CN113347147B - Two-point secret key safety synchronization method, system and equipment - Google Patents
- Publication number: CN113347147B (application number CN202110404469.1A)
- Authority: CN (China)
- Prior art keywords: key, user, check value, nascent, primary
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security; H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
Abstract
The application discloses a two-point key safety synchronization method, system and equipment. After a first user sends a generated first nascent key to a second user, the first user encrypts a first key check value of the first nascent key with a node key to obtain an encrypted key check value and sends the encrypted key check value to the second user; the first nascent key is then processed according to the feedback information of the second user. In this way, after the first user sends the generated key to the second user, the key received by the second user is verified through the key check value that uniquely identifies the key, and if the key check values are inconsistent the key is discarded. The keys on both sides are thus kept synchronized, which avoids the problem of two data communication parties exchanging data while their keys are not synchronized.
Description
Technical Field
The present application relates to the technical field of key synchronization, and in particular, to a method, a system, and a device for secure synchronization of two-point keys.
Background
Key synchronization is an important link in ensuring data transmission security in the field of data communication: the key that a caller normally uses for encryption and decryption must be synchronized securely. In the technical field of key synchronization the mechanisms for secure key synchronization are relatively mature; in general, to ensure key synchronization, a caller encrypts data with the key and then sends the key to the receiver through a secure channel.
However, if a network problem occurs or a communication request is modified, the key as stored at the receiver may be inconsistent with the key that was sent, so the received key is out of synchronization and the data receiver cannot decrypt the encrypted data. In that case the database has to be rolled back to restore the data to its original state, and encryption and key transmission are carried out again before key synchronization is achieved.
Rolling back the database not only wastes communication resources but also introduces a degree of insecurity for the transmitted data. Therefore, how to ensure that a user does not use a key that has not been successfully synchronized, without rolling back the database, is an urgent problem in the art.
Disclosure of Invention
In order to solve the technical problems, the following technical scheme is provided:
In a first aspect, an embodiment of the present application provides a method for secure synchronization of two-point keys, where the method includes: after a first user sends a generated first nascent key to a second user, encrypting a first key verification value of the first nascent key through a node key to obtain an encrypted key verification value, wherein the first user and the second user are users with common key equipment, the first nascent key is any symmetric key generated by the first user through local key equipment, and the first key verification value is a unique identifier of the first nascent key; the first user sends the encryption key check value to the second user; and processing the first primary key according to the feedback information of the second user.
By adopting the implementation mode, after the first user sends the generated key to the second user, the key received by the second user is verified through the unique identification key check value of the key, and if the key check values are inconsistent, the key is discarded. The key between the two is ensured to keep synchronous, and the problem that data interaction is carried out between two data communication parties under the condition that the keys are not synchronous is further avoided.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the processing the first primary key according to the information fed back by the second user includes: the second user obtains a carried first key check value according to the encryption key check value; if the first key check value is different from a key check value carried by a first nascent key received by a second user, discarding the first nascent key; or if the first key check value is the same as the key check value carried by the first nascent key received by the second user, using the first nascent key as a normal key.
With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the obtaining, by the second user, the carried first key check value according to the encryption key check value includes: determining a node key negotiated with a first user; and decrypting the encrypted key check value according to the node key to obtain the first key check value.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the sending, by the first user, the generated first primary key to the second user includes: the first user encrypts the first primary key through a local key to obtain a first key; encrypting the first key through a node key to obtain a second key; and sending the second key to the second user.
With reference to the first aspect, in a fourth possible implementation manner of the first aspect, the first user sends an encryption key check value to the second user according to a first time interval, and the second user sends feedback information to the first user according to a second time interval, where the second time interval is greater than the first time interval.
With reference to the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, if the first user or the second user detects that a communication network is abnormal, a prompt message is sent.
With reference to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, after the second user sends the first feedback information to the first user at the first time, when the second user receives the prompt information from the first user at the second time with an interval duration less than the second time interval or when the second user detects that the communication network is abnormal, the second user directly sends the feedback information to the first user.
In a second aspect, an embodiment of the present application provides a two-point key security synchronization system, where the system includes: an obtaining module, configured to encrypt a first key check value of a first nascent key by a node key after the first user sends the generated first nascent key to a second user, to obtain an encrypted key check value, where the first user and the second user are users having a common key device, the first nascent key is any symmetric key generated by the first user through a local key device, and the first key check value is a unique identifier of the first nascent key; a sending module, configured to send, by the first user, the encryption key check value to the second user; and the processing module is used for processing the first primary key according to the feedback information of the second user.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the processing module includes: the decryption unit is used for the second user to obtain a carried first key check value according to the encryption key check value; the verification unit is used for discarding the first primary key if the first key verification value is different from a key verification value carried by the first primary key received by the second user; or, if the first key check value is the same as a key check value carried by a first nascent key received by a second user, using the first nascent key as a normal key.
In a third aspect, an embodiment of the present application provides an apparatus, including: a processor; a memory for storing processor executable instructions; the processor executes the two-point key security synchronization method described in the first aspect or any possible implementation manner of the first aspect to ensure key synchronization between users of encrypted communication.
Drawings
Fig. 1 is a schematic flowchart of a two-point key security synchronization method according to an embodiment of the present disclosure;
fig. 2 is a schematic diagram of a two-point key security synchronization system according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram of an apparatus provided in an embodiment of the present application.
Detailed Description
The present invention will be described with reference to the accompanying drawings and embodiments.
The direct aim of key synchronization is for application systems in different places to call a key management system and acquire the same key, so that the key can be used to encrypt, transmit and decrypt important information. To address the problems set out in the background, the present application proposes the following solutions.
Fig. 1 is a schematic flowchart of a two-point key security synchronization method provided in an embodiment of the present application, and referring to fig. 1, the two-point key security synchronization method provided in the embodiment of the present application includes:
S101, after the first user sends the generated first nascent key to the second user, the first key check value of the first nascent key is encrypted with the node key to obtain an encrypted key check value.
In this embodiment, the first user and the second user are users having a common key device and have the same local master key. The first primary key is any symmetric key generated by the first user through local key equipment, and the first key check value is a unique identifier of the first primary key.
The first user encrypts the first nascent key with a local key to obtain a first key. The first user and the second user negotiate a symmetric key as a node key using asymmetric-key encryption, and the first key is encrypted with the node key to obtain a second key. The second key is sent to the second user.
S102, the first user sends the encrypted key check value to the second user.
In this embodiment, whether the first user sends an encrypted key check value to the second user is determined by whether a key has been sent to the second user. Every time a nascent key is sent to the second user, a key check value is sent to the second user after it has received the nascent key, so that key synchronization is verified before subsequent data interaction and encryption and decryption.
S103, processing the first primary key according to the feedback information of the second user.
Because there may be not only the first user but also other users interacting with the second user, there may be a plurality of node keys in the corresponding second user key management system, and different node keys are distinguished according to different user identifications.
The second user firstly determines first user identification information corresponding to the currently received encryption key check value, and determines a node key negotiated with the first user. And decrypting the encrypted key check value according to the node key to obtain a first key check value.
The second user then extracts the corresponding key check value from the first nascent key data most recently received from the first user, and compares it with the first key check value. And if the first key check value is different from the key check value carried by the first nascent key received by the second user, discarding the first nascent key, and changing the state of the nascent key into waste, so that the first user is required to send a new key to the second user again. And if the first key check value is the same as the key check value carried by the first nascent key received by the second user, the first nascent key is used as a normal key, the state of the nascent key is changed to be normal, and the first user and the second user can perform normal encryption and decryption data interaction.
In an exemplary embodiment, a plurality of keys are used between the first user and the second user to meet the security requirements of data interaction, so the first user sends an encrypted key check value after each key it sends to the second user. When the first user sends a plurality of encrypted key check values to the second user at the first time interval, because the key serial numbers corresponding to the key check values carried in the different encrypted key check values are unique, the second user does not send feedback for each one received but sends unified feedback after receiving a predetermined number of encrypted key check values. Thus, if the first user sends encrypted key check values to the second user at a first time interval, the second user sends feedback information to the first user at a second time interval that is greater than the first time interval.
Generally, after the first user sends a key to the second user, most failures of key synchronization are caused by network anomalies. Thus, if the first user or the second user detects a network anomaly, such as a network outage or a modification of the network transport protocol, a prompt message is sent. If the first user detects the anomaly, it stops sending keys until it receives the feedback information; if the second user detects the anomaly, it informs the first user to stop sending keys and prompts the first user to send the encrypted key check value corresponding to the latest key after the network is restored.
In an exemplary embodiment, after the second user sends first feedback information to the first user at a first time, it receives the network anomaly prompt from the first user at a later time, or itself detects the network anomaly. At that point the next scheduled feedback time has not yet arrived, but the second user sends feedback information to the first user immediately in order to determine the synchronization state of the key received at the previous moment.
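The verification flow of steps S101 to S103, together with the batched feedback of the exemplary embodiment, as an added Python example; it is not code from the patent or from the applicant. It assumes several things the patent leaves unspecified: the key check value is a truncated SHA-256 of the key bytes, the node key has already been negotiated out of band, and an HMAC-SHA256 keystream stands in for the unnamed symmetric cipher (a real deployment would use an authenticated cipher such as AES-GCM). The names `FirstUser`, `SecondUser` and `run_exchange` are the example's own.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field


# Stand-in cipher (assumption: the patent names no algorithm). HMAC-SHA256 is used
# as a PRF in counter mode; a real system would use an authenticated cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def key_check_value(key: bytes) -> bytes:
    """Unique identifier of a key (assumption: first 8 bytes of a domain-separated SHA-256)."""
    return hashlib.sha256(b"KCV|" + key).digest()[:8]


@dataclass
class NascentKey:
    key: bytes
    state: str = "nascent"  # nascent -> normal (check value matched) | waste (discarded)


@dataclass
class FirstUser:
    user_id: str
    local_key: bytes  # local master key shared via the common key device
    node_key: bytes   # symmetric node key negotiated with the second user
    keys: dict = field(default_factory=dict)
    next_serial: int = 1

    def send_nascent_key(self, peer: "SecondUser") -> int:
        serial = self.next_serial
        self.next_serial += 1
        nascent = os.urandom(16)                        # any symmetric key from the key device
        self.keys[serial] = NascentKey(nascent)
        first_key = encrypt(self.local_key, nascent)    # wrap with the local key ...
        second_key = encrypt(self.node_key, first_key)  # ... then with the node key
        peer.receive_key(self.user_id, serial, second_key)
        return serial

    def send_check_value(self, peer: "SecondUser", serial: int) -> None:
        # S101/S102: serial number + key check value, encrypted under the node key
        payload = struct.pack(">I", serial) + key_check_value(self.keys[serial].key)
        peer.receive_check_value(self.user_id, encrypt(self.node_key, payload))

    def process_feedback(self, feedback: dict) -> None:
        # S103 on the sender side: a discarded key is marked waste and must be resent
        for serial, verdict in feedback.items():
            self.keys[serial].state = "normal" if verdict == "ok" else "waste"


@dataclass
class SecondUser:
    local_key: bytes
    node_keys: dict  # user_id -> node key; several peers are told apart by user id
    received: dict = field(default_factory=dict)          # (user_id, serial) -> NascentKey
    pending_feedback: dict = field(default_factory=dict)  # batched until flush_feedback()

    def receive_key(self, user_id: str, serial: int, second_key: bytes) -> None:
        first_key = decrypt(self.node_keys[user_id], second_key)
        self.received[(user_id, serial)] = NascentKey(decrypt(self.local_key, first_key))

    def receive_check_value(self, user_id: str, enc_check_value: bytes) -> None:
        payload = decrypt(self.node_keys[user_id], enc_check_value)  # node key chosen by user id
        serial, kcv = struct.unpack(">I", payload[:4])[0], payload[4:]
        entry = self.received.get((user_id, serial))
        if entry is None or not hmac.compare_digest(kcv, key_check_value(entry.key)):
            if entry is not None:
                entry.state = "waste"
            self.pending_feedback[serial] = "discard"
        else:
            entry.state = "normal"
            self.pending_feedback[serial] = "ok"

    def flush_feedback(self) -> dict:
        feedback, self.pending_feedback = self.pending_feedback, {}
        return feedback


def run_exchange(corrupt_in_transit: bool) -> tuple:
    """Constructed scenario: returns (first user's key state, second user's key state)."""
    local_key, node_key = os.urandom(32), os.urandom(32)
    alice = FirstUser("user-A", local_key, node_key)
    bob = SecondUser(local_key, {"user-A": node_key})
    serial = alice.send_nascent_key(bob)
    if corrupt_in_transit:  # the key "lands" at the receiver inconsistently
        bob.received[("user-A", serial)].key = os.urandom(16)
    alice.send_check_value(bob, serial)
    alice.process_feedback(bob.flush_feedback())
    return alice.keys[serial].state, bob.received[("user-A", serial)].state
```

The check value is compared with `hmac.compare_digest` rather than `==` so the comparison time does not depend on where the first differing byte is; with a plain `==` an attacker who can observe timing could learn the check value of a stored key byte by byte. Feedback is collected in `pending_feedback` and released only by `flush_feedback`, which is where the second, longer time interval of the exemplary embodiment would be applied.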
Corresponding to the two-point key security synchronization method provided by the foregoing embodiment, the present application also provides an embodiment of a two-point key security synchronization system, and referring to fig. 2, the two-point key security synchronization system 20 includes: an acquisition module 201, a sending module 202 and a processing module 203.
The obtaining module 201 is configured to encrypt a first key check value of a first nascent key by a node key after the first user sends the generated first nascent key to a second user to obtain an encrypted key check value, where the first user and the second user are users having a common key device, the first nascent key is any symmetric key generated by the first user through a local key device, and the first key check value is a unique identifier of the first nascent key.
The first user encrypts the first primary key through a local key to obtain a first key, encrypts the first key through a node key to obtain a second key, and sends the second key to the second user.
The sending module 202 is configured to send the encryption key check value to the second user by the first user.
The processing module 203 is configured to process the first nascent key according to the information fed back by the second user.
Further, the processing module comprises: a decryption unit and a verification unit.
And the decryption unit is used for the second user to obtain the carried first key check value according to the encryption key check value. Specifically, the second user first determines a node key negotiated with the first user, and decrypts the encrypted key check value according to the node key to obtain the first key check value.
The verification unit is used for discarding the first primary key if the first key verification value is different from a key verification value carried by the first primary key received by the second user; or, if the first key check value is the same as a key check value carried by a first nascent key received by a second user, using the first nascent key as a normal key.
The present application further provides an embodiment of a device, specifically, the device in this embodiment is a device for ensuring key synchronization, and referring to fig. 3, the device 30 includes: a processor 301, a memory 302, and a communication interface 303.
In fig. 3, the processor 301, the memory 302, and the communication interface 303 may be connected to each other by a bus; the bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 3, but this does not mean only one bus or one type of bus.
The processor 301 generally controls the overall functions of the device 30, for example, after the device 30 is started and a terminal is started, a first user sends a generated first nascent key to a second user, encrypts a first key check value of the first nascent key by using a node key to obtain an encrypted key check value, and the first user sends the encrypted key check value to the second user; and processing the first primary key according to the feedback information of the second user.
The processor 301 may be a general-purpose processor such as a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP. The processor may also be a Microprocessor (MCU). The processor may also include a hardware chip. The hardware chip may be an Application Specific Integrated Circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a Field Programmable Gate Array (FPGA), or the like.
Memory 302 is configured to store computer-executable instructions that support the operation of device 30. The memory 302 may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
After the device 30 is started, the processor 301 and the memory 302 are powered on, and the processor 301 reads and executes the computer executable instructions stored in the memory 302 to complete all or part of the steps in the above-described two-point key security synchronization method embodiment.
The communication interface 303 is used for the device 30 to transfer data, for example, to enable communication with a key device. The communication interface 303 includes a wired communication interface, and may also include a wireless communication interface. The wired communication interface comprises a USB interface, a Micro USB interface and an Ethernet interface. The wireless communication interface may be a WLAN interface, a cellular network communication interface, a combination thereof, or the like.
In an exemplary embodiment, the device 30 provided by the embodiments of the present application further includes a power supply component that provides power to the various components of the device 30. The power components may include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power for device 30.
In an exemplary embodiment, device 30 may be implemented as one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), or other electronic components.
It is noted that, in this document, relational terms such as "first" and "second," and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
Of course, the above description is not limited to the above examples; technical features not described in this application may be implemented by or using the prior art and are not described again here. The above embodiments and drawings only illustrate the technical solutions of the present application and do not limit it; the application has merely been described in detail with reference to the preferred embodiments. Those skilled in the art should understand that changes, modifications, additions or substitutions may be made within the spirit and scope of the present application without departing from its spirit, and that these should also be covered by the scope of the claims of the present application.
Claims (7)
1. A two-point key secure synchronization method, the method comprising:
after a first user sends a generated first nascent key to a second user, encrypting a first key verification value of the first nascent key through a node key to obtain an encrypted key verification value, wherein the first user and the second user are users who have common key equipment, the first nascent key is any symmetric key generated by the first user through local key equipment, and the first key verification value is a unique identifier of the first nascent key;
the first user sends the encryption key check value to the second user;
processing the first primary key according to the feedback information of the second user; processing the first primary key according to the information fed back by the second user, including:
the second user obtains a carried first key check value according to the encryption key check value;
the second user obtains the carried first key check value according to the encryption key check value, and the method comprises the following steps:
determining a node key negotiated with a first user;
decrypting the encrypted key check value according to the node key to obtain the first key check value; wherein: the second user extracts a corresponding key check value from the first primary key data which is received from the first user last time, and compares the key check value with the first key check value;
if the first key check value is different from a key check value carried by a first nascent key received by a second user, discarding the first nascent key;
or,
and if the first key check value is the same as the key check value carried by the first nascent key received by the second user, using the first nascent key as a normal key.
2. The two-point key security synchronization method of claim 1, wherein the first user sends the generated first primary key to the second user, and the method comprises:
the first user encrypts the first primary key through a local key to obtain a first key;
encrypting the first key through a node key to obtain a second key;
and sending the second key to the second user.
3. The two-point key security synchronization method of claim 1, wherein the first user sends the encryption key check value to the second user at a first time interval, and the second user sends the feedback information to the first user at a second time interval, and the second time interval is greater than the first time interval.
4. The two-point key security synchronization method according to claim 3, wherein if the first user or the second user detects an abnormality of a communication network, a prompt message is issued.
5. The two-point key security synchronization method according to claim 4, wherein when the second user receives the prompt message from the first user at a second time that is shorter than the second time interval after sending the first feedback message to the first user at the first time, or when the second user detects an abnormality in the communication network, the second user directly sends the feedback message to the first user.
6. A two-point key secure synchronization system, the system comprising:
an obtaining module, configured to encrypt a first key check value of a first nascent key by a node key after the first user sends the generated first nascent key to a second user, to obtain an encrypted key check value, where the first user and the second user are users having a common key device, the first nascent key is any symmetric key generated by the first user through a local key device, and the first key check value is a unique identifier of the first nascent key;
a sending module, configured to send the encryption key check value to the second user by the first user;
the processing module is used for processing the first primary key according to the feedback information of the second user;
the processing module comprises:
the decryption unit is used for the second user to obtain a carried first key check value according to the encryption key check value;
the second user obtains the carried first key check value according to the encryption key check value, and the method comprises the following steps:
determining a node key negotiated with a first user;
decrypting the encrypted key check value according to the node key to obtain the first key check value; wherein: the second user extracts a corresponding key check value from the first primary key data which is received from the first user last time, and compares the key check value with the first key check value;
the verification unit is used for discarding the first primary key if the first key verification value is different from a key verification value carried by the first primary key received by the second user; or, if the first key check value is the same as a key check value carried by a first nascent key received by a second user, using the first nascent key as a normal key.
7. An apparatus, comprising:
a processor;
a memory for storing processor executable instructions;
the processor performs the two-point key security synchronization method of any one of claims 1-5 to ensure key synchronization between users of encrypted communications.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110404469.1A CN113347147B (en) | 2021-04-15 | 2021-04-15 | Two-point secret key safety synchronization method, system and equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110404469.1A CN113347147B (en) | 2021-04-15 | 2021-04-15 | Two-point secret key safety synchronization method, system and equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113347147A CN113347147A (en) | 2021-09-03 |
CN113347147B true CN113347147B (en) | 2022-11-04 |
Family
ID=77468067
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110404469.1A Active CN113347147B (en) | 2021-04-15 | 2021-04-15 | Two-point secret key safety synchronization method, system and equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113347147B (en) |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101136742B (en) * | 2007-04-09 | 2011-01-19 | 中兴通讯股份有限公司 | Packet key synchronization, updating, and calibration method |
US20130290731A1 (en) * | 2012-04-26 | 2013-10-31 | Appsense Limited | Systems and methods for storing and verifying security information |
CN104008344A (en) * | 2013-02-21 | 2014-08-27 | 福建福昕软件开发股份有限公司北京分公司 | Method and system for ePub document data safety protection |
CN103888942B (en) * | 2014-03-14 | 2017-04-19 | 天地融科技股份有限公司 | Data processing method based on negotiation secret keys |
CN104219252A (en) * | 2014-09-28 | 2014-12-17 | 东南大学 | Coding error correction based secret key forward direction consistency calibration method |
CN107395560B (en) * | 2017-06-05 | 2020-07-24 | 努比亚技术有限公司 | Security verification and initiating and managing method, equipment, server and storage medium thereof |
CN108123797A (en) * | 2017-11-20 | 2018-06-05 | 安徽问天量子科技股份有限公司 | Network cryptographic device based on quantum key |
CN108683688B (en) * | 2018-07-20 | 2024-02-06 | 中国建设银行股份有限公司浙江省分行 | Method for realizing information transmission safety based on digital envelope technology |
CN109150526A (en) * | 2018-11-02 | 2019-01-04 | 美的集团股份有限公司 | Cryptographic key negotiation method, equipment, terminal, storage medium and system |
CN110166426A (en) * | 2019-04-11 | 2019-08-23 | 北京媒球信息科技有限公司 | Information sends terminal, receives terminal and its secret communication method, storage medium |
- 2021-04-15: CN CN202110404469.1A patent/CN113347147B/en, active (Active)
Also Published As
Publication number | Publication date |
---|---|
CN113347147A (en) | 2021-09-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8767964B2 (en) | Secure communications in computer cluster systems | |
EP2053531B1 (en) | Authentication certificate management for access to a wireless communication device | |
AU2012334829C1 (en) | Secure messaging | |
US20130238895A1 (en) | Renewal processing of digital certificates in an asynchronous messaging environment | |
CN101098229B (en) | Method for checking integrality of standby information | |
US20030196080A1 (en) | Secure communication via the internet | |
CN109274494B (en) | Method and device for maintaining secret key | |
WO2005065134A2 (en) | Mobile device and method for providing certificate based cryptography | |
US20100180123A1 (en) | Procedure and architecture for the protection of real time data | |
CN110234102B (en) | Communication method and apparatus | |
CN101305542B (en) | Method for downloading digital certificate and cryptographic key | |
CN112003697A (en) | Encryption and decryption method and device for cryptographic module, electronic equipment and computer storage medium | |
US20220174058A1 (en) | Peer-to-peer notification system | |
CN1791098B (en) | Method for realizing safety coalition synchronization | |
CN113347147B (en) | Two-point secret key safety synchronization method, system and equipment | |
CN102571338A (en) | PKI (Public Key Infrastructure)-based method and system for certifying internet of things | |
KR20190040443A (en) | Apparatus and method for creating secure session of smart meter | |
US11297063B2 (en) | Method for user administration of a field device | |
KR101087410B1 (en) | User-defined passwords having associated unique version data to assist user recall of the password | |
CN112350823B (en) | CAN FD communication method between vehicle-mounted controllers | |
CN112699391A (en) | Target data sending method and privacy computing platform | |
EP3664362A1 (en) | Key generation method, acquisition method, private key update method, chip and server | |
EP1357697B1 (en) | Secure communication via the internet | |
CN115276991B (en) | Secure chip dynamic key generation method, secure chip device, equipment and medium | |
CN114221814B (en) | System, method, device, processor and computer readable storage medium for realizing terminal equipment safety starting special service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
PE01 | Entry into force of the registration of the contract for pledge of patent right | ||
PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: A Two Point Key Secure Synchronization Method, System, and Device Effective date of registration: 20230525 Granted publication date: 20221104 Pledgee: Jinan Free Trade Zone sub branch of Qilu Bank Co.,Ltd. Pledgor: Zhongan Yunke technology development (Shandong) Co.,Ltd. Registration number: Y2023980041898 |