may include multiple sets of sub-keys, with different sub-keys corresponding to different validity periods; as shown in fig. 14, which is a schematic structural diagram of an apparatus for implementing key update according to an embodiment of the present invention, the apparatus may further include:
A generating module 406, configured to generate a new key after receiving an operation instruction for the key, where the operation instruction includes: a sub-key deleting instruction, a sub-key adding instruction, or a sub-key modifying instruction.
An updating module 407, configured to update, with the new key, the sub-key whose validity period is closest to the preset validity period among the plurality of sets of sub-keys.
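The generating and updating modules above (and claim 12) describe a key made of several sets of sub-keys with distinct validity periods, where any operation instruction produces a new key that replaces the sub-key nearest the preset validity period. The following is an added example, not the patent's code, of that selection rule on constructed data. It assumes validity is tracked as an absolute expiry time, that a sub-key's remaining validity at time `now` is `expires_at - now`, that "closest to the preset validity period" means the smallest absolute difference between that remaining validity and the preset value, and that a newly generated sub-key is granted a fixed lifetime; the names `MultiSubKey` and `handle_instruction` are hypothetical.

```python
"""Added example (not the patent's code): sub-key replacement rule of claim 12.
Assumed: absolute expiry times, 'closest' = smallest |remaining - preset|, and a
fixed lifetime for a newly generated sub-key."""
from dataclasses import dataclass
import secrets

@dataclass
class SubKey:
    material: bytes
    expires_at: int            # constructed absolute time, in seconds

class MultiSubKey:
    INSTRUCTIONS = ("delete", "add", "modify")   # the three sub-key operation instructions

    def __init__(self, subkeys, preset_validity: int, lifetime: int):
        self.subkeys = list(subkeys)
        self.preset_validity = preset_validity   # preset validity period from the method
        self.lifetime = lifetime                 # validity granted to a new sub-key (assumed)

    def target_index(self, now: int) -> int:
        """Index of the sub-key whose remaining validity is closest to the preset."""
        return min(range(len(self.subkeys)),
                   key=lambda i: abs((self.subkeys[i].expires_at - now) - self.preset_validity))

    def handle_instruction(self, instruction: str, now: int, new_material: bytes = None):
        """Generating module: a fresh key for every instruction; updating module: it
        replaces the selected sub-key. Returns (index replaced, the old sub-key)."""
        if instruction not in self.INSTRUCTIONS:
            raise ValueError(f"unknown operation instruction: {instruction}")
        material = new_material if new_material is not None else secrets.token_bytes(32)
        idx = self.target_index(now)
        replaced = self.subkeys[idx]
        self.subkeys[idx] = SubKey(material, now + self.lifetime)
        return idx, replaced

def demo():
    """Constructed run: three sub-keys with 600 s, 1 day and 3000 s remaining."""
    now = 10_000
    ring = MultiSubKey([SubKey(b"A" * 32, now + 600),
                        SubKey(b"B" * 32, now + 86_400),
                        SubKey(b"C" * 32, now + 3_000)],
                       preset_validity=300, lifetime=86_400)
    idx, replaced = ring.handle_instruction("modify", now, new_material=b"N" * 32)
    return idx, replaced.material, [s.material[:1] for s in ring.subkeys]
```

With a preset of 300 s the sub-key holding 600 s of remaining validity is the one nearest the threshold, so it is the one rotated out; the freshly issued sub-key then has the longest remaining validity of the set, which is what makes staggered sub-key lifetimes useful for rolling updates.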
An embodiment of the present invention further provides an edge node server apparatus, as shown in fig. 15, the apparatus 500 includes a processor 501 and a machine-readable storage medium 502, where the machine-readable storage medium stores machine-executable instructions capable of being executed by the processor, and the processor executes the machine-executable instructions to implement the key management method applied to an edge node in a content delivery network CDN, which is provided in an embodiment of the present invention.
When the edge node server device provided in the embodiment of the present invention is applied to an edge node in a CDN, the device determines identification information corresponding to a domain name of a key to be obtained, sends a request message carrying the identification information to a central server, receives information returned by the central server, and stores the key in a preset storage area when the information includes the key corresponding to the identification information.
An embodiment of the present invention further provides a central server apparatus, as shown in fig. 16, the apparatus 600 includes a processor 601 and a machine-readable storage medium 602, where the machine-readable storage medium stores machine-executable instructions capable of being executed by the processor, and the processor executes the machine-executable instructions to implement the key management method applied to the central server in the content delivery network CDN provided in the embodiment of the present invention.
When the central server device provided by the embodiment of the present invention is applied to a central server of a CDN, the central server receives a request message that is sent by an edge node in the CDN and carries identification information corresponding to a domain name of a key to be obtained, determines the key corresponding to the identification information based on a pre-stored correspondence between identifications and keys, and returns information to the edge node, and the edge node stores the key in its preset storage area when the information includes the key corresponding to the identification information. Because the key corresponding to the identification information is determined from the identification information carried in the request message and returned to the edge node, the edge node can store the key in its preset storage area; and because the preset storage area is an area of the edge node's storage medium that has no file system, it can only be recognized and accessed by the edge node and cannot be recognized by other devices, so the security of key storage is improved.
The machine-readable storage medium may include a random access memory (RAM) or a non-volatile memory, such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the computer program is used to execute the steps of the key management method applied to the edge node in the content delivery network CDN provided in the embodiment of the present invention.
When the computer-readable storage medium provided in the embodiment of the present invention is applied to an edge node in a CDN, identification information corresponding to a domain name of a key to be obtained is determined, a request message carrying the identification information is sent to a central server, information returned by the central server is received, and the key is stored in a preset storage area when the information includes the key corresponding to the identification information.
The embodiment of the present invention further provides another computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the computer program is used to execute the steps of the key management method applied to the central server in the content delivery network CDN provided in the embodiment of the present invention.
When the computer-readable storage medium provided in the embodiment of the present invention is applied to a central server of a CDN, the central server receives a request message that is sent by an edge node in the CDN and carries identification information corresponding to a domain name of a key to be obtained, determines the key corresponding to the identification information based on a pre-stored correspondence between identifications and keys, and returns information to the edge node, and the edge node stores the key in its preset storage area when the information includes the key corresponding to the identification information. Because the key corresponding to the identification information is determined from the identification information carried in the request message and returned to the edge node, the edge node can store the key in its preset storage area; and because the preset storage area is an area of the edge node's storage medium that has no file system, it can only be recognized and accessed by the edge node and cannot be recognized by other devices, so the security of key storage is improved.
Embodiments of the present invention further provide a computer program product containing instructions, which when run on a computer, cause the computer to perform the steps of the key management method applied to an edge node in a content delivery network CDN provided in an embodiment of the present invention.
When the computer program product containing the instructions provided in the embodiment of the present invention is applied to an edge node in a CDN, it determines identification information corresponding to a domain name of a key to be obtained, sends a request message carrying the identification information to a central server, receives information returned by the central server, and stores the key in a preset storage area when the information includes the key corresponding to the identification information.
Embodiments of the present invention further provide a computer program product containing instructions, which when run on a computer, cause the computer to perform the steps of the key management method applied to the central server in the content delivery network CDN provided in the embodiments of the present invention.
When the computer program product containing the instructions provided by the embodiment of the present invention is applied to a central server of a CDN, the central server receives a request message that is sent by an edge node in the CDN and carries identification information corresponding to a domain name of a key to be obtained, determines the key corresponding to the identification information based on a pre-stored correspondence between identifications and keys, and returns information to the edge node, and the edge node stores the key in its preset storage area when the information includes the key corresponding to the identification information. Because the key corresponding to the identification information is determined from the identification information carried in the request message and returned to the edge node, the edge node can store the key in its preset storage area; and because the preset storage area is an area of the edge node's storage medium that has no file system, it can only be recognized and accessed by the edge node and cannot be recognized by other devices, so the security of key storage is improved.
The embodiment of the present invention further provides a computer program, which when running on a computer, causes the computer to execute the steps of the key management method applied to the edge node in the content delivery network CDN provided in the embodiment of the present invention.
When the computer program provided in the embodiment of the present invention is applied to an edge node in a CDN, the computer program determines identification information corresponding to a domain name of a key to be obtained, sends a request message carrying the identification information to a central server, receives information returned by the central server, and stores the key in a preset storage area when the information includes the key corresponding to the identification information.
The embodiment of the present invention further provides a computer program, which when running on a computer, causes the computer to execute the steps of the key management method applied to the central server in the content delivery network CDN provided in the embodiment of the present invention.
When the computer program provided in the embodiment of the present invention is applied to a central server of a CDN, the central server receives a request message that is sent by an edge node in the CDN and carries identification information corresponding to a domain name of a key to be obtained, determines the key corresponding to the identification information based on a pre-stored correspondence between identifications and keys, and returns information to the edge node, and the edge node stores the key in its preset storage area when the information includes the key corresponding to the identification information. Because the key corresponding to the identification information is determined from the identification information carried in the request message and returned to the edge node, the edge node can store the key in its preset storage area; and because the preset storage area is an area of the edge node's storage medium that has no file system, it can only be recognized and accessed by the edge node and cannot be recognized by other devices, so the security of key storage is improved.
For the apparatus/device/storage medium embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and for the relevant points, reference may be made to some descriptions of the method embodiments.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus/device/storage medium/system embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and in relation to the description, reference may be made to part of the description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (18)

1. A key management method is applied to an edge node in a Content Delivery Network (CDN), and comprises the following steps:
determining identification information corresponding to a domain name of a key to be acquired;
sending a request message to a central server in the CDN, wherein the request message carries the identification information; the identification information is used for the central server to determine a secret key corresponding to the identification information based on a corresponding relation between an identification and a secret key stored in advance by the central server;
receiving information returned by the central server, and storing the secret key into a preset storage area under the condition that the information comprises the secret key corresponding to the identification information; the preset storage area is an area without a file system in the storage medium of the edge node.
2. The method according to claim 1, wherein the step of determining the identification information corresponding to the domain name of the key to be obtained includes:
determining the identification information according to the domain name of the key to be acquired and a correspondence between domain names and identifications stored in the edge node in advance.
3. The method of claim 1, wherein the step of sending the request message to a central server in the CDN comprises:
determining whether a key corresponding to the domain name of the key to be acquired is stored in the preset storage area;
under the condition that the secret key exists, judging whether the valid period of the secret key exceeds a preset valid period or not, and under the condition that the valid period exceeds the preset valid period, sending the request message to the central server, wherein the request message is used for requesting the central server to verify whether the secret key corresponding to the identification information is updated or not;
sending the request message to the central server under the condition that the secret key does not exist, wherein the request message is used for requesting the secret key from the central server.
4. The method of claim 3, wherein the step of receiving the information returned by the central server comprises:
receiving information returned by the central server under the condition that the key is determined to be stored and the central server verifies that the key corresponding to the identification information is updated, wherein the information comprises: the updated secret key corresponding to the identification information;
receiving information returned by the central server under the condition that the key is determined to be stored and the central server verifies that the key corresponding to the identification information is not updated, wherein the information comprises: the first appointed code is used for indicating that the secret key corresponding to the identification information is not updated;
receiving information returned by the central server under the condition that the secret key does not exist, wherein the information comprises: the key corresponding to the identification information.
5. The method according to claim 3, wherein the step of determining whether the key corresponding to the domain name from which the key is to be obtained is stored in the preset storage area comprises:
detecting, at every first preset time period, whether the preset storage area stores the key corresponding to the domain name of the key to be acquired.
6. The method of claim 3, wherein the step of determining whether the validity period of the key exceeds a preset validity period comprises:
judging, at every second preset time period, whether the validity period of the secret key exceeds the preset validity period.
7. The method of claim 1, wherein the information further comprises: a legality verification identifier, and after receiving the information returned by the central server, the method further comprises:
determining whether the source of the information is legal or not according to the legality verification identifier.
8. A key management method is applied to a central server in a Content Delivery Network (CDN), and comprises the following steps:
receiving a request message sent by an edge node in the CDN, wherein the request message carries identification information corresponding to a domain name of a key to be acquired; the identification information is used for the central server to determine a secret key corresponding to the identification information based on a corresponding relation between an identification and a secret key stored in advance by the central server;
returning information to the edge node, and storing the secret key into a preset storage area of the edge node under the condition that the information comprises the secret key corresponding to the identification information; the preset storage area is an area without a file system in the storage medium of the edge node.
9. The method of claim 8, wherein after receiving the request message sent by the edge node in the CDN, the method further comprises: under the condition that the request message is used for requesting to verify whether the secret key corresponding to the identification information is updated or not, verifying whether the secret key corresponding to the identification information is updated or not;
the step of returning information to the edge node includes:
returning information to the edge node under the condition that the key corresponding to the identification information is verified to be updated, wherein the information comprises: the updated secret key corresponding to the identification information;
returning information to the edge node under the condition that the key corresponding to the identification information is verified not to be updated, wherein the information comprises: the first appointed code, which is used for indicating that the key corresponding to the identification information is not updated.
10. The method according to claim 8, wherein in a case where the request message is used to request the key, the information returned to the edge node comprises: the key corresponding to the identification information.
11. The method of claim 8, wherein the request message further comprises: verification identification information, and after receiving the request message sent by the edge node in the CDN, the method further comprises:
determining whether the request message is legal or not according to the verification identification information;
when the request message is verified to be legal, returning information to the edge node, wherein the information comprises a legality verification identifier, which is used for enabling the edge node to determine whether the source of the information is legal or not based on the legality verification identifier.
12. The method of claim 10, wherein the key comprises a plurality of sub-keys, and different sub-keys correspond to different validity periods, and the method further comprises:
generating a new key after receiving an operation instruction for the key, the operation instruction including: a sub-key deleting instruction, a sub-key adding instruction or a sub-key modifying instruction;
updating, with the new key, the sub-key whose validity period is closest to the preset validity period among the plurality of sets of sub-keys;
wherein updating, with the new key, the sub-key whose validity period is closest to the preset validity period among the plurality of sets of sub-keys comprises:
replacing, with the new key, the sub-key whose validity period is closest to the preset validity period among the plurality of sets of sub-keys contained in the key, so as to update the key.
13. A key management apparatus, applied to an edge node in a content delivery network CDN, the apparatus comprising:
the determining module is used for determining the identification information corresponding to the domain name of the key to be acquired;
the first sending module is used for sending a request message to a central server in the CDN, wherein the request message carries the identification information; the identification information is used for the central server to determine a secret key corresponding to the identification information based on a corresponding relation between an identification and a secret key stored in advance by the central server;
the first receiving module is used for receiving information returned by the central server, and storing the secret key into a preset storage area under the condition that the information comprises the secret key corresponding to the identification information; the preset storage area is an area without a file system in the storage medium of the edge node.
14. A key management apparatus, applied to a central server in a content delivery network CDN, the apparatus comprising:
the second receiving module is used for receiving a request message sent by an edge node in the CDN, where the request message carries identification information corresponding to a domain name of a key to be obtained; the identification information is used for the central server to determine a secret key corresponding to the identification information based on a corresponding relation between an identification and a secret key stored in advance by the central server;
a second sending module, configured to return information to the edge node, where the information includes a key corresponding to the identification information, so that the key is stored in a preset storage area of the edge node; the preset storage area is an area without a file system in the storage medium of the edge node.
15. An edge node server device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor to perform method steps of a key management method according to any one of claims 1 to 7.
16. A central server apparatus comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor to perform method steps of a key management method according to any one of claims 8 to 12.
17. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method steps of the key management method according to any one of claims 1 to 7.
18. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method steps of the key management method according to any one of claims 8 to 12.
CN201910576599.6A 2019-06-28 2019-06-28 Key management method, device, equipment and storage medium Active CN112152978B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910576599.6A CN112152978B (en) 2019-06-28 2019-06-28 Key management method, device, equipment and storage medium
PCT/CN2020/098174 WO2020259606A1 (en) 2019-06-28 2020-06-24 Key management method and apparatus, device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910576599.6A CN112152978B (en) 2019-06-28 2019-06-28 Key management method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112152978A CN112152978A (en) 2020-12-29
CN112152978B true CN112152978B (en) 2021-07-20

Family

ID=73869432

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910576599.6A Active CN112152978B (en) 2019-06-28 2019-06-28 Key management method, device, equipment and storage medium

Country Status (2)

Country Link
CN (1) CN112152978B (en)
WO (1) WO2020259606A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114257503A (en) * 2021-11-19 2022-03-29 网宿科技股份有限公司 Method, server, system and storage medium for accelerating domain name deployment
CN114268467B (en) * 2021-12-03 2023-09-05 中国联合网络通信集团有限公司 Key updating processing method, device, system, equipment and storage medium
CN115987691B (en) * 2023-03-20 2023-06-16 成都蓝瑟回音文化传媒有限公司 Mobile application management system and method based on cloud computing and pervasive computing

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1499396A (en) * 2002-10-24 2004-05-26 �Ҵ���˾ Method and device for maintaining internet field names data
CN101193024A (en) * 2006-11-24 2008-06-04 鸿富锦精密工业(深圳)有限公司 Network access device, mobile communication device, secret key setting method and mobile communication system
CN101567784A (en) * 2008-04-21 2009-10-28 成都市华为赛门铁克科技有限公司 Method, system and equipment for acquiring key
CN101877693A (en) * 2009-04-29 2010-11-03 华为技术有限公司 Method, device and system for obtaining public key
CN103036684A (en) * 2012-12-28 2013-04-10 武汉理工大学 Identity-based encryption (IBE) data encryption system and method capable of lowering damages of master key crack and disclosure
US9202215B2 (en) * 2009-12-04 2015-12-01 Akamai Technologies, Inc. Method and system for handling sensitive data in a content delivery network
CN107666383A (en) * 2016-07-29 2018-02-06 阿里巴巴集团控股有限公司 Message processing method and device based on HTTPS agreements

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103107995B (en) * 2013-02-06 2015-11-25 中电长城网际系统应用有限公司 A kind of cloud computing environment date safety storing system and method
US10225238B2 (en) * 2016-04-11 2019-03-05 Facebook, Inc. Data security for content delivery networks
CN108418678B (en) * 2017-02-10 2019-05-07 贵州白山云科技股份有限公司 A kind of method and device of private key secure storage and distribution
CN109842664A (en) * 2017-11-29 2019-06-04 苏宁云商集团股份有限公司 A kind of CDN of the safety without private key of High Availabitity supports the system and method for HTTPS
CN109040318B (en) * 2018-09-25 2021-05-04 网宿科技股份有限公司 HTTPS connection method of CDN (content delivery network) and CDN node server

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1499396A (en) * 2002-10-24 2004-05-26 �Ҵ���˾ Method and device for maintaining internet field names data
CN101193024A (en) * 2006-11-24 2008-06-04 鸿富锦精密工业(深圳)有限公司 Network access device, mobile communication device, secret key setting method and mobile communication system
CN101567784A (en) * 2008-04-21 2009-10-28 成都市华为赛门铁克科技有限公司 Method, system and equipment for acquiring key
CN101877693A (en) * 2009-04-29 2010-11-03 华为技术有限公司 Method, device and system for obtaining public key
US9202215B2 (en) * 2009-12-04 2015-12-01 Akamai Technologies, Inc. Method and system for handling sensitive data in a content delivery network
CN103036684A (en) * 2012-12-28 2013-04-10 武汉理工大学 Identity-based encryption (IBE) data encryption system and method capable of lowering damages of master key crack and disclosure
CN107666383A (en) * 2016-07-29 2018-02-06 阿里巴巴集团控股有限公司 Message processing method and device based on HTTPS agreements

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Design and research of a DNS security extension based on a multi-trust mechanism; Yin Weixing; Journal of Soochow University (Engineering Science Edition); 20071231; full text *

Also Published As

Publication number Publication date
CN112152978A (en) 2020-12-29
WO2020259606A1 (en) 2020-12-30

Similar Documents

Publication Publication Date Title
US10642969B2 (en) Automating internet of things security provisioning
EP3257192B1 (en) Secure and delegated distribution of private keys via domain name service
CN112152978B (en) Key management method, device, equipment and storage medium
US8681995B2 (en) Supporting DNS security in a multi-master environment
US10554417B2 (en) Script verification using a hash
KR102219277B1 (en) System and method for controlling the delivery of authenticated content
US10333716B2 (en) Script verification using a digital signature
US20150271679A1 (en) System and method of verifying integrity of software
Kuppusamy et al. Diplomat: Using delegations to protect community repositories
US20180020008A1 (en) Secure asynchronous communications
CN111064569B (en) Cluster key obtaining method and device of trusted computing cluster
KR20150141362A (en) Network node and method for operating the network node
US9942050B2 (en) Method and apparatus for bulk authentication and load balancing of networked devices
CN106790296B (en) Domain name record verification method and device
US11463431B2 (en) System and method for public API authentication
US11917081B2 (en) Issuing device and method for issuing and requesting device and method for requesting a digital certificate
CN109819068A (en) User terminal and its block chain domain name analytic method
CN112311769B (en) Method, system, electronic device and medium for security authentication
CN105243074A (en) System and method for parallel secure content bootstrapping in content-centric networks
CN109951481B (en) Information processing method and system based on block chain network adjacent nodes
CN110188545B (en) Data encryption method and device based on chained database
CN111431957B (en) File processing method, device, equipment and system
CN110771087B (en) Private key update
CN112306970B (en) Processing method, device, equipment and storage medium of container mirror warehouse
Kang Efficient botnet herding within the Tor network

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant