CN112350822A - Key distribution method, device and equipment - Google Patents

Key distribution method, device and equipment Download PDF

Info

Publication number
CN112350822A
CN112350822A CN201910726913.4A CN201910726913A CN112350822A CN 112350822 A CN112350822 A CN 112350822A CN 201910726913 A CN201910726913 A CN 201910726913A CN 112350822 A CN112350822 A CN 112350822A
Authority
CN
China
Prior art keywords
key
final
information
seed
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910726913.4A
Other languages
Chinese (zh)
Inventor
李飒祎
杨灿美
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Quantumctek Co Ltd
Original Assignee
Quantumctek Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Quantumctek Co Ltd filed Critical Quantumctek Co Ltd
Priority to CN201910726913.4A priority Critical patent/CN112350822A/en
Priority to CN202311757115.0A priority patent/CN117527232A/en
Publication of CN112350822A publication Critical patent/CN112350822A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

Abstract

The invention discloses a method, a device and a device for distributing a secret key, wherein the method comprises the following steps: acquiring a final secret key to be transmitted; encrypting the final key by using a key seed; the final key after encryption processing is transmitted to a key management system, so that the final key transmitted in the system through an intranet is not easily stolen by third-party equipment, the security of the transmission of the final key in the intranet environment and the security and confidentiality of the whole information transmission are ensured, and the method can be applied to a quantum key distribution system.

Description

Key distribution method, device and equipment
Technical Field
The present application relates to the field of quantum key distribution technologies, and in particular, to a method, an apparatus, and a device for key distribution.
Background
With the rapid development of Quantum communication technology, Quantum Key Distribution (QKD) gradually becomes a mature application technology. The technology is based on the quantum unclonable principle and the uncertainty principle, and the generated secret key has theoretical unconditional security and is mainly applied to places with higher requirements on confidentiality grade.
The quantum key distribution system comprises a first quantum key distribution terminal (Alice), a second quantum key distribution terminal (Bob) and a key management system, and the working principle of the quantum key distribution system is mainly to realize the secure key distribution of two communication parties by utilizing the principle characteristics that a single photon is not separable and a quantum state is not reproducible. At present, when a Final Key (Final Key) is transmitted by a system, the Final Key is generally transmitted through an intranet in a special connection, and the Final Key is simply processed to form an internal protocol frame and then transmitted to a Key management system. The transmission process of the Final Key is restrained by the safety of an intranet environment, namely the safety of the Final Key is based on the safety that data or information of the intranet is not easy to intercept, and the safety dependence is strong.
Disclosure of Invention
In view of this, the present application provides a key distribution method, device and apparatus, which can solve the problem of potential safety hazard existing in the prior art on the basis that the secure transmission of the final key is only based on the intranet security.
A first aspect of an embodiment of the present application provides a key distribution method, which is applied to a first terminal, and the method includes:
acquiring a final secret key to be transmitted;
encrypting the final key by using a key seed;
and transmitting the final key after the encryption processing to a key management system.
Optionally, the encrypting the final key by using the key seed further includes:
acquiring initial key information, wherein the initial key information comprises hardware curing information and dynamic information issued by the key management system;
encrypting the initial key information by using a first preset algorithm to obtain a first key sequence;
and generating the key seed according to the first key sequence.
Optionally, the first preset algorithm is an SM3 cryptographic hash algorithm.
Optionally, the encrypting the final key by using the key seed specifically includes:
and encrypting the final key by using the key seed by using a second preset algorithm.
Optionally, the second preset algorithm is an SM4 block cipher algorithm.
A second aspect of the embodiments of the present application provides a key distribution method, which is applied to a key management system, and the method includes:
receiving a final key after encryption processing; the final key after the encryption processing is obtained by using any one of the key distribution methods provided in the first aspect of the embodiments of the present application;
and decrypting the encrypted final key by using the key seed to obtain the final key.
Optionally, the decrypting the final key after the encryption processing by using the key seed further includes:
acquiring initial key information, wherein the initial key information comprises the dynamic information and hardware curing information;
encrypting the initial key information by using a first preset algorithm to obtain a second key sequence;
and generating the key seed according to the second key sequence.
Optionally, the first preset algorithm is an SM3 cryptographic hash algorithm.
Optionally, the decrypting the final key after the encryption by using the key seed specifically includes:
and decrypting the encrypted final key by using the key seed by using a second preset algorithm.
Optionally, the second preset algorithm is an SM4 block cipher algorithm.
A third aspect of the embodiments of the present application provides a key distribution apparatus, which is applied to a first terminal, and the apparatus includes: the device comprises a key acquisition module, a first encryption module and a transmission module;
the key acquisition module is used for acquiring a final key to be transmitted;
the first encryption module is used for encrypting the final key by using a key seed;
and the transmission module is used for transmitting the final key after encryption processing to the key management system.
Optionally, the apparatus further includes: the device comprises an information acquisition module, a second encryption module and a seed generation module;
the information acquisition module is further configured to acquire initial key information, where the initial key information includes hardware curing information and dynamic information issued by the key management system;
the second encryption module is used for encrypting the initial key information by using a first preset algorithm to obtain a first key sequence;
the seed generation module is configured to generate the key seed according to the first key sequence.
Optionally, the first encryption module is specifically configured to:
and encrypting the final key by using the key seed by using a second preset algorithm.
A fourth aspect of the embodiments of the present application provides a key distribution apparatus, which is applied to a key management system, and the apparatus includes: a key receiving module and a decryption module;
the key receiving module is used for receiving the final key after encryption processing; the final key after the encryption processing is obtained by using any one of the key distribution methods provided in the first aspect of the embodiments of the present application;
and the decryption module is used for decrypting the encrypted final key by using the key seed to obtain the final key.
Optionally, the apparatus further includes: the device comprises an acquisition module, an encryption module and a generation module;
the acquiring module is used for acquiring initial key information, wherein the initial key information comprises the dynamic information and hardware curing information;
the encryption module is used for encrypting the initial key information by using a first preset algorithm to obtain a second key sequence;
and the generating module is used for generating the key seed according to the second key sequence.
Optionally, the decryption module is specifically configured to:
and decrypting the encrypted final key by using the key seed by using a second preset algorithm.
A fifth aspect of embodiments of the present application provides an apparatus, including: a memory and a processor;
the memory for storing program code;
the processor is configured to acquire the program code stored in the memory, and execute any one of the key distribution methods provided in the first aspect and the second aspect of the embodiments of the present application according to an instruction of the program code.
Optionally, the memory and the processor are both disposed on the FPGA board.
Compared with the prior art, the method has the advantages that:
in the embodiment of the application, before the final key is sent to the key management system, the key seed is used for encrypting the final key to be transmitted, and the encrypted final key is transmitted to the key management system, so that the final key transmitted by an intranet is not easily stolen by third-party equipment, and the security of the transmission of the final key in the intranet environment and the security and confidentiality of the whole information transmission are ensured.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic flowchart of a key distribution method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a key distribution method according to an embodiment of the present application;
fig. 3 is a schematic flowchart of another key distribution method provided in an embodiment of the present application;
fig. 4 is a schematic flowchart of another key distribution method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a key distribution apparatus according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of another key distribution apparatus provided in an embodiment of the present application;
fig. 7 is a schematic structural diagram of an apparatus according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Because Alice or Bob in the current system only simply processes the Final secret Key to form an internal protocol frame and then transmits the internal protocol frame to the secret Key management system, the transmission process of the Final secret Key (Final Key) is only restricted by the security of an intranet, the security of the Final secret Key (Final Key) is only established on the basis of the security of the intranet, and once the intranet is invaded by a third party terminal (EVE), the EVE can easily capture and steal the Final Key. The method has the advantages that the Final Key is completely exposed to the EVE in the process of internal network transmission, the EVE can decrypt encrypted information of the whole communication system according to the stolen Final Key, the safety and confidentiality of information transmission are harmed, and all early-stage confidentiality measures are invalid.
Therefore, in the embodiment of the application, the Final Key is encrypted again and then transmitted to the Key management system through the intranet, so that the security of Final Key transmission and the security and confidentiality of whole information transmission in the intranet environment are ensured.
Based on the above-mentioned ideas, in order to make the above-mentioned objects, features and advantages of the present application more comprehensible, specific embodiments of the present application are described in detail below with reference to the accompanying drawings.
It should be noted that, the key distribution method provided in the embodiment of the present application is not only applicable to the quantum key distribution process, but also applicable to any other form of key distribution process in the data transmission process, and is not listed here. The following description takes quantum key distribution as an example, and other forms of key distribution are similar to the quantum key distribution, which may be specifically referred to in the related description, and are not described again.
Referring to fig. 1, the figure is a schematic flowchart of a key distribution method provided in an embodiment of the present application.
The key distribution method provided in the embodiment of the present application is applied to a first terminal (e.g., Alice), and may specifically include the following steps S101 to S103.
S101: and acquiring a final secret key to be transmitted.
In the embodiment of the present application, a final key to be transmitted, that is, a final key to be transmitted to a key management system generated by a quantum key distribution terminal (e.g., Alice), is transmitted through a system intranet.
S102: and encrypting the final key by using the key seed.
The applicant of the application finds that although the intranet of the quantum Key distribution system can be provided with multiple encryption protection and the security performance of the intranet is high, the risk that transmitted data is stolen still exists, and finally the Key is transmitted in the intranet in a plaintext form and still can be stolen by the EVE, so that the Final Key is known by a third party, and the security of the transmitted data cannot be guaranteed.
Therefore, in the embodiment of the application, after the Final Key transmitted by the intranet is encrypted by using the Key seed, the Final Key is transmitted in the intranet in a ciphertext form, so that the transmission safety and confidentiality of the Final Key can be ensured, even if the EVE steals data from the intranet, the Final Key of the quantum Key distribution system cannot be easily obtained, and the EVE cannot decrypt the transmitted ciphertext easily, thereby reducing the possibility of stealing the Key information by the EVE, and ensuring the safety of data transmission. The following will explain in detail how to encrypt the Final Key, which is not described herein.
S103: and transmitting the final key after the encryption processing to a key management system.
After the Final Key to be transmitted is encrypted, the Final Key can be transmitted to a Key management system through an intranet, so that the secure encryption transmission of the Final Key is realized, and the security of Key information in the system is ensured.
In practical application, the final key after the encryption processing may be transmitted in a form of a key transmission protocol frame, and details of a specific implementation manner are not described herein.
In the embodiment of the application, before the final key to be transmitted is sent to the key management system, the key seed is utilized to encrypt the final key to be transmitted, and the encrypted final key is transmitted to the key management system, so that the final key transmitted in the system through the intranet is not easily stolen by third-party equipment, and the security of the transmission of the final key in the intranet environment and the security and confidentiality of the whole information transmission are ensured.
Referring to fig. 2, which is a schematic flow chart of another key distribution method provided in the embodiment of the present application, compared with fig. 1, a more specific key distribution method is provided.
In some possible implementation manners of the embodiment of the present application, before the step S102, the following steps S201 to S203 may be specifically included.
S201: initial key information is obtained.
In this embodiment, the initial key information may include: dynamic information and hardware solidification information (e.g., inherent ciphertext information burned in the hardware device when the device leaves the factory), and the like. The dynamic information is issued by the key management system, and includes but is not limited to one or more of the following information: the device ID of the first terminal (e.g., Alice terminal), the device ID of the second terminal (e.g., Bob terminal), the random number, the key ID, the key usage (e.g., encryption or decryption), etc. The hardware solidification information is ciphertext information only stored in the first terminal and the Key management system, the hardware solidification information is not transmitted in an intranet and cannot be acquired by the EVE, the Key seed obtained based on the initial Key information cannot be acquired by the EVE, and the security of the Final Key is ensured.
S202: and encrypting the initial key information by using a first preset algorithm to obtain a first key sequence.
As an example, the first preset algorithm may be specifically an SM3 cryptographic hash algorithm. It can be understood that the initial key information is encrypted by adopting a standard encryption mode of the national password administration, which is beneficial to the standardized layout of the peripheral system.
The SM3 cryptographic Hash algorithm is a commercial algorithm compiled by the national crypto authority, and is generally used for digital signature and verification, generation and verification of message authentication codes, and generation of random numbers in cryptographic applications, which is also called Hash (Hash) function or Hash function, and can map input information of any finite length into an output value of a fixed length. SM3 cryptographic hash algorithm can be used for length less than 264The information of the bytes is padded and iteratively compressed to generate a hash value, and the final hash value (i.e. the first key sequence in this embodiment) is 256 bytes. The specific implementation of the SM3 cryptographic hash algorithm is not described in detail herein. The SM3 cryptographic hash algorithm performs 0 and 1 equalization processing on data, and small changes of data bit level can also enable the encrypted data to change in a large range, so that the encryption requirement on the initial key information in the embodiment of the application can be met, and the security of the first key sequence is ensured.
S203: a key seed is generated based on the first key sequence.
In the embodiment of the present application, the key seed corresponds to the encryption algorithm used in the encryption process in step S102, that is, the generated key seed may be used to implement the encryption algorithm. Taking the SM3 cryptographic hash algorithm as an example, 128 bytes may be intercepted from the first key sequence of 256 bytes as the key seed.
In specific implementation, a person skilled in the art may specifically set a generation manner of the key seed according to actual situations, and this embodiment is not specifically limited and is not listed any more.
In some possible implementation manners, in order to ensure the confidentiality of the key seed and further improve the security of data transmission, the key seed may be updated according to a certain period, and a specific updating manner is to update the obtained initial key information. In practical applications, for example, the SM3 cryptographic hash algorithm, when the sequence number of the Key transmission protocol frame of the Final Key is 0, the initial Key information may be updated to update the Key seed.
It is understood that steps S201 to S203 may be executed after step S101, or before step S101, or any one of steps S201 to S203 is executed in parallel with step S101, which is not limited in this embodiment of the application.
Then, in some possible implementation manners of the embodiment of the present application, the step S102 may specifically include:
and encrypting the final key by using the key seed by using a second preset algorithm.
In the embodiment of the present application, the second preset algorithm may be the same as or different from the first preset algorithm. As an example, the second preset algorithm may be specifically an SM4 block cipher algorithm. It can be understood that the adoption of the standard encryption mode of the national password administration to encrypt the Final Key is beneficial to the standardized layout of the peripheral system.
The SM4 block cipher algorithm is a block symmetric key algorithm, the key length and the block length are both 128 bits, and both the encryption algorithm and the key expansion algorithm adopt 32-round nonlinear iterative structures. The conventional encryption mode of the SM4 Block Cipher algorithm includes an Electronic Codebook (ECB) mode and a Cipher Block Chaining (CBC) mode, and in practical application, may be determined according to actual needs, which is not specifically limited in this embodiment of the present application.
In the embodiment of the application, the Final Key to be transmitted is transmitted after being encrypted, and the Key seed used in the encryption is generated after being encrypted, so that the Final Key is doubly encrypted, and the safety and the confidentiality of data transmission are further improved.
Based on the key distribution method applied to the first terminal provided by the above embodiment, the embodiment of the present application further provides a key distribution method applied to a key management system.
Referring to fig. 3, this figure is a schematic flowchart of another key distribution method provided in the embodiment of the present application.
The key distribution method applied to the key management system provided by the embodiment of the application comprises the following steps:
s301: and receiving the final key after the encryption processing.
In this embodiment of the present application, the final key after the encryption processing is obtained by using any one of the key distribution methods applied to the first terminal provided in the foregoing embodiments, and the specific method is not described in detail again.
S302: and decrypting the final key after the encryption by using the key seed to obtain the final key.
It can be understood that the final key after the encryption process can be decrypted by using the same key seed as that used in the encryption process to obtain the final key, and the detailed decryption process is not described herein again.
Then, in some possible implementations of the embodiment of the present application, as shown in fig. 4, step S302 may further include the following steps S401 to S403.
S401: initial key information is obtained.
In this embodiment, the initial key information may include: dynamic information and hardware solidification information (e.g., inherent ciphertext information burned in the hardware device when the device leaves the factory), and the like. Wherein the dynamic information includes, but is not limited to, one or more of the following: the device ID of the first terminal (e.g., Alice terminal), the device ID of the second terminal (e.g., Bob terminal), the random number, the key ID, the key usage (e.g., encryption or decryption), etc. The hardware solidification information is ciphertext information only stored in the first terminal and the Key management system, the hardware solidification information is not transmitted in an intranet and cannot be acquired by the EVE, the Key seed obtained based on the initial Key information cannot be acquired by the EVE, and the security of the Final Key is ensured.
S402: and encrypting the initial key information by using a first preset algorithm to obtain a second key sequence.
As an example, the first preset algorithm may be specifically an SM3 cryptographic hash algorithm. It can be understood that the initial key information is encrypted by adopting a standard encryption mode of the national password administration, which is beneficial to the standardized layout of the peripheral system.
S403: and generating a key seed according to the second key sequence.
It should be noted here that, in order to realize decryption, the method for generating the key seed in step S403 needs to correspond to the method for generating the key seed in step S203, that is, the encryptor (i.e., the first terminal) and the decryptor (i.e., the key management system) generate the same key seed for encryption and decryption, respectively. Since the initial Key information is known information to both the first terminal and the Key management system, the first terminal and the Key management system only need to adopt an agreed algorithm and rule to generate corresponding Key seeds, and hardware solidified information is not transmitted in an intranet, so that the information security and the Final Key security are ensured.
In some possible implementation manners, in order to ensure the confidentiality of the key seed and further improve the security of data transmission, the key seed may be updated according to a certain period, and a specific updating manner is to update the obtained initial key information. In practical applications, for example, the SM3 cryptographic hash algorithm, when the sequence number of the Key transmission protocol frame of the Final Key is 0, the initial Key information may be updated to update the Key seed.
It is understood that steps S401 to S403 may be executed after step S301, before step S301, or any one of steps S401 to S403 may be executed in parallel with step S301, which is not limited in this embodiment of the application.
Then, in some possible implementation manners of the embodiment of the present application, step S302 may specifically include:
and decrypting the encrypted final key by using the key seed by using a second preset algorithm.
In the embodiment of the present application, the second preset algorithm may be the same as or different from the first preset algorithm. As an example, the second preset algorithm may be specifically an SM4 block cipher algorithm.
It is understood that the decryption method employed by the decryptor (i.e. the key management system) corresponds to the encryption method employed by the encryptor (i.e. the first terminal).
In the embodiment of the application, after the key management system receives the final key after encryption processing, the key seed is utilized to decrypt the final key after encryption processing to obtain the final key, so that the final key transmitted in the system through the intranet can be successfully decrypted by the key management system and is not easily stolen by a third-party device, and the security of the transmission of the final key in the intranet environment and the security and confidentiality of the whole information transmission are ensured.
Based on the key distribution method provided by the above embodiment, the embodiment of the present application further provides a key distribution device applied to the first terminal.
Referring to fig. 5, this figure is a schematic structural diagram of a key distribution apparatus according to an embodiment of the present application.
An embodiment of the present application provides a key distribution apparatus applied to a first terminal, including: a key acquisition module 510, a first encryption module 520, and a transmission module 530;
a key obtaining module 510, configured to obtain a final key to be transmitted;
a first encryption module 520, configured to encrypt the final key by using the key seed;
a transmission module 530, configured to transmit the final key after the encryption processing to the key management system.
In some possible implementation manners of the embodiment of the present application, the apparatus may further include: the device comprises an information acquisition module, a second encryption module and a seed generation module;
the information acquisition module is also used for acquiring initial key information, and the initial key information comprises hardware curing information and dynamic information issued by the key management system;
the second encryption module is used for encrypting the initial key information by using a first preset algorithm to obtain a first key sequence;
and the seed generation module is used for generating a key seed according to the first key sequence.
In some possible implementation manners of the embodiment of the present application, the first encryption module 520 may be specifically configured to:
and encrypting the final key by using the key seed by using a second preset algorithm.
As an example, the first preset algorithm may be an SM3 cryptographic hash algorithm; the second preset algorithm may be an SM4 block cipher algorithm.
In the embodiment of the application, before the final key to be transmitted is sent to the key management system, the key seed is utilized to encrypt the final key to be transmitted, and the encrypted final key is transmitted to the key management system, so that the final key transmitted in the system through the intranet is not easily stolen by third-party equipment, and the security of the transmission of the final key in the intranet environment and the security and confidentiality of the whole information transmission are ensured.
Based on the key distribution method provided by the above embodiment, the embodiment of the present application further provides a key distribution device applied to a key management system.
Referring to fig. 6, this figure is a schematic structural diagram of another key distribution apparatus provided in the embodiment of the present application.
An embodiment of the present application provides a key distribution apparatus applied to a key management system, including: a key receiving module 610 and a decryption module 620;
a key receiving module 610, configured to receive a final key after encryption processing; the final key after the encryption processing is obtained by using any one of the key distribution methods applied to the first terminal provided in the above embodiments;
and the decryption module 620 is configured to decrypt the encrypted final key by using the key seed to obtain the final key.
In some possible implementation manners of the embodiment of the present application, the apparatus may further include: the device comprises an acquisition module, an encryption module and a generation module;
the acquisition module is used for acquiring initial key information, and the initial key information comprises the dynamic information and hardware curing information;
the encryption module is used for encrypting the initial key information by using a first preset algorithm to obtain a second key sequence;
and the generating module is used for generating a key seed according to the second key sequence.
In some possible implementation manners of the embodiment of the present application, the decryption module 620 may be specifically configured to:
and decrypting the encrypted final key by using the key seed by using a second preset algorithm.
As an example, the first preset algorithm may be an SM3 cryptographic hash algorithm; the second preset algorithm may be an SM4 block cipher algorithm.
In the embodiment of the application, after the key management system receives the final key after encryption processing, the key seed is utilized to decrypt the final key after encryption processing to obtain the final key, so that the final key transmitted in the system through the intranet can be successfully decrypted by the key management system and is not easily stolen by a third-party device, and the security of the transmission of the final key in the intranet environment and the security and confidentiality of the whole information transmission are ensured.
Based on the key distribution method and device provided by the above embodiments, the embodiments of the present application further provide a device for implementing the above method.
Referring to fig. 7, the figure is a schematic structural diagram of an apparatus provided in an embodiment of the present application.
The equipment that this application embodiment provided includes: a memory 10 and a processor 20;
a memory 10 for storing program code;
the processor 20 is configured to obtain the program code stored in the memory 10, and execute any one of the key distribution methods according to the embodiments according to the instructions of the program code.
In some possible implementations of the embodiment of the present application, the memory 10 and the processor 20 are both disposed on a Field-Programmable Gate Array (FPGA) board.
It can be understood that, since the memory 10 and the processor 20 are both implemented on a hardware board (i.e., an FPGA board), and the acquisition of the Final Key and the encryption and decryption processes are both performed on the hardware board, the security of data in the data processing process of the Key distribution method provided in the embodiment of the present application is ensured, the stability of the system is improved, and the capability of the system to resist third party attacks is improved.
It is understood that the memory 10 and the processor 20 may be implemented on a programmable chip such as a single chip, an ARM, an FPGA, a DSP, an ASIC, and the like, which is not limited in this embodiment of the application.
In the embodiment of the application, before the final key to be transmitted is sent to the key management system, the key seed is utilized to encrypt the final key to be transmitted, and the encrypted final key is transmitted to the key management system, so that the final key transmitted in the system through the intranet is not easily stolen by third-party equipment, and the security of the transmission of the final key in the intranet environment and the security and confidentiality of the whole information transmission are ensured.
It should be noted that, in the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant part can be referred to the method part for description.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The foregoing is merely a preferred embodiment of the present application and is not intended to limit the present application in any way. Although the present application has been described with reference to the preferred embodiments, it is not intended to limit the present application. Those skilled in the art can now make numerous possible variations and modifications to the disclosed embodiments, or modify equivalent embodiments, using the methods and techniques disclosed above, without departing from the scope of the claimed embodiments. Therefore, any simple modification, equivalent change and modification made to the above embodiments according to the technical essence of the present application still fall within the protection scope of the technical solution of the present application without departing from the content of the technical solution of the present application.

Claims (18)

1. A key distribution method applied to a first terminal, the method comprising:
acquiring a final secret key to be transmitted;
encrypting the final key by using a key seed;
and transmitting the final key after the encryption processing to a key management system.
2. The method of claim 1, wherein the encrypting the final key using the key seed further comprises:
acquiring initial key information, wherein the initial key information comprises hardware curing information and dynamic information issued by the key management system;
encrypting the initial key information by using a first preset algorithm to obtain a first key sequence;
and generating the key seed according to the first key sequence.
3. The method according to claim 2, wherein the first predetermined algorithm is SM3 cryptographic hash algorithm.
4. The method according to any one of claims 1 to 3, wherein the encrypting the final key using the key seed specifically includes:
and encrypting the final key by using the key seed by using a second preset algorithm.
5. The method according to claim 4, wherein the second predetermined algorithm is the SM4 block cipher algorithm.
6. A key distribution method is applied to a key management system, and the method comprises the following steps:
receiving a final key after encryption processing; the final key after the encryption processing is obtained by using the key distribution method of any one of claims 1 to 5;
and decrypting the encrypted final key by using the key seed to obtain the final key.
7. The method of claim 6, wherein the decrypting the encrypted final key using the key seed further comprises:
acquiring initial key information, wherein the initial key information comprises the dynamic information and hardware curing information;
encrypting the initial key information by using a first preset algorithm to obtain a second key sequence;
and generating the key seed according to the second key sequence.
8. The method according to claim 7, wherein the first predetermined algorithm is SM3 cryptographic hash algorithm.
9. The method according to any one of claims 6 to 8, wherein the decrypting the final key after the encryption processing by using the key seed specifically includes:
and decrypting the encrypted final key by using the key seed by using a second preset algorithm.
10. The method according to claim 9, wherein the second predetermined algorithm is SM4 block cipher algorithm.
11. A key distribution apparatus, applied to a first terminal, the apparatus comprising: the device comprises a key acquisition module, a first encryption module and a transmission module;
the key acquisition module is used for acquiring a final key to be transmitted;
the first encryption module is used for encrypting the final key by using a key seed;
and the transmission module is used for transmitting the final key after encryption processing to the key management system.
12. The apparatus of claim 11, further comprising: the device comprises an information acquisition module, a second encryption module and a seed generation module;
the information acquisition module is further configured to acquire initial key information, where the initial key information includes hardware curing information and dynamic information issued by the key management system;
the second encryption module is used for encrypting the initial key information by using a first preset algorithm to obtain a first key sequence;
the seed generation module is configured to generate the key seed according to the first key sequence.
13. The apparatus according to claim 11 or 12, wherein the first encryption module is specifically configured to:
and encrypting the final key by using the key seed by using a second preset algorithm.
14. A key distribution apparatus applied to a key management system, the apparatus comprising: a key receiving module and a decryption module;
the key receiving module is used for receiving the final key after encryption processing; the final key after the encryption processing is obtained by using the key distribution method of any one of claims 1 to 5;
and the decryption module is used for decrypting the encrypted final key by using the key seed to obtain the final key.
15. The apparatus of claim 14, further comprising: the device comprises an acquisition module, an encryption module and a generation module;
the acquiring module is used for acquiring initial key information, wherein the initial key information comprises the dynamic information and hardware curing information;
the encryption module is used for encrypting the initial key information by using a first preset algorithm to obtain a second key sequence;
and the generating module is used for generating the key seed according to the second key sequence.
16. The apparatus according to claim 14 or 15, wherein the decryption module is specifically configured to:
and decrypting the encrypted final key by using the key seed by using a second preset algorithm.
17. An apparatus, comprising: a memory and a processor;
the memory for storing program code;
the processor is configured to acquire the program code stored in the memory and execute the key distribution method according to any one of claims 1 to 10 according to instructions of the program code.
18. The apparatus of claim 17, wherein the memory and the processor are both disposed on an FPGA board.
CN201910726913.4A 2019-08-07 2019-08-07 Key distribution method, device and equipment Pending CN112350822A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910726913.4A CN112350822A (en) 2019-08-07 2019-08-07 Key distribution method, device and equipment
CN202311757115.0A CN117527232A (en) 2019-08-07 2019-08-07 Key distribution method, device and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910726913.4A CN112350822A (en) 2019-08-07 2019-08-07 Key distribution method, device and equipment

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202311757115.0A Division CN117527232A (en) 2019-08-07 2019-08-07 Key distribution method, device and equipment

Publications (1)

Publication Number Publication Date
CN112350822A true CN112350822A (en) 2021-02-09

Family

ID=74367284

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202311757115.0A Pending CN117527232A (en) 2019-08-07 2019-08-07 Key distribution method, device and equipment
CN201910726913.4A Pending CN112350822A (en) 2019-08-07 2019-08-07 Key distribution method, device and equipment

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202311757115.0A Pending CN117527232A (en) 2019-08-07 2019-08-07 Key distribution method, device and equipment

Country Status (1)

Country Link
CN (2) CN117527232A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110126011A1 (en) * 2009-11-24 2011-05-26 Electronics And Telecommunications Research Institute Method of user-authenticated quantum key distribution
CN109428709A (en) * 2017-08-22 2019-03-05 中国电信股份有限公司 Quantum key distribution method, system and optical network system
CN109525390A (en) * 2018-11-20 2019-03-26 江苏亨通问天量子信息研究院有限公司 Quantum key wireless dispatch method and system for terminal device secret communication
CN109639407A (en) * 2018-12-28 2019-04-16 浙江神州量子通信技术有限公司 A method of information is encrypted and decrypted based on quantum network

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110126011A1 (en) * 2009-11-24 2011-05-26 Electronics And Telecommunications Research Institute Method of user-authenticated quantum key distribution
CN109428709A (en) * 2017-08-22 2019-03-05 中国电信股份有限公司 Quantum key distribution method, system and optical network system
CN109525390A (en) * 2018-11-20 2019-03-26 江苏亨通问天量子信息研究院有限公司 Quantum key wireless dispatch method and system for terminal device secret communication
CN109639407A (en) * 2018-12-28 2019-04-16 浙江神州量子通信技术有限公司 A method of information is encrypted and decrypted based on quantum network

Also Published As

Publication number Publication date
CN117527232A (en) 2024-02-06

Similar Documents

Publication Publication Date Title
CN109040045B (en) Cloud storage access control method based on ciphertext policy attribute-based encryption
CN109495274B (en) Decentralized intelligent lock electronic key distribution method and system
CN110855671B (en) Trusted computing method and system
US20220141038A1 (en) Method of rsa signature or decryption protected using a homomorphic encryption
Kumar et al. Secure storage and access of data in cloud computing
US8433066B2 (en) Method for generating an encryption/decryption key
US10880100B2 (en) Apparatus and method for certificate enrollment
KR101615137B1 (en) Data access method based on attributed
CN110958219A (en) SM2 proxy re-encryption method and device for medical cloud shared data
CN114679340B (en) File sharing method, system, device and readable storage medium
CN109218251B (en) Anti-replay authentication method and system
CN113918982B (en) Data processing method and system based on identification information
CN117318941B (en) Method, system, terminal and storage medium for distributing preset secret key based on in-car network
CN110383755A (en) The network equipment and trusted third party's equipment
EP2892206B1 (en) System and method for push framework security
CN113783683A (en) Cloud platform privacy protection verifiable data aggregation method based on sensor network
Mohammed et al. Secure third party auditor (tpa) for ensuring data integrity in fog computing
CN114785527B (en) Data transmission method, device, equipment and storage medium
CN107872312B (en) Method, device, equipment and system for dynamically generating symmetric key
KR101793528B1 (en) Certificateless public key encryption system and receiving terminal
US20230068650A1 (en) Method for testing if a data element belongs to a list of reference data elements
US11456866B2 (en) Key ladder generating a device public key
CN110391901B (en) Proxy re-encryption method supporting complex access control element description
Salim et al. Applying geo-encryption and attribute based encryption to implement secure access control in the cloud
CN112350822A (en) Key distribution method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination