CN113347165A - Method and device for seamlessly replacing secret key, server side and data interaction method - Google Patents

Method and device for seamlessly replacing secret key, server side and data interaction method Download PDF

Info

Publication number
CN113347165A
CN113347165A CN202110564850.4A CN202110564850A CN113347165A CN 113347165 A CN113347165 A CN 113347165A CN 202110564850 A CN202110564850 A CN 202110564850A CN 113347165 A CN113347165 A CN 113347165A
Authority
CN
China
Prior art keywords
key
old
new
time
double
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110564850.4A
Other languages
Chinese (zh)
Inventor
赵哲阳
覃俊杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bank of Communications Co Ltd
Original Assignee
Bank of Communications Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Bank of Communications Co Ltd filed Critical Bank of Communications Co Ltd
Priority to CN202110564850.4A priority Critical patent/CN113347165A/en
Publication of CN113347165A publication Critical patent/CN113347165A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys

Abstract

The invention relates to a method, a device, a server and a data interaction method for seamlessly replacing a secret key. The method for seamlessly replacing the key comprises the following steps: receiving a key replacement request of a client, wherein the key replacement request comprises a new public key, new key effective time, new key failure time and old key failure time; verifying the key replacement request, and determining a double-key parallel period; and after the double-key parallel period is finished, the old key is downloaded, and the new key is used for replacing the old key. Compared with the prior art, the method and the system ensure the timing controllability of the service end on the key switching when the key switching is carried out at the background service end, simultaneously avoid the defect that the service needs to be stopped during the previous key switching, and reduce the maintenance cost of key replacement.

Description

Method and device for seamlessly replacing secret key, server side and data interaction method
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, an apparatus, a server and a data interaction method for seamlessly replacing a key.
Background
The open platform of the enterprise realizes the safe communication between the client SDK and the server API gateway through a secret key technology, the client provides a public key of the client to the server, the private key of the client is used for signing data when the client sends the data to the server, and the public key of the client is used for verifying and signing after the server receives the data, so that the communication safety between the client and the server is ensured. If the client changes the public and private key pair, a new public key needs to be given to the server, and the client can communicate with the server again after the key database of the server is updated.
The existing key replacement method mainly includes:
and firstly, the old key is off line and then the new key is on line, after the old key is off line, the old key can be immediately invalid, and if the service using the old key still exists on line, the API call can be failed. Because the client cannot use the relevant interface of the service party when the key is changed, some transactions applied by the client fail, and the key is often changed only when the transaction is low in peak in order to reduce the influence on the transactions.
Firstly, adjusting a server, compatible with new and old keys, and online connecting the new key and the old key; and adjusting the server, removing the support of the old key, and downloading the old key. Since the two keys are compatible, which requires the support of the server, the code logic associated with the server is relatively complex. Secondly, the technical scheme does not strictly limit the offline time of the old key, and still causes partial transaction failure.
Therefore, a need currently exists for a method of seamlessly rekeying.
Disclosure of Invention
The present invention provides a method, an apparatus, a server and a data interaction method for seamlessly changing a key, so as to overcome the above-mentioned drawbacks of the prior art.
The purpose of the invention can be realized by the following technical scheme:
a method of seamlessly rekeying, comprising:
receiving a key replacement request of a client, wherein the key replacement request comprises a new public key, new key effective time, new key failure time and old key failure time;
verifying the key replacement request, and determining a double-key parallel period;
and after the double-key parallel period is finished, the old key is downloaded, and the new key is used for replacing the old key.
Preferably, the specific way to verify the rekey request is as follows: and judging whether the old key failure time lags the new key effective time or not and the lag time is less than a set threshold, if so, passing the verification, otherwise, failing to pass the verification and failing to replace the key.
Preferably, the specific way of determining the dual-key parallel period is as follows: when the key exchange request passes the verification, the double-key parallel period is determined as follows: the starting time of the double-key parallel period is the effective time of the new key, and the ending time of the double-key parallel period is the invalid time of the old key.
Preferably, the method further comprises the following steps: and starting a timing task, and regularly cleaning invalid old keys.
An apparatus for seamless rekeying, comprising:
a request receiving unit: the system comprises a key exchange request receiving client, a key exchange request and a key exchange request, wherein the key exchange request comprises a new public key, new key effective time, new key invalid time and old key invalid time;
an authentication determination unit: the system is used for verifying the key replacement request and determining the parallel period of the double keys;
a replacement unit: and the method is used for downloading the old key after the double-key parallel period is ended and replacing the old key with the new key.
Preferably, the way of verifying the key exchange request by the verification determining unit is as follows: and judging whether the old key failure time lags the new key effective time or not and the lag time is less than a set threshold, if so, passing the verification, otherwise, failing to pass the verification and failing to replace the key.
Preferably, the specific way of determining the dual-key parallel period by the verification determining unit is as follows: and when the verification of the key replacement request is passed, determining the effective time of the new key as the starting time of the double-key parallel period, and determining the invalid time of the old key as the ending time of the double-key parallel period as the invalid time of the old key.
Preferably, the apparatus further comprises:
a timing cleaning unit: this unit is used to periodically clean up invalid old keys.
The server side comprises the seamless key replacing device.
A data interaction method is used for data interaction in the process of replacing a key by adopting the seamless key replacing method, and comprises the following steps:
before the dual-key parallel period starts, the old public key is adopted to check the signature of the interactive data of the client, and the old public key is utilized to encrypt the reply message;
in the double-key parallel period, the old public key and the new public key are respectively adopted to check the signature of the interactive data of the client, the current key used by the client is confirmed, the corresponding public key is cached, and the cached public key is further utilized to encrypt the reply message;
and after the double-key parallel period is finished, checking the signature of the interactive data of the client by adopting the new public key, and encrypting the reply message by utilizing the new public key.
Compared with the prior art, the invention has the following advantages:
(1) when the key switching is carried out at the background server, the invention ensures the timing controllability of the key switching at the server, avoids the defect that the service needs to be stopped during the previous key switching, and reduces the maintenance cost of the key replacement.
(2) The invention realizes the control of the parallel period of the double keys by controlling the failure time and the failure time of the keys, combines the operation of the new online key and the old offline key into one step, and reduces the repeated operation of the server.
(3) The invention realizes the function of seamless key switching through 'double-key parallel period', ensures that no key blank period occurs during key switching, and ensures the transaction success rate under the condition of high access amount.
Drawings
FIG. 1 is a flow chart of a method for seamlessly rekeying of the present invention.
FIG. 2 is a schematic diagram of a seamless rekeying apparatus according to the present invention.
In the figure, 201 is a request receiving unit, 202 is a verification determining unit, 203 is a replacing unit, and 204 is a timing cleaning unit.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments. Note that the following description of the embodiments is merely a substantial example, and the present invention is not intended to be limited to the application or the use thereof, and is not limited to the following embodiments.
Example 1
As shown in fig. 1, the present embodiment provides a method for seamlessly rekeying, including:
receiving a key replacement request of a client, wherein the key replacement request comprises a new public key, new key effective time, new key failure time and old key failure time;
verifying the key replacement request, and determining a double-key parallel period;
and after the double-key parallel period is finished, the old key is downloaded, and the new key is used for replacing the old key.
In the process, a timing task is also started, and invalid old keys are cleaned regularly.
The specific way of verifying the key change request is as follows: and judging whether the old key failure time lags the new key effective time or not and the lag time is less than a set threshold, if so, passing the verification, otherwise, failing to pass the verification and failing to replace the key. In this embodiment, the threshold is set to be 2 hours, that is, 0< old key expiration time-new key effective time <2 hours, the key exchange request verification is passed, and further, the specific manner of determining the dual-key parallel period is as follows: when the key exchange request passes the verification, the double-key parallel period is determined as follows: the starting time of the double-key parallel period is the effective time of the new key, and the ending time of the double-key parallel period is the invalid time of the old key. Two attributes of 'effective time' and 'dead time' are added to the key, when a user requests key change, the dead time of submitting an old key and the effective time and the dead time of a new key are needed while providing a new public key. The platform checks the key change request submitted by the user after receiving the request, strictly controls the parallel period duration of the keys, ensures that the old key can fail within two hours after the new key takes effect (namely 0< the time of failure of the old key-the time of taking effect of the new key <2 hours), and simultaneously defaults the time of failure of the new key to be set as 100 years after the time of taking effect, and ensures that the key change period is in the service valley period. When the server side carries out the key change operation, the invalidation time of the old key is updated and the validation time and the invalidation time of the new key are set according to the requirements of the user. And the server side performs signature checking on the request message, before signature checking, all keys meeting the conditions are pulled from the database or the cache according to the application id and the failure time, signature checking operation is performed in sequence, if signature checking is successful, the signature checking process is ended, the keys are determined, and then the keys are stored in the cache of the server side for encryption of subsequent reply messages. When the double-key parallel period is over, the old key can not be obtained any more, the new key is continuously used, and the seamless switching process of the keys is finished.
The technical scheme strictly controls the online of the new key and the offline of the old key through the effective time and the ineffective time of the key, and ensures that the communication between the client and the server is not influenced during the key replacement.
Example 2
As shown in fig. 2, the present embodiment provides a seamless rekeying apparatus, including:
the request receiving unit 201: the system comprises a key exchange request receiving client, a key exchange request and a key exchange request, wherein the key exchange request comprises a new public key, new key effective time, new key invalid time and old key invalid time;
the verification determination unit 202: the system is used for verifying the key replacement request and determining the parallel period of the double keys;
the replacement unit 203: and the method is used for downloading the old key after the double-key parallel period is ended and replacing the old key with the new key.
The way in which the authentication determination unit 202 authenticates the key exchange request is: and judging whether the old key failure time lags the new key effective time or not and the lag time is less than a set threshold, if so, passing the verification, otherwise, failing to pass the verification and failing to replace the key.
The verification determining unit 202 determines the dual-key parallel period in a specific manner as follows: and when the verification of the key replacement request is passed, determining the effective time of the new key as the starting time of the double-key parallel period, and determining the invalid time of the old key as the ending time of the double-key parallel period as the invalid time of the old key.
As a preferred embodiment, the apparatus further comprises: the timing cleaning unit 204: this unit is used to periodically clean up invalid old keys.
The method of embodiment 1 is performed by the apparatus for seamlessly changing a key provided in this embodiment when performing seamless key change, and details thereof are not described in this embodiment.
Example 3
Based on embodiment 2, this embodiment provides a server, which includes the apparatus for seamlessly replacing a key provided in embodiment 1.
Example 4
Based on embodiment 1, this embodiment provides a data interaction method, where the method is used for data interaction in a key exchange process by using the seamless key exchange method of embodiment 1, and the data interaction method includes:
before the dual-key parallel period starts, the old public key is adopted to check the signature of the interactive data of the client, and the old public key is utilized to encrypt the reply message;
in the double-key parallel period, the old public key and the new public key are respectively adopted to check the signature of the interactive data of the client, the current key used by the client is confirmed, the corresponding public key is cached, and the cached public key is further utilized to encrypt the reply message;
and after the double-key parallel period is finished, checking the signature of the interactive data of the client by adopting the new public key, and encrypting the reply message by utilizing the new public key.
With reference to fig. 2, the specific process of the data interaction method is as follows:
1) and after the client generates a new key pair, the new public key, the effective time and the invalid time of the new public key and the invalid time of the old public key are all sent to the server.
2) And after the server receives the data, comparing the effective time of the new public key with the ineffective time of the old public key to ensure that no vacancy period occurs during key switching.
3) And after the information of the new and old public keys is successfully verified, the server stores the effective time and the invalid time of the new and old public keys into a database.
4) After the key information is successfully changed, the server enters a double-key parallel period, the client side after the key is changed generates a message, when the server side verifies the signature of the message, under a normal condition, two signature verification public keys exist according to the current time, the server side can be used for signature verification in sequence, if the signature verification public keys are successful, the key is determined to be the key currently used by the client side, and then the key is stored in the cache of the server side and used for subsequent reply message encryption.
5) And when the expiration time of the old key is over, the server side queries the database under the condition of the expiration time, and only the updated key can be obtained.
The above embodiments are merely examples and do not limit the scope of the present invention. These embodiments may be implemented in other various manners, and various omissions, substitutions, and changes may be made without departing from the technical spirit of the present invention.

Claims (10)

1. A method for seamlessly rekeying, comprising:
receiving a key replacement request of a client, wherein the key replacement request comprises a new public key, new key effective time, new key failure time and old key failure time;
verifying the key replacement request, and determining a double-key parallel period;
and after the double-key parallel period is finished, the old key is downloaded, and the new key is used for replacing the old key.
2. The method of claim 1, wherein the key change request is verified by: and judging whether the old key failure time lags the new key effective time or not and the lag time is less than a set threshold, if so, passing the verification, otherwise, failing to pass the verification and failing to replace the key.
3. The method for seamlessly rekeying of claim 2, wherein the double-key concurrency period is determined by: when the key exchange request passes the verification, the double-key parallel period is determined as follows: the starting time of the double-key parallel period is the effective time of the new key, and the ending time of the double-key parallel period is the invalid time of the old key.
4. The method of claim 1, further comprising: and starting a timing task, and regularly cleaning invalid old keys.
5. An apparatus for seamlessly rekeying, comprising:
request receiving unit (201): the system comprises a key exchange request receiving client, a key exchange request and a key exchange request, wherein the key exchange request comprises a new public key, new key effective time, new key invalid time and old key invalid time;
verification determination unit (202): the system is used for verifying the key replacement request and determining the parallel period of the double keys;
replacement unit (203): and the method is used for downloading the old key after the double-key parallel period is ended and replacing the old key with the new key.
6. The seamless rekeying apparatus of claim 5, wherein the authentication determining unit (202) authenticates the rekeying request by: and judging whether the old key failure time lags the new key effective time or not and the lag time is less than a set threshold, if so, passing the verification, otherwise, failing to pass the verification and failing to replace the key.
7. The device for seamless rekeying of claim 6, wherein the authentication determining unit (202) determines the dual-key parallel period by: and when the verification of the key replacement request is passed, determining the effective time of the new key as the starting time of the double-key parallel period, and determining the invalid time of the old key as the ending time of the double-key parallel period as the invalid time of the old key.
8. The apparatus for seamlessly rekeying of claim 5, further comprising:
a timed cleaning unit (204): this unit is used to periodically clean up invalid old keys.
9. A server comprising the seamless rekeying apparatus of any one of claims 5 to 8.
10. A data interaction method, which is used for data interaction in a key exchange process by adopting the seamless key exchange method as claimed in any one of claims 1 to 4, the data interaction method comprising:
before the dual-key parallel period starts, the old public key is adopted to check the signature of the interactive data of the client, and the old public key is utilized to encrypt the reply message;
in the double-key parallel period, the old public key and the new public key are respectively adopted to check the signature of the interactive data of the client, the current key used by the client is confirmed, the corresponding public key is cached, and the cached public key is further utilized to encrypt the reply message;
and after the double-key parallel period is finished, checking the signature of the interactive data of the client by adopting the new public key, and encrypting the reply message by utilizing the new public key.
CN202110564850.4A 2021-05-24 2021-05-24 Method and device for seamlessly replacing secret key, server side and data interaction method Pending CN113347165A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110564850.4A CN113347165A (en) 2021-05-24 2021-05-24 Method and device for seamlessly replacing secret key, server side and data interaction method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110564850.4A CN113347165A (en) 2021-05-24 2021-05-24 Method and device for seamlessly replacing secret key, server side and data interaction method

Publications (1)

Publication Number Publication Date
CN113347165A true CN113347165A (en) 2021-09-03

Family

ID=77471045

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110564850.4A Pending CN113347165A (en) 2021-05-24 2021-05-24 Method and device for seamlessly replacing secret key, server side and data interaction method

Country Status (1)

Country Link
CN (1) CN113347165A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118421A (en) * 2022-08-30 2022-09-27 深圳竹云科技股份有限公司 Key alternation method, device and computer equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002217896A (en) * 2001-01-23 2002-08-02 Matsushita Electric Ind Co Ltd Method for cipher communication and gateway device
CN1494252A (en) * 2002-10-31 2004-05-05 华为技术有限公司 Encryption communication method and device
CN101931830A (en) * 2009-06-18 2010-12-29 中兴通讯股份有限公司 Method for upgrading secret key in Gigabit passive optical network and optical line terminal
CN111200491A (en) * 2018-11-20 2020-05-26 千寻位置网络有限公司 Key updating method, data decrypting method, device, client and interactive system
CN111585753A (en) * 2020-04-27 2020-08-25 盛趣信息技术(上海)有限公司 Service data centralized encryption system and method
CN112532392A (en) * 2020-11-16 2021-03-19 中信银行股份有限公司 Key processing method, device, equipment and storage medium

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002217896A (en) * 2001-01-23 2002-08-02 Matsushita Electric Ind Co Ltd Method for cipher communication and gateway device
CN1494252A (en) * 2002-10-31 2004-05-05 华为技术有限公司 Encryption communication method and device
CN101931830A (en) * 2009-06-18 2010-12-29 中兴通讯股份有限公司 Method for upgrading secret key in Gigabit passive optical network and optical line terminal
CN111200491A (en) * 2018-11-20 2020-05-26 千寻位置网络有限公司 Key updating method, data decrypting method, device, client and interactive system
CN111585753A (en) * 2020-04-27 2020-08-25 盛趣信息技术(上海)有限公司 Service data centralized encryption system and method
CN112532392A (en) * 2020-11-16 2021-03-19 中信银行股份有限公司 Key processing method, device, equipment and storage medium

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118421A (en) * 2022-08-30 2022-09-27 深圳竹云科技股份有限公司 Key alternation method, device and computer equipment

Similar Documents

Publication Publication Date Title
US9043609B2 (en) Implementing security measures for authorized tokens used in mobile transactions
CN112912912A (en) Wallet recovery method
CN109547445B (en) Method and system for verifying legality of network request of client
US20140025581A1 (en) Mobile transactions using authorized tokens
WO2014014527A1 (en) Distributing authorized tokens to conduct mobile transactions
CN106878009B (en) Key updating method and system
CN111131313A (en) Safety guarantee method and system for replacing ECU (electronic control Unit) of intelligent networked automobile
CN111884811B (en) Block chain-based data evidence storing method and data evidence storing platform
CN108830983A (en) A kind of access control system and its working method based on block chain
CN115834253B (en) Identity verification method, identity verification system, client and server
CN103001936A (en) Method and system for third party application interface authorization
CN101155033B (en) Method for confirming client identity
CN102377573A (en) Double-factor authentication method capable of securely updating password
CN113347165A (en) Method and device for seamlessly replacing secret key, server side and data interaction method
CN111176710B (en) Operation method of terminal software management system and terminal software management system
CN113950801A (en) Method and apparatus for public key management using blockchains
CN113364582B (en) Method for communication key configuration and update management in transformer substation
CN108924161A (en) A kind of encrypted transaction data communication means and system
CN111740985A (en) TCP long connection security verification encryption method
JP2001344368A (en) Management method, device, program and storage medium for electronic certificate
CN1972290A (en) Modification method for authentication password based on SIP, subscriber proxy server and subscriber proxy client
CN114615309A (en) Client access control method, device and system, electronic equipment and storage medium
CN110740040A (en) Method for carrying out identity verification in rail transit signal system by adopting PKI model
CN114745149B (en) Software authorization management method
CN111179475A (en) System and method for generating temporary password offline

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20210903