CN113676318A - Method for encryption and decryption without influencing original password by key rotation - Google Patents
Method for encryption and decryption without influencing original password by key rotation Download PDFInfo
- Publication number
- CN113676318A CN113676318A CN202110801607.XA CN202110801607A CN113676318A CN 113676318 A CN113676318 A CN 113676318A CN 202110801607 A CN202110801607 A CN 202110801607A CN 113676318 A CN113676318 A CN 113676318A
- Authority
- CN
- China
- Prior art keywords
- key
- client
- information
- group
- decryption
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 21
- 230000001360 synchronised effect Effects 0.000 claims abstract description 7
- 230000000977 initiatory effect Effects 0.000 claims abstract description 6
- 238000012545 processing Methods 0.000 claims description 5
- 230000008569 process Effects 0.000 claims description 3
- 230000008859 change Effects 0.000 description 3
- 238000004891 communication Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000005012 migration Effects 0.000 description 1
- 238000013508 migration Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method for encrypting and decrypting an original password without being influenced by key rotation, which comprises the following steps: the client side initializes and sends the client side information and the key information of the current group to the server side; the server side inquires all key information corresponding to the current group, judges whether the latest group version number of the server side is consistent with the group version number of the client side or not, if so, the request is completed, and if not, the latest group full-size key information is synchronized to the client side; when a ciphertext decryption operation request is received, inquiring corresponding key information in a client, if the corresponding key information can be normally inquired, acquiring a key for decryption, and if the corresponding key information can not be inquired, initiating a decryption request to a server; and the server returns the corresponding key information to the client for decryption according to the key parameters, and performs priority sliding operation according to the weight of the decrypted key. By the technical scheme of the invention, successful decryption can still be realized after the keys are alternated, and the data security is ensured.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a method for encrypting and decrypting an original password without being influenced by key rotation.
Background
According to the regulation of the network security level protection system, the key of the information system needs to be replaced regularly or irregularly.
However, conventional key replacement can cause that decryption cannot be completed after key replacement by using past key encrypted data, so that a large amount of data migration work and workload of application modification also exist, unified management and control cannot be effectively achieved, and whether key replacement is completed or not cannot be judged.
Disclosure of Invention
Aiming at the problems, the invention provides a method for encrypting and decrypting the original password without being influenced by key alternation, through the communication between a client and a server, after the key alternation, the key change information of the server is synchronized to the client, so that the ciphertext encrypted by using the key after the key alternation can still be successfully decrypted, and the data security is ensured.
In order to achieve the above object, the present invention provides a method for encryption and decryption without affecting the original password by key rotation, which comprises: the client initializes when receiving the encryption and decryption request, and sends the client information and the key information of the current group to the server; the server side inquires all key information corresponding to the current group, judges whether the latest group version number of the server side is consistent with the group version number of the client side or not according to the key information, if so, returns the request, and if not, synchronizes the latest group of the whole key information in the server side to the client side; when the client receives a ciphertext decryption operation request, inquiring corresponding key information in the client according to a ciphertext, if the corresponding key information can be normally inquired, directly acquiring a key for decryption processing, and if the corresponding key information can not be inquired, initiating a decryption request to the server; and the server returns the corresponding key information to the client for decryption according to the key parameter in the decryption request, and performs priority sliding operation according to the weight of the decrypted key.
In the above technical solution, preferably, the client starts a heartbeat during initialization, and the consistency determination between the group version number in the key information and the latest group version number of the server is realized in the heartbeat.
In the above technical solution, preferably, the key information sent by the client to the server in the initialization process includes a group name and a group version number, and the group version number is formed by superimposing version numbers of all keys in a current group.
In the foregoing technical solution, preferably, the specific operation of the server querying all key information corresponding to the current group and determining whether the latest group version number of the server is consistent with the group version number of the client according to the key information includes:
the server side inquires all key information corresponding to the current group name in a cache according to the group name in the key information sent by the client side; overlapping the version numbers of all the inquired keys to form a latest group version number; and comparing the latest group version number with the group version number in the key information sent by the client, and judging whether the latest group version number is consistent with the group version number in the key information sent by the client.
In the above technical solution, preferably, the full amount of key information includes a group name, Hash information and a key ID, the Hash information is a key formed by combining the key ID and a corresponding key version, and the key ID is a key corresponding to a current latest version.
In the above technical solution, preferably, when the client receives a ciphertext decryption operation request, the client analyzes, according to the ciphertext, the full amount of key information synchronized by the server in the client; and if the Hash information corresponding to the ciphertext can be inquired in the full secret key information, carrying out decryption processing by using the secret key of the Hash information, and if the corresponding Hash information cannot be inquired, initiating a decryption request to the server side according to the corresponding client side information, the group name and the Hash information.
In the above technical solution, preferably, the server is provided with a key weight sliding table, which includes a key identifier, and a key version, a key value, Hash information, a weight and a sliding time of a corresponding key, and the key weight sliding table is used for adjusting the use frequency of keys of different versions according to the weight and the sliding time of the key.
In the foregoing technical solution, preferably, the performing a priority sliding operation on the weight of the key after decryption specifically includes: setting the priority of the weight of the decrypted key as the lowest level, and increasing the priority of the weight of the rest keys under the same key identification by one level.
Compared with the prior art, the invention has the beneficial effects that: through the communication between the client and the server, after the key alternation, the key change information of the server is synchronized to the client, so that the ciphertext encrypted by using the key after the key alternation can still be successfully decrypted, and the data security is ensured.
Drawings
Fig. 1 is a schematic flowchart of a method for encryption and decryption of an original password without being affected by key rotation according to an embodiment of the present invention;
fig. 2 is a schematic diagram of an application deployment architecture of a method for encryption and decryption of an original password without being affected by key rotation according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a key version sliding manner disclosed in an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
The invention is described in further detail below with reference to the attached drawing figures:
as shown in fig. 1 and fig. 2, a method for key rotation without affecting encryption and decryption of an original password provided by the present invention includes:
the client initializes when receiving the encryption and decryption request, and sends the client information and the key information of the current group to the server;
the server side inquires all key information corresponding to the current group, judges whether the latest group version number of the server side is consistent with the group version number of the client side or not according to the key information, if so, returns the request, and if not, synchronizes the whole key information of the latest group in the server side to the client side;
when a client receives a ciphertext decryption operation request, inquiring corresponding key information in the client according to a ciphertext, if the client can normally inquire the key information, directly acquiring the key for decryption, and if the client cannot inquire the key information, initiating a decryption request to a server;
and the server returns the corresponding key information to the client for decryption according to the key parameter in the decryption request, and performs priority sliding operation according to the weight of the decrypted key.
In the embodiment, through the communication between the client and the server, after the key rotation, the key change information of the server is synchronized to the client, so that the ciphertext encrypted by using the key after the key rotation can still be successfully decrypted, and the data security is ensured.
Specifically, the method provides the key exchange capability, the default is closed, whether the key is opened or not is set by a user, a rotation period can be set after the key is opened, the key exchange is managed by a key management system and is transparent to the upper part, the old ciphertext encrypted by using the key after the key exchange can still be decrypted, and the new encryption is processed by using a new key.
The key identification is the unique id of the key, is the identification used by the client for encryption, and the advantage of using the key id instead of the key is to prevent the data from being decrypted after the leakage of the ciphertext and the leakage of the algorithm.
After the key is rotated (manually or automatically), the version number of the key is self-increased.
The group version number is formed by the superposition of the version numbers of all keys under the group to which the key belongs.
In the above embodiment, preferably, the client starts a heartbeat during initialization, and the consistency determination between the group version number in the key information and the latest group version number of the server is realized in the heartbeat.
In the above embodiment, preferably, during initialization, information such as the client id (appid), the Group name (Group), and the Group version number (GroupVersion) is sent to the server. The specific operation that the server side inquires all the key information corresponding to the current group and judges whether the latest group version number of the server side is consistent with the group version number of the client side according to the key information comprises the following steps:
the server side inquires all key information corresponding to the current group name in the cache according to the group name in the key information sent by the client side;
overlapping the version numbers of all the inquired keys to form a latest group version number;
the latest Group version number (GroupVersion) of the current Group (Group) is compared with the Group version number (GroupVersion) in the key information sent from the client, and whether the latest Group version number (GroupVersion) is consistent or not is judged.
And (3) analyzing comparison results:
if the comparison is consistent, the request is completed, and if the comparison is inconsistent, the full amount of key information under the latest group of the current server is returned to the client.
Preferably, the full amount of key information includes a group name, Hash information and a key ID, the Hash information is a key formed by combining the key ID and a corresponding key version, and the key ID is a key corresponding to a current latest version. Specifically, the information structure of the full size key information is shown in the following table:
in the above embodiment, preferably, when the client receives the ciphertext decryption operation request, the client queries the corresponding key information synchronized by the server in accordance with the ciphertext;
if the Hash information corresponding to the ciphertext can be inquired in the key information, decryption processing is directly carried out by using the key of the Hash information, and if the corresponding Hash information cannot be inquired, a decryption request is sent to the server side according to the corresponding client side information APPID, the Group name Group and the Hash information.
In the foregoing embodiment, preferably, the server is provided with a key weight sliding table, where the key weight sliding table includes a key identifier, a key version corresponding to the key, a key value, Hash information, a weight, sliding time, and the like, and the key weight sliding table is used to implement adjustment of use frequencies of keys of different versions according to the weight and the sliding time of the key.
Preferably, the key weight sliding table is as follows:
in the foregoing embodiment, preferably, the performing a priority sliding operation on the weight of the key after decryption specifically includes:
setting the priority of the weight of the decrypted key as the lowest level, and increasing the priority of the weight of the rest keys under the same key identification by one level.
Specifically, as shown in the above table, the same key identifier corresponds to different key versions and key values, the ordering default 1 is set to start, the sequence increases, the larger the number is, the higher the corresponding weight is, when a certain key is decrypted by the client at a certain time, the ordering field (weight) of the corresponding current key is set to 1, the ordering numbers (weights) of other keys under the key identifier are all operated by increasing 1, the priority sliding operation of all key versions under the same key identifier is realized, and the top-setting operation is completed, as shown in fig. 3.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes will occur to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (8)
1. A method for encryption and decryption without influencing the original password by key rotation is characterized by comprising the following steps:
the client initializes when receiving the encryption and decryption request, and sends the client information and the key information of the current group to the server;
the server side inquires all key information corresponding to the current group, judges whether the latest group version number of the server side is consistent with the group version number of the client side or not according to the key information, if so, returns the request, and if not, synchronizes the latest group of the whole key information in the server side to the client side;
when the client receives a ciphertext decryption operation request, inquiring corresponding key information in the client according to a ciphertext, if the corresponding key information can be normally inquired, directly acquiring a key for decryption processing, and if the corresponding key information can not be inquired, initiating a decryption request to the server;
and the server returns the corresponding key information to the client for decryption according to the key parameter in the decryption request, and performs priority sliding operation according to the weight of the decrypted key.
2. The method of claim 1, wherein the client starts a heartbeat during initialization, and the consistency between the group version number in the key information and the latest group version number of the server is determined in the heartbeat.
3. The method according to claim 1 or 2, wherein the key information sent by the client to the server in the initialization process includes a group name and a group version number, and the group version number is formed by superimposing version numbers of all keys in a current group.
4. The method of claim 3, wherein the specific operation of the server querying all key information corresponding to a current group and determining whether a latest group version number of the server is consistent with a group version number of the client according to the key information comprises:
the server side inquires all key information corresponding to the current group name in a cache according to the group name in the key information sent by the client side;
overlapping the version numbers of all the inquired keys to form a latest group version number;
and comparing the latest group version number with the group version number in the key information sent by the client, and judging whether the latest group version number is consistent with the group version number in the key information sent by the client.
5. The method of claim 1, wherein the full secret key information includes a group name, Hash information and a secret key ID, the Hash information is a secret key formed by combining the secret key ID and a corresponding secret key version, and the secret key ID is a secret key corresponding to a current latest version.
6. The method of claim 5, wherein when the client receives a ciphertext decryption operation request, the client analyzes the full amount of key information synchronized by the server in the client according to the ciphertext;
and if the Hash information corresponding to the ciphertext can be inquired in the full secret key information, carrying out decryption processing by using the secret key of the Hash information, and if the corresponding Hash information cannot be inquired, initiating a decryption request to the server side according to the corresponding client side information, the group name and the Hash information.
7. The method for encryption and decryption of an original password not affected by key rotation according to claim 1, wherein the server is provided with a key weight sliding table, which comprises a key identifier, a key version of a corresponding key, a key value, Hash information, a weight and sliding time, and the key weight sliding table is used for adjusting the use frequency of keys of different versions according to the weight and the sliding time of the key.
8. The method according to claim 7, wherein the performing the priority sliding operation on the weight of the key after the decryption process specifically includes:
setting the priority of the weight of the decrypted key as the lowest level, and increasing the priority of the weight of the rest keys under the same key identification by one level.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110801607.XA CN113676318B (en) | 2021-07-15 | 2021-07-15 | Method for key rotation without affecting original cipher encryption and decryption |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110801607.XA CN113676318B (en) | 2021-07-15 | 2021-07-15 | Method for key rotation without affecting original cipher encryption and decryption |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113676318A true CN113676318A (en) | 2021-11-19 |
CN113676318B CN113676318B (en) | 2024-02-27 |
Family
ID=78539226
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110801607.XA Active CN113676318B (en) | 2021-07-15 | 2021-07-15 | Method for key rotation without affecting original cipher encryption and decryption |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113676318B (en) |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050018853A1 (en) * | 2003-04-08 | 2005-01-27 | Antonio Lain | Cryptographic key update management method and apparatus |
CN107276967A (en) * | 2016-04-07 | 2017-10-20 | 北京京东尚科信息技术有限公司 | A kind of distributed system and its login validation method |
CN109474423A (en) * | 2018-12-10 | 2019-03-15 | 平安科技(深圳)有限公司 | Data encryption/decryption method, server and storage medium |
US20190158281A1 (en) * | 2017-11-20 | 2019-05-23 | Rubrik, Inc. | Managing key encryption keys using a key wrapping tree |
CN110120869A (en) * | 2019-03-27 | 2019-08-13 | 上海隔镜信息科技有限公司 | Key management system and cipher key service node |
US20190377809A1 (en) * | 2018-06-11 | 2019-12-12 | International Business Machines Corporation | Resolving versions in an append-only large-scale data store in distributed data management systems |
CN111818032A (en) * | 2020-06-30 | 2020-10-23 | 腾讯科技(深圳)有限公司 | Data processing method and device based on cloud platform and computer program |
CN112149146A (en) * | 2019-06-27 | 2020-12-29 | 英特尔公司 | Deterministic encryption key rotation |
CN112199704A (en) * | 2020-10-22 | 2021-01-08 | 福建天晴数码有限公司 | Method for dynamically encrypting and decrypting web data based on server |
CN112800439A (en) * | 2020-12-02 | 2021-05-14 | 中国电子科技集团公司第三十研究所 | Key management protocol design method and system for secure storage |
-
2021
- 2021-07-15 CN CN202110801607.XA patent/CN113676318B/en active Active
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050018853A1 (en) * | 2003-04-08 | 2005-01-27 | Antonio Lain | Cryptographic key update management method and apparatus |
CN107276967A (en) * | 2016-04-07 | 2017-10-20 | 北京京东尚科信息技术有限公司 | A kind of distributed system and its login validation method |
US20190158281A1 (en) * | 2017-11-20 | 2019-05-23 | Rubrik, Inc. | Managing key encryption keys using a key wrapping tree |
US20190377809A1 (en) * | 2018-06-11 | 2019-12-12 | International Business Machines Corporation | Resolving versions in an append-only large-scale data store in distributed data management systems |
CN109474423A (en) * | 2018-12-10 | 2019-03-15 | 平安科技(深圳)有限公司 | Data encryption/decryption method, server and storage medium |
CN110120869A (en) * | 2019-03-27 | 2019-08-13 | 上海隔镜信息科技有限公司 | Key management system and cipher key service node |
CN112149146A (en) * | 2019-06-27 | 2020-12-29 | 英特尔公司 | Deterministic encryption key rotation |
CN111818032A (en) * | 2020-06-30 | 2020-10-23 | 腾讯科技(深圳)有限公司 | Data processing method and device based on cloud platform and computer program |
CN112199704A (en) * | 2020-10-22 | 2021-01-08 | 福建天晴数码有限公司 | Method for dynamically encrypting and decrypting web data based on server |
CN112800439A (en) * | 2020-12-02 | 2021-05-14 | 中国电子科技集团公司第三十研究所 | Key management protocol design method and system for secure storage |
Non-Patent Citations (2)
Title |
---|
NOKIA, NOKIA SHANGHAI BELL: "C1-206365 "The impact on UE due to the introduction of Authentication and Key Management for Applications (AKMA)"", 3GPP TSG_CT\\WG1_MM-CC-SM_EX-CN1, no. 1, 8 October 2020 (2020-10-08) * |
范博;杨润垲;黎琳;: "基于SSH的可信信道建立方法研究", 信息网络安全, no. 01, 10 January 2018 (2018-01-10) * |
Also Published As
Publication number | Publication date |
---|---|
CN113676318B (en) | 2024-02-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1659475B1 (en) | Password protection | |
EP1374474B1 (en) | Method and apparatus for cryptographic key storage wherein key servers are authenticated by possession and secure distribution of stored keys | |
US6947556B1 (en) | Secure data storage and retrieval with key management and user authentication | |
CA2913444C (en) | System and method for user authentication | |
US20070016777A1 (en) | Method of and system for biometric-based access to secure resources with dual authentication | |
US20030028653A1 (en) | Method and system for providing access to computer resources | |
KR20080041220A (en) | Distributed single sign-on service | |
RU2004133759A (en) | INITIALIZING, MAINTAINING, UPDATING, AND RESTORING THE PROTECTED MODE OF THE INTEGRATED SYSTEM USING THE DATA ACCESS MANAGEMENT FUNCTION | |
US20060106803A1 (en) | Information management system, an information processor, and an information management method | |
CA2540590C (en) | System and method for secure access | |
CN107426223B (en) | Cloud document encryption and decryption method, cloud document encryption and decryption device and cloud document processing system | |
US11321471B2 (en) | Encrypted storage of data | |
CN113051540B (en) | Application program interface safety grading treatment method | |
JPH08320847A (en) | Password management system | |
CN111884986A (en) | Data encryption processing method and device | |
CN112039922B (en) | Encryption communication method and device | |
CN112507325A (en) | Method, device, equipment and storage medium for managing equipment access authority | |
CN110602132A (en) | Data encryption and decryption processing method | |
CN112199704B (en) | Method for dynamically encrypting and decrypting web data based on server | |
US20060112283A1 (en) | Encrypting a credential store with a lockbox | |
CN113676318B (en) | Method for key rotation without affecting original cipher encryption and decryption | |
WO2005091148A1 (en) | Storing of encrypted data in the memory of a portable electronic device | |
CN114157470B (en) | Token management method and device | |
CN111010397B (en) | Database password modification method and device | |
WO2018051236A1 (en) | Protection of authentication tokens |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |