CN113824555B - Key processing method and device - Google Patents

Key processing method and device

Info

Publication number
CN113824555B
Authority
CN
China
Prior art keywords
key
authentication information
management system
account authentication
cipher
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111070131.3A
Other languages
Chinese (zh)
Other versions
CN113824555A (en)
Inventor
郭刚
房宝龙
孙鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yuweng Information Technology Co ltd
Original Assignee
Yuweng Information Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses a key processing method and device. The method comprises the following steps: receiving a key change message sent by a cryptographic machine; determining the account authentication information corresponding to that cryptographic machine, and determining the cryptographic machines registered under the account corresponding to the account authentication information, where the account authentication information is used to log in to a key management system and distribute keys to the plurality of cryptographic machines that are to perform the cryptographic service; and broadcasting the key change message to the registered cryptographic machines. The method and device solve the problem in the related art that, when a plurality of cryptographic machines jointly provide a service for one user, the key synchronization process is complex and keys are easily leaked.

Description

Key processing method and device
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method and an apparatus for processing a key.
Background
In the information age, encrypting information is important, and the information security of individuals, companies and countries is at stake. Information is currently encrypted and decrypted in the following way: a cryptographic machine encrypts the original file with an encryption key to obtain an encrypted file, and the encrypted file is decrypted with a decryption key to recover the file content.
A key management system has been developed in the related art to manage the keys a cryptographic machine needs and to provide cryptographic operation and key modification services to it. The key management system offers key management as a service to the user: when a cryptographic operation must be performed with a key, the key is exported from the key management system to the user's business system, and the business system then sends the key to the cryptographic machine. When a plurality of cryptographic machines jointly provide a service for one user, key synchronization has to be performed through the business system; during synchronization the business system performs many operations unrelated to its business, which consumes its resources and also makes key leakage likely.
No effective solution has yet been proposed for the problem in the related art that the key synchronization process is complicated and key leakage is likely when a plurality of cryptographic machines jointly provide a service for one user.
Disclosure of Invention
The application provides a key processing method and device to solve the problem in the related art that the key synchronization process is complicated and key leakage is likely when a plurality of cryptographic machines jointly provide a service for one user.
According to one aspect of the present application, a key processing method is provided. The method comprises the following steps: receiving a key change message sent by a cryptographic machine; determining the account authentication information corresponding to that cryptographic machine, and determining the cryptographic machines registered under the account corresponding to the account authentication information, where the account authentication information is used to log in to a key management system and distribute keys to the plurality of cryptographic machines that are to perform the cryptographic service; and broadcasting the key change message to the registered cryptographic machines.
Optionally, before determining the account authentication information corresponding to the cryptographic machine and determining the cryptographic machines registered under the corresponding account, the method further includes: creating a plurality of account authentication information records in the key management system; writing the same account authentication information and the address information of the key management system into a plurality of cryptographic machines that are to perform the cryptographic service; and receiving a registration request sent by a cryptographic machine that is to perform the cryptographic service and registering the address information of that cryptographic machine under the account corresponding to the account authentication information, where the registration request carries the account authentication information.
Optionally, after writing the same account authentication information and the address information of the key management system into the plurality of cryptographic machines that are to perform the cryptographic service, the method further includes: receiving a key download request sent by a cryptographic machine that is to perform the cryptographic service and sending a plurality of keys to it, where the key download request carries the account authentication information and the keys are those associated with the account authentication information.
According to another aspect of the present application, another key processing method is provided, including: a cryptographic machine receives a key change broadcast message sent by the key management system, where the key change broadcast message indicates that a key in a target cryptographic machine has been changed, and the target cryptographic machine and the receiving cryptographic machine are both registered under the account corresponding to the same account authentication information; and the cryptographic machine performs the key change according to the key change broadcast message.
Optionally, before the cryptographic machine receives the key change broadcast message sent by the key management system, the method further includes: receiving the account authentication information and the address information of the key management system, where the account authentication information is used to log in to the key management system so that keys can be distributed to the cryptographic machine; sending a registration request carrying the account authentication information to the key management system; and receiving a registration feedback message from the key management system, which indicates the registration status, under the account corresponding to the account authentication information, of the cryptographic machine that sent the request.
Optionally, after receiving the account authentication information and the address information of the key management system, the method further includes: sending a key download request carrying the account authentication information to the key management system; and receiving the plurality of keys returned by the key management system in response, these being the keys associated with the account authentication information.
Optionally, after receiving the plurality of keys returned by the key management system in response to the key download request, the method further includes: receiving a key operation instruction sent by a client; executing the operation indicated by the instruction; and sending a key change message carrying the account authentication information to the key management system.
According to another aspect of the present application, a key processing system is provided, including: a key management system, which establishes a communication connection with each cryptographic machine by means of the address information and the account authentication information, and sends a key change broadcast message to the registered cryptographic machines corresponding to the account authentication information when a key in one of the cryptographic machines is changed; a plurality of cryptographic machines, which download the plurality of keys corresponding to the account authentication information from the key management system once the communication connection is established, and which send a key change message to the key management system when a key change occurs; and a client, which sends cryptographic operation instructions to the plurality of cryptographic machines, receives the data they return when executing those instructions, and issues a key change instruction to a target cryptographic machine among them, where a cryptographic operation instruction is an encryption instruction or a decryption instruction.
According to another aspect of the present application, a key processing apparatus is provided, comprising: a first receiving unit, for receiving the key change message sent by a cryptographic machine; a first determining unit, for determining the account authentication information corresponding to that cryptographic machine and determining the cryptographic machines registered under the corresponding account, where the account authentication information is used to log in to the key management system and distribute keys to the plurality of cryptographic machines that are to perform the cryptographic service; and a first transmitting unit, for broadcasting the key change message to the registered cryptographic machines.
According to another aspect of the present application, another key processing apparatus is provided, comprising: a fourth receiving unit, for receiving at the cryptographic machine a key change broadcast message sent by the key management system, where the key change broadcast message indicates that a key in a target cryptographic machine has been changed, and the target cryptographic machine and this cryptographic machine are both registered under the account corresponding to the same account authentication information; and a changing unit, for performing the key change according to the key change broadcast message.
Through the application, the following steps are adopted: receiving a key change message sent by a cryptographic machine; determining the account authentication information corresponding to that cryptographic machine, and determining the cryptographic machines registered under the account corresponding to the account authentication information, where the account authentication information is used to log in to the key management system and distribute keys to the plurality of cryptographic machines that are to perform the cryptographic service; and broadcasting the key change message to the registered cryptographic machines. This solves the problem in the related art that the key synchronization process is complicated and key leakage is likely when a plurality of cryptographic machines jointly provide a service for one user. By associating the cryptographic machines with one another through the account authentication information, key synchronization becomes more efficient and the risk of key leakage is reduced when a plurality of cryptographic machines jointly provide a service for one user.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application, illustrate and explain the application and are not to be construed as limiting the application. In the drawings:
FIG. 1 is a flow chart of a key processing method provided according to an embodiment of the present application;
fig. 2 is a schematic diagram corresponding to an alternative key changing method according to an embodiment of the present application;
FIG. 3 is a flow chart of another key processing method provided in accordance with an embodiment of the present application;
FIG. 4 is a schematic diagram of a key processing system provided in accordance with an embodiment of the present application;
fig. 5 is a schematic diagram of a key processing device according to an embodiment of the present application;
fig. 6 is a schematic diagram of another key processing device according to an embodiment of the present application.
Detailed Description
It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate in order to describe the embodiments of the present application described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an embodiment of the present application, a key processing method is provided. Fig. 1 is a flowchart of a key processing method according to an embodiment of the present application. As shown in fig. 1, the method comprises the steps of:
step S101, a key change message sent by the cryptographic engine is received.
Specifically, after the cryptographic machine receives a key change instruction from the client, it updates its key table and sends a key change message to the key management system. For example, on receiving a key deletion instruction it deletes the key and sends a message indicating the deletion to the key management system; on receiving a key import instruction it imports the key and sends a message indicating the import of the new key to the key management system.
Step S102, determining the account authentication information corresponding to the cryptographic machine, and determining the cryptographic machines registered under the account corresponding to the account authentication information, where the account authentication information is used to log in to the key management system and distribute keys to the plurality of cryptographic machines that are to perform the cryptographic service.
It should be noted that the account authentication information may be authentication information that a user applies for from the key management system, for example an account name and a password. A plurality of cryptographic machines may be registered under the account corresponding to the account authentication information, and after the user logs in to the key management system with the account authentication information, the user can manage the keys of the cryptographic machines registered under that account. The other registered cryptographic machines can be queried through the account authentication information.
Specifically, the account authentication information corresponding to the cryptographic machine may be carried in the key change message; after the key management system receives the key change message from the cryptographic machine, it determines the corresponding account authentication information and can then query the other cryptographic machines registered under the corresponding account.
Step S103, broadcasting a key change message to the registered cryptographic machine.
Specifically, the key management system broadcasts the key change message to the other cryptographic machines registered under the corresponding account, and each cryptographic machine that receives it can perform the key change, so that the keys of all cryptographic machines registered under that account are kept synchronized.
The key processing method provided by the embodiment of the application comprises the following steps: receiving a key change message sent by a cryptographic machine; determining the account authentication information corresponding to that cryptographic machine, and determining the cryptographic machines registered under the account corresponding to the account authentication information, where the account authentication information is used to log in to the key management system and distribute keys to the plurality of cryptographic machines that are to perform the cryptographic service; and broadcasting the key change message to the registered cryptographic machines. This solves the problem in the related art that the key synchronization process is complicated and key leakage is likely when a plurality of cryptographic machines jointly provide a service for one user. By associating the cryptographic machines with one another through the account authentication information, key synchronization becomes more efficient and the risk of key leakage is reduced when a plurality of cryptographic machines jointly provide a service for one user.
In order to register the cryptographic machine under the account corresponding to the account authentication information, optionally, in the key processing method provided in the embodiment of the present application, before determining the account authentication information corresponding to the cryptographic machine and determining the cryptographic machines registered under the corresponding account, the method further includes: creating a plurality of account authentication information records in the key management system; writing the same account authentication information and the address information of the key management system into a plurality of cryptographic machines that are to perform the cryptographic service; and receiving a registration request sent by a cryptographic machine that is to perform the cryptographic service and registering the address information of that cryptographic machine under the account corresponding to the account authentication information, where the registration request carries the account authentication information.
It should be noted that the key management system may be a system that stores and issues keys and that can also create account authentication information; a user logs in to the key management system with this information in order to manage the keys of the cryptographic machines that are to perform the cryptographic service. One or more cryptographic machines can be managed under one account. The account itself does not store keys; instead, the account authentication information is associated with key information inside the key management system, so that logging in to the key management system allows the associated keys to be distributed to the cryptographic machines that are to perform the cryptographic service.
Specifically, the account authentication information may be an account name and a password, and the address information of the key management system may be its IP address and port. The account authentication information and the address information are written into each of the plurality of cryptographic machines that are to perform the cryptographic service, so that these cryptographic machines can use the association between the address information and the account authentication information to request the keys corresponding to the account authentication information from the key management system.
Further, after a cryptographic machine that is to perform the cryptographic task has received the account authentication information and the address information of the key management system, it may send a registration request to the key management system asking to be registered under the account corresponding to the account authentication information. The registration request may include system information of the cryptographic machine, for example its IP address and port, and may also include the account authentication information, whose corresponding account was created in the key management system. The address information of the cryptographic machine is thereby registered under that account, establishing in the key management system the association between the account authentication information and the plurality of cryptographic machines.
It should be noted that the key management system may use a device whitelist mechanism: it stores a whitelist of cryptographic machines, to which the serial number and IP address of a cryptographic machine can be added, and a cryptographic machine that is not on the whitelist is not allowed to register even if it sends a registration request carrying valid account authentication information. This protects the key management system. Since the same account authentication information is written into every cryptographic machine under an account, the whitelist is what prevents a device that merely obtains those credentials from registering itself and receiving the account's keys and key change broadcasts.
In order to make it more efficient for the cryptographic machine to obtain keys from the key management system, optionally, in the key processing method provided in the embodiment of the present application, after writing the same account authentication information and the address information of the key management system into the plurality of cryptographic machines that are to perform the cryptographic service, the method further includes: receiving a key download request sent by a cryptographic machine that is to perform the cryptographic service and sending a plurality of keys to it, where the key download request carries the account authentication information and the keys are those associated with the account authentication information.
Specifically, after acquiring the account authentication information and the address information of the key management system, the cryptographic machine can send a key download request to the key management system, and the keys are downloaded over a secure transmission channel established between the cryptographic machine and the key management system. The downloaded keys are the plurality of keys associated with the account authentication information stored in the key management system. The secure channel may be an SSL (Secure Sockets Layer) tunnel, or in current deployments its successor TLS, which reduces the risk of leakage while the keys are in transit.
Optionally, the present embodiment provides a key changing method, and fig. 2 is a schematic diagram corresponding to the key changing method provided in the embodiment of the present application, where fig. 2 shows:
the key changing method is applied to a key processing system, and the key processing system comprises a business system, a target cipher machine, a plurality of cipher machines and a key management system. The target cipher machine receives the key changing instruction, then makes corresponding key change, and uploads the key change information to the key management system. The key management system finds other multiple cipher machines corresponding to the account authentication information by searching the account authentication information corresponding to the target cipher machine, and sends a key change instruction by broadcasting, and the other multiple cipher machines can execute corresponding key change operation after receiving the key change instruction to complete key change.
According to an embodiment of the present application, another key processing method is provided. Fig. 3 is a flowchart of another key processing method provided according to an embodiment of the present application. As shown in fig. 3, the method comprises the steps of:
In step S301, the cryptographic machine receives a key change broadcast message sent by the key management system, where the key change broadcast message indicates that a key in a target cryptographic machine has been changed, and the target cryptographic machine and this cryptographic machine are both registered under the account corresponding to the same account authentication information.
Step S302, performing key change according to the key change broadcast message.
Specifically, after the target cryptographic machine executes the key change operation, a key change message is generated, and after the key change message is sent to the key management system, the key management system reads information of other registered cryptographic machines under the account authentication information corresponding to the target cryptographic machine, and sends a key change broadcast to the other cryptographic machines, wherein the key change broadcast is used for indicating the other cryptographic machines to perform the key change operation recorded in the broadcast.
Further, after the cipher machine receives the key change broadcast sent by the key management system, the cipher machine performs key change according to the broadcast content, so that the key synchronization with the target cipher machine is realized.
The key processing method provided by the embodiment of the application comprises the following steps: the method comprises the steps that a cipher machine receives a key change broadcast message sent by a key management system, wherein the key change broadcast message is used for indicating that a key in a target cipher machine is changed, and the target cipher machine and the cipher machine are registered cipher machines under corresponding accounts of the same account authentication information; the key change is performed according to the key change broadcast message. The association between the cipher machine and the cipher machine is established through the account authentication information, so that the effects of improving the key synchronization efficiency and reducing the key leakage risk are achieved when a plurality of cipher machines jointly provide service for one user.
In order to register the cryptographic engine under the account corresponding to the account authentication information, optionally, in the key processing method provided in the embodiment of the present application, before the cryptographic engine receives the key change broadcast message sent by the key management system, the method further includes: receiving account authentication information and address information of a key management system, wherein the account authentication information is used for logging in the key management system to distribute keys to the cipher machine; sending a registration request to a key management system, wherein the registration request carries account authentication information; and receiving a registration feedback message sent by the key management system, wherein the registration feedback message is used for indicating the registration condition of the cipher machine under an account corresponding to the account authentication information, and the cipher machine is the cipher machine sending the registration request.
It should be noted that, the account authentication information may be authentication information issued by the key management system after the user applies to the key management system, where the account authentication information corresponds to one or more keys in the key management system. After the cipher machine receives the address information and account authentication information of the key management system, the account authentication information can be associated with the key management system, so that the cipher machine registers itself under an account corresponding to the account authentication information through the key management system.
Specifically, after the cryptographic machine receives address information and account authentication information of the key management system, a registration request is sent to the key management system, where the registration request may include system information of the cryptographic machine, for example: the system information of the cipher machine is stored under an account corresponding to the account authentication information in the key management system.
Further, after the key management system stores the system information of the cipher machine into the account corresponding to the account authentication information in the key management system, the key management system can feed back the registration condition of the cipher machine to the cipher machine, and registration of the cipher machine is completed at this time, so that association among the key management system, the account authentication information and the cipher machine is realized.
In order to improve the efficiency of the cryptographic engine in acquiring the key from the key management system, optionally, in the key processing method provided in the embodiment of the present application, after receiving the account authentication information and the address information of the key management system, the method further includes: sending a key downloading request to a key management system, wherein the key downloading request carries account authentication information; and receiving a plurality of keys returned by the key management system in response to the key downloading request, wherein the plurality of keys are a plurality of keys associated with the account authentication information.
After the cryptographic engine obtains the account authentication information and the address information of the key management system, the cryptographic engine may send a key download request to the key management system, where the download request includes the account authentication information associated with the key management system, so as to obtain one or more keys corresponding to the account authentication information from the key management system.
Specifically, after the cryptographic engine sends the key download request to the key management system, it may acquire one or more keys corresponding to the account authentication information from the key management system through a secure transmission channel established between the cryptographic engine and the key management system, for example an SSL tunnel, and then perform the corresponding cryptographic operations with the downloaded keys.
Optionally, in the key processing method provided in the embodiment of the present application, after receiving a plurality of keys returned by the key management system in response to the key download request, the method further includes: receiving a key operation instruction sent by a client; executing the content indicated by the key operation instruction, and sending a key change message to the key management system, wherein the key change message carries account authentication information.
It should be noted that the client may belong to the service system operated by the user. After the cryptographic engine has received and stored the plurality of keys sent by the key management system, it may execute a key change in response to a key operation instruction from the client, where the operation indicated by the key operation instruction may be key generation, change or deletion.
Specifically, after receiving a key operation instruction sent by the client, the cryptographic machine executes the key operation and, once execution is complete, sends a key change message to the key management system, so that the key management system learns the updated state of the key table and can synchronize the keys of the other cryptographic machines under the same account.
According to an embodiment of the present application, a key processing system is provided. Fig. 4 is a schematic diagram of a key processing system according to an embodiment of the present application. As shown in fig. 4, the system includes:
the key management system 401 is configured to establish a communication connection with a cryptographic engine through address information and account authentication information, and send a key change broadcast message to a registered cryptographic engine corresponding to the account authentication information when a key change occurs in the cryptographic engine.
Specifically, the address information may be the connection information of the key management system, such as its IP address and port. The account authentication information may be authentication information allocated to different users by the key management system, and is used to associate a user with the keys allocated to that user in the key management system. The communication connection may be made through a secure transmission channel established between the cryptographic engine and the key management system, for example an SSL tunnel. After the cryptographic engine is communicatively coupled to the key management system, it may download the keys associated with the account authentication information from the key management system to local storage.
When a key change occurs on a cipher machine, the cipher machine may also send the change information to the key management system, and the key management system sends the key change information to the other cipher machines by broadcast, where the other cipher machines are those registered under the account authentication information corresponding to the cipher machine.
The plurality of cryptographic engines 402 are configured to download a plurality of keys corresponding to account authentication information from the key management system when a communication connection is established with the key management system, and to send a key change message to the key management system when a key change occurs.
Specifically, the plurality of keys may be the keys corresponding to the account authentication information stored in the key management system; the crypto-engine may acquire these keys through the connection channel and use them to execute encryption or decryption instructions sent by the client. When a key change instruction is received on a certain cipher machine, the key change information can be sent to the key management system after the key change is executed, so that the key management system can make the other cipher machines change the corresponding keys by broadcast.
The client 403 is configured to send a cryptographic operation instruction to a plurality of cryptographic machines, receive data returned by the cryptographic operation instruction executed by the cryptographic machines, and send a key change message to a target cryptographic machine in the cryptographic machines, where the cryptographic operation instruction is an encryption instruction or a decryption instruction.
Specifically, the client may be a client corresponding to a service system operated by a user, and the user may send a cryptographic operation instruction, such as file encryption or decryption, to the cryptographic engine through the client, where the cryptographic engine returns the encrypted or decrypted file after performing the instructed operation.
The key processing system provided by the embodiment of the application comprises: the key management system 401, configured to establish a communication connection with a cryptographic machine through address information and account authentication information, and to send a key change broadcast message to a registered cryptographic machine corresponding to the account authentication information when a key change occurs in the cryptographic machine; a plurality of cryptographic machines 402, for downloading a plurality of keys corresponding to the account authentication information from the key management system when a communication connection is established with the key management system, and for transmitting a key change message to the key management system when a key change occurs; and the client 403, configured to send a cryptographic operation instruction to the plurality of cryptographic machines, receive the data returned by the cryptographic machines after executing the cryptographic operation instruction, and send a key change message to a target cryptographic machine among the cryptographic machines, where the cryptographic operation instruction is an encryption instruction or a decryption instruction. The system solves the problems in the related art that the key synchronization process is complicated and key leakage is easy to cause when a plurality of cipher machines are used to provide service for one user. The association between the cipher machines is established through the account authentication information, so that the effects of improving the key synchronization efficiency and reducing the key leakage risk are achieved when a plurality of cipher machines jointly provide service for one user.
The user can also perform key change operation through the client, send a key change instruction to the target cipher machine, and realize the key change instruction operation of the cipher machine in a mode of broadcasting through the key management system, wherein the target cipher machine can be any one cipher machine in a plurality of cipher machines corresponding to the account authentication information.
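As an added illustration that is not part of the patent text, the following Python simulation models the flow described above (and in the method steps earlier): a cipher machine is provisioned with the key management system address and account authentication information, registers, downloads the account's keys, applies a client key operation, and reports a key change that the key management system broadcasts only to the other machines registered under the same account. All class, method and token names are hypothetical, the SSL tunnel and wire format are assumed away (messages are in-process method calls), and the sample keys and tokens are constructed.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KeyChange:
    """Key change message; it carries the account authentication information."""
    account_token: str            # account authentication information
    op: str                       # "generate", "change" or "delete"
    key_id: str
    key_value: Optional[bytes]    # None when op == "delete"


def _apply(table: dict[str, bytes], change: KeyChange) -> None:
    """Apply one key operation to a key table (used by the KMS and by machines)."""
    if change.op == "delete":
        table.pop(change.key_id, None)
    elif change.op in ("generate", "change"):
        table[change.key_id] = change.key_value
    else:
        raise ValueError(f"unknown key operation {change.op!r}")


class KeyManagementSystem:
    """Keeps one key table per account and the cipher machines registered under it."""

    def __init__(self) -> None:
        self._keys: dict[str, dict[str, bytes]] = {}            # token -> key table
        self._registered: dict[str, list[CipherMachine]] = {}   # token -> machines

    def create_account(self, keys: dict[str, bytes]) -> str:
        """Issue account authentication information (here a random token) for a user."""
        token = secrets.token_hex(16)
        self._keys[token] = dict(keys)
        self._registered[token] = []
        return token

    def register(self, machine: CipherMachine, token: str) -> bool:
        """Registration request; the returned bool is the registration feedback."""
        if token not in self._keys:
            return False                       # unknown account: refuse
        if machine not in self._registered[token]:
            self._registered[token].append(machine)
        return True

    def download_keys(self, machine: CipherMachine, token: str) -> dict[str, bytes]:
        """Key download request: only a machine registered under the account gets keys."""
        if machine not in self._registered.get(token, []):
            raise PermissionError("not registered under this account")
        return dict(self._keys[token])

    def on_key_change(self, sender: CipherMachine, change: KeyChange) -> int:
        """Update the account key table, then broadcast the change to the other
        machines registered under the same account. Returns the fan-out count."""
        peers = self._registered.get(change.account_token, [])
        if sender not in peers:
            raise PermissionError("sender not registered under this account")
        _apply(self._keys[change.account_token], change)
        delivered = 0
        for peer in peers:
            if peer is not sender:          # the sender already applied it
                peer.on_key_change_broadcast(change)
                delivered += 1
        return delivered


class CipherMachine:
    def __init__(self, name: str) -> None:
        self.name = name
        self.kms: Optional[KeyManagementSystem] = None
        self.token: Optional[str] = None
        self.keys: dict[str, bytes] = {}

    def provision(self, kms: KeyManagementSystem, token: str) -> bool:
        """Receive the KMS address (here: the object) and account authentication
        information, register, and download the account's keys on success."""
        self.kms, self.token = kms, token
        if not kms.register(self, token):
            return False
        self.keys = kms.download_keys(self, token)
        return True

    def handle_key_operation(self, op: str, key_id: str,
                             key_value: Optional[bytes] = None) -> int:
        """Key operation instruction from the client: apply it locally, then send
        the key change message (with the account authentication info) to the KMS."""
        change = KeyChange(self.token, op, key_id, key_value)
        _apply(self.keys, change)
        return self.kms.on_key_change(self, change)

    def on_key_change_broadcast(self, change: KeyChange) -> None:
        """Key change broadcast from the KMS; ignore anything for another account."""
        if change.account_token == self.token:
            _apply(self.keys, change)


def demo() -> dict:
    """Two machines under account A, one under account B, one with a bogus token."""
    kms = KeyManagementSystem()
    tok_a = kms.create_account({"k1": b"\x01" * 16})      # constructed sample keys
    tok_b = kms.create_account({"k9": b"\x09" * 16})
    a1, a2, b1 = CipherMachine("a1"), CipherMachine("a2"), CipherMachine("b1")
    ok = [a1.provision(kms, tok_a), a2.provision(kms, tok_a), b1.provision(kms, tok_b)]
    rogue_ok = CipherMachine("rogue").provision(kms, "bogus-account-token")
    fanout = a1.handle_key_operation("generate", "k2", b"\x02" * 16)
    a2.handle_key_operation("delete", "k1")                # broadcast back to a1
    return {"provisioned": ok, "rogue_ok": rogue_ok, "fanout": fanout,
            "a1": a1.keys, "a2": a2.keys, "b1": b1.keys}


if __name__ == "__main__":
    print(demo())
```

After the run, the two machines under account A hold identical key tables while the machine under account B is untouched, and a machine presenting unknown account authentication information is refused registration and so never receives keys or broadcasts.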
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
The embodiment of the application also provides a key processing device, and the key processing device of the embodiment of the application can be used for executing the key processing method provided by the embodiment of the application. The key processing apparatus provided in the embodiment of the present application is described below.
Fig. 5 is a schematic diagram of a key processing device according to an embodiment of the present application. As shown in fig. 5, the apparatus includes: a first receiving unit 501, a first determining unit 502, and a first transmitting unit 503.
Specifically, the first receiving unit 501 is configured to receive a key change message sent by the crypto-engine.
The first determining unit 502 is configured to determine account authentication information corresponding to a cryptographic engine, and determine a cryptographic engine that is registered under an account corresponding to the account authentication information, where a key management system is logged in through the account authentication information to distribute keys to a plurality of cryptographic engines that are to execute a cryptographic service.
A first sending unit 503, configured to broadcast a key change message to a registered cryptographic engine.
The key processing device provided in the embodiment of the present application receives, through the first receiving unit 501, a key change message sent by a cryptographic machine; the first determining unit 502 determines the account authentication information corresponding to the cryptographic machine and determines the registered cryptographic machines under the account corresponding to the account authentication information, where the key management system is logged in through the account authentication information to distribute keys to a plurality of cryptographic machines that are to execute a cryptographic service; the first transmitting unit 503 broadcasts the key change message to the registered cryptographic machines. The device solves the problems in the related art that the key synchronization process is complicated and key leakage is easy to cause when a plurality of cipher machines are used to provide service for one user. The association between the cipher machines is established through the account authentication information, so that the effects of improving the key synchronization efficiency and reducing the key leakage risk are achieved when a plurality of cipher machines jointly provide service for one user.
Optionally, in the key processing device provided in the embodiment of the present application, the device further includes: a first creating unit, used for creating a plurality of account authentication information corresponding to the key management system before determining the account authentication information corresponding to the cipher machine and determining the registered cipher machines under the account corresponding to the account authentication information; a writing unit, used for writing the same account authentication information and the address information of the key management system into a plurality of cipher machines that are to execute the cipher service; and a second receiving unit, used for receiving a registration request sent by a cipher machine that is to execute the cipher service and registering the address information of the cipher machine in the account corresponding to the account authentication information, wherein the registration request carries the account authentication information.
Optionally, in the key processing device provided in the embodiment of the present application, the device further includes: and the third receiving unit is used for receiving a key downloading request sent by the cipher machine of the cipher service to be executed after writing the same account authentication information and address information of the key management system into a plurality of cipher machines of the cipher service to be executed, and sending a plurality of keys to the cipher machines, wherein the key downloading request carries the account authentication information, and the keys are keys associated with the account authentication information.
The key processing device includes a processor and a memory, the first receiving unit 501, the first determining unit 502, the first transmitting unit 503, and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to realize corresponding functions.
The processor includes a kernel, and the kernel fetches the corresponding program unit from the memory. One or more kernels can be provided, and by adjusting kernel parameters the problems in the related art that the key synchronization process is complex and key leakage is easy to cause when a plurality of cipher machines jointly provide service for one user are solved.
The embodiment of the application also provides another key processing device, and it should be noted that the key processing device of the embodiment of the application can be used for executing the key processing method provided by the embodiment of the application. The key processing apparatus provided in the embodiment of the present application is described below.
Fig. 6 is a schematic diagram of another key processing device according to an embodiment of the present application. As shown in fig. 6, the apparatus includes: fourth receiving section 601 and changing section 602.
Specifically, the fourth receiving unit 601 is configured to receive, by using a cryptographic engine, a key change broadcast message sent by a key management system, where the key change broadcast message is used to indicate that a key in a target cryptographic engine is changed, and the target cryptographic engine and the cryptographic engine are registered cryptographic engines under an account corresponding to the same account authentication information.
A changing unit 602, configured to perform key changing according to the key changing broadcast message.
According to the key processing device provided by the embodiment of the application, the fourth receiving unit 601 receives, through the cipher machine, the key change broadcast message sent by the key management system, wherein the key change broadcast message is used for indicating that a key in the target cipher machine has been changed, and the target cipher machine and the cipher machine are registered cipher machines under the account corresponding to the same account authentication information; the changing unit 602 performs the key change according to the key change broadcast message. The device solves the problems in the related art that the key synchronization process is complicated and key leakage is easy to cause when a plurality of cipher machines are used to provide service for one user. The association between the cipher machines is established through the account authentication information, so that the effects of improving the key synchronization efficiency and reducing the key leakage risk are achieved when a plurality of cipher machines jointly provide service for one user.
Optionally, in the key processing device provided in the embodiment of the present application, the device further includes: a fifth receiving unit, configured to receive account authentication information and address information of the key management system before the cryptographic engine receives the key change broadcast message sent by the key management system, where the cryptographic engine is assigned a key by logging in the key management system through the account authentication information; the second sending unit is used for sending a registration request to the key management system, wherein the registration request carries account authentication information; and the sixth receiving unit is used for receiving a registration feedback message sent by the key management system, wherein the registration feedback message is used for indicating the registration condition of the cipher machine under the account corresponding to the account authentication information, and the cipher machine is the cipher machine sending the registration request.
Optionally, in the key processing device provided in the embodiment of the present application, the device further includes: the third sending unit is used for sending a key downloading request to the key management system after receiving the account authentication information and the address information of the key management system, wherein the key downloading request carries the account authentication information; and a seventh receiving unit, configured to receive a plurality of keys returned by the key management system in response to the key download request, where the plurality of keys are a plurality of keys associated with the account authentication information.
Optionally, in the key processing device provided in the embodiment of the present application, the device further includes: an eighth receiving unit, configured to receive a key operation instruction sent by the client after receiving a plurality of keys returned by the key management system in response to the key download request; and the execution unit is used for executing the content indicated by the key operation instruction and sending a key change message to the key management system, wherein the key change message carries account authentication information.
The key processing device includes a processor and a memory, and the fourth receiving unit 601, the changing unit 602, and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to realize corresponding functions.
The processor includes a kernel, and the kernel fetches the corresponding program unit from the memory. One or more kernels can be provided, and by adjusting kernel parameters the problems in the related art that the key synchronization process is complex and key leakage is easy to cause when a plurality of cipher machines jointly provide service for one user are solved.
The memory may include volatile memory, Random Access Memory (RAM), and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM), among other forms of computer readable media, the memory including at least one memory chip.
The embodiment of the application also provides an electronic device, which comprises a processor and a memory; the memory has stored therein computer readable instructions for execution by the processor, wherein the computer readable instructions when executed perform a key processing method. The electronic device herein may be a server, a PC, a PAD, a mobile phone, etc.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or nonvolatile memory, etc., such as Read Only Memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (8)

1. A key processing method, comprising:
receiving a key change message sent by a cipher machine, wherein after the cipher machine receives a key change instruction sent by a client, the cipher machine executes key change and sends the key change message to a key management system, and the key change information indicates operation information on a key;
determining account authentication information corresponding to the cryptographic machine, and determining a registered cryptographic machine under an account corresponding to the account authentication information, wherein a key management system is logged in through the account authentication information to distribute keys to a plurality of cryptographic machines of a cryptographic service to be executed;
broadcasting the key change message to the registered crypto-engine;
before determining the account authentication information corresponding to the cryptographic machine and determining the registered cryptographic machine under the account corresponding to the account authentication information, the method further comprises: creating a plurality of account authentication information corresponding to the key management system; writing the same account authentication information and address information of the key management system into a plurality of cipher machines of the cipher service to be executed; receiving a registration request sent by a cipher machine of a cipher service to be executed, and registering address information of the cipher machine in an account corresponding to the account authentication information, wherein the registration request carries the account authentication information.
2. The method according to claim 1, wherein after writing the same account authentication information and address information of the key management system to a plurality of cryptographic machines of the cryptographic service to be performed, the method further comprises:
and receiving a key downloading request sent by the cipher machine of the cipher service to be executed, and sending a plurality of keys to the cipher machine, wherein the key downloading request carries the account authentication information, and the plurality of keys are keys associated with the account authentication information.
3. A key processing method, comprising:
the method comprises the steps that a cipher machine receives a key change broadcast message sent by a key management system, wherein the key change broadcast message is used for indicating that a key in a target cipher machine is changed, and the target cipher machine and the cipher machine are registered cipher machines under corresponding accounts of the same account authentication information;
executing key change according to the key change broadcast message;
before the cryptographic engine receives the key change broadcast message sent by the key management system, the method further comprises: receiving account authentication information and address information of the key management system, wherein the account authentication information is used for logging in the key management system to distribute keys to the cipher machine; sending a registration request to the key management system, wherein the registration request carries the account authentication information; and receiving a registration feedback message sent by the key management system, wherein the registration feedback message is used for indicating the registration condition of a cipher machine under an account corresponding to the account authentication information, and the cipher machine is the cipher machine sending the registration request.
4. A method according to claim 3, wherein after receiving account authentication information and address information of the key management system, the method further comprises:
sending a key downloading request to the key management system, wherein the key downloading request carries the account authentication information;
and receiving a plurality of keys returned by the key management system in response to the key downloading request, wherein the keys are associated with the account authentication information.
5. The method of claim 4, wherein after receiving a plurality of keys returned by the key management system in response to the key download request, the method further comprises:
receiving a key operation instruction sent by a client;
executing the content indicated by the key operation instruction, and sending a key change message to the key management system, wherein the key change message carries the account authentication information.
6. A key processing system, comprising:
the key management system is used for establishing communication connection with the cipher machine through the address information and the account authentication information, and sending a key change broadcast message to a registered cipher machine corresponding to the account authentication information under the condition that the cipher machine is subjected to key change;
the plurality of cipher machines are used for downloading a plurality of keys corresponding to the account authentication information from the key management system when communication connection is established with the key management system, and also used for sending a key change message to the key management system when key change occurs;
the client is used for sending cryptographic operation instructions to the plurality of cipher machines, receiving data returned by the plurality of cipher machines when executing the cryptographic operation instructions, and issuing a key change message to a target cipher machine in the plurality of cipher machines, wherein the cryptographic operation instructions are encryption instructions or decryption instructions.
7. A key processing apparatus, comprising:
a first receiving unit, configured to receive a key change message sent by a cryptographic machine, the key change message being sent to the key management system after the cryptographic machine has received a key change instruction from the client and performed the key change, wherein the key change message indicates the operation performed on a key;
a first determining unit, configured to determine the account authentication information corresponding to the cryptographic machine and to determine the cryptographic machines registered under the account corresponding to that account authentication information, wherein the cryptographic machine logs in to the key management system with the account authentication information so that keys can be distributed to the plurality of cryptographic machines that are to execute the cryptographic service;
a first sending unit, configured to broadcast the key change message to the registered cryptographic machines;
the apparatus further comprising: a first creating unit, configured to create a plurality of items of account authentication information in the key management system before the account authentication information corresponding to the cryptographic machine and the cryptographic machines registered under the corresponding account are determined; a writing unit, configured to write the same account authentication information and the address information of the key management system into the plurality of cryptographic machines that are to execute the cryptographic service; and a second receiving unit, configured to receive a registration request sent by a cryptographic machine that is to execute the cryptographic service, the registration request carrying the account authentication information, and to register the address information of that cryptographic machine under the account corresponding to the account authentication information.
8. A key processing apparatus, comprising:
a fourth receiving unit, configured to receive, at a cryptographic machine, a key change broadcast message sent by the key management system, wherein the key change broadcast message indicates that a key in a target cryptographic machine has been changed, and the target cryptographic machine and the receiving cryptographic machine are both registered cryptographic machines under the account corresponding to the same account authentication information;
a changing unit, configured to perform the key change according to the key change broadcast message;
the apparatus further comprising: a fifth receiving unit, configured to receive the account authentication information and the address information of the key management system before the cryptographic machine receives the key change broadcast message, wherein the cryptographic machine logs in to the key management system with the account authentication information so that keys can be distributed to it; a second sending unit, configured to send a registration request carrying the account authentication information to the key management system; and a sixth receiving unit, configured to receive a registration feedback message from the key management system, wherein the registration feedback message indicates the registration status, under the account corresponding to the account authentication information, of the cryptographic machine that sent the registration request.
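Claims 6 to 8 together describe one exchange: every cryptographic machine of a service is provisioned with the same account authentication information and the address of the key management system, registers under that account, downloads the account's keys, and, when the client changes a key on one target machine, that machine reports the change to the key management system, which broadcasts it to the other machines registered under the same account. The following is an added example that simulates that exchange end to end; it is not code from the patent or its assignee. It assumes in-memory objects in place of the network, a random token standing in for the account authentication information, a per-key version counter (not in the claims) so that a stale or replayed change is not applied, and a toy XOR stream cipher in place of the machine's real cipher.

```python
"""Simulation of the registration and key-change broadcast protocol of claims 6-8.
Added example, not code from the patent or its assignee. Class names, message
fields, the per-key version counter and the toy cipher are assumptions made here."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class KeyChange:
    """One operation on one key; the version (assumed) lets machines drop stale copies."""
    key_id: str
    op: str  # "set" or "delete"
    version: int
    material: Optional[bytes] = None


def apply_change(store: dict, change: KeyChange) -> bool:
    """Apply a change to a {key_id: (material, version)} store; False if not newer."""
    current = store.get(change.key_id)
    if current is not None and change.version <= current[1]:
        return False
    if change.op == "delete":
        store.pop(change.key_id, None)
    else:
        store[change.key_id] = (change.material, change.version)
    return True


class KeyManagementSystem:
    def __init__(self) -> None:
        self.keys: Dict[str, dict] = {}        # account auth info -> key store
        self.registered: Dict[str, dict] = {}  # account auth info -> address -> machine

    def create_account(self) -> str:
        auth = secrets.token_hex(16)  # the account authentication information
        self.keys[auth], self.registered[auth] = {}, {}
        return auth

    def register(self, auth: str, address: str, machine: "CryptoMachine") -> Optional[dict]:
        """Registration request carries the auth info; on success the machine's address
        is recorded under that account and it receives the account's keys (claims 6-8)."""
        if auth not in self.keys:
            return None
        self.registered[auth][address] = machine
        return dict(self.keys[auth])

    def on_key_change(self, auth: str, origin: str, change: KeyChange) -> int:
        """Record a registered machine's change and broadcast it to the other machines
        under the same account; returns how many were reached (0 if the change is stale)."""
        if origin not in self.registered.get(auth, {}):
            raise PermissionError("key change from unregistered address")
        if not apply_change(self.keys[auth], change):
            return 0
        peers = [m for a, m in self.registered[auth].items() if a != origin]
        for machine in peers:
            apply_change(machine.keys, change)  # the key change broadcast message
        return len(peers)


class CryptoMachine:
    def __init__(self, address: str, auth: str, kms: KeyManagementSystem) -> None:
        # The same auth info and KMS address are written into every machine (claim 7).
        self.address, self.auth, self.kms, self.keys = address, auth, kms, {}

    def connect(self) -> bool:
        """Register with the KMS and download all keys under the account (claim 6)."""
        keys = self.kms.register(self.auth, self.address, self)
        self.keys = keys if keys is not None else self.keys
        return keys is not None

    def on_client_change(self, change: KeyChange) -> int:
        """Client-issued change on this target machine: apply locally, then report it."""
        if not apply_change(self.keys, change):
            return 0
        return self.kms.on_key_change(self.auth, self.address, change)

    def crypt(self, key_id: str, data: bytes) -> bytes:
        """Toy XOR stream cipher (SHA-256 keystream), a stand-in for the real cipher."""
        key, stream, counter = self.keys[key_id][0], b"", 0
        while len(stream) < len(data):
            stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))


def run_scenario() -> dict:
    kms = KeyManagementSystem()
    auth = kms.create_account()
    machines = [CryptoMachine(f"10.0.0.{i}:8000", auth, kms) for i in (1, 2, 3)]
    connected = all(m.connect() for m in machines)
    # Client rotates "k1" on machine 1; the KMS fans the change out to machines 2 and 3.
    delivered = machines[0].on_client_change(KeyChange("k1", "set", 1, secrets.token_bytes(32)))
    # A replayed copy (same version) presented to machine 2 is dropped, not re-broadcast.
    stale = machines[1].on_client_change(KeyChange("k1", "set", 1, b"\x00" * 32))
    late = CryptoMachine("10.0.0.4:8000", auth, kms)  # joins after the rotation
    late.connect()
    ct = machines[0].crypt("k1", b"constructed plaintext")  # constructed sample input
    return {"connected": connected, "delivered": delivered, "stale": stale,
            "roundtrip": late.crypt("k1", ct),
            "in_sync": len({m.keys["k1"] for m in machines + [late]}) == 1}
```

Because every machine of the service holds the same account authentication information, that credential alone does not tell the key management system which machine is speaking; the example therefore accepts a key change only from an address already registered under the account, and the version field makes a replayed or out-of-order broadcast a no-op. The late-joining machine shows why the download on connection (claim 6) matters: it never saw the broadcast, yet decrypts what machine 1 encrypted after the rotation.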
CN202111070131.3A 2021-09-13 2021-09-13 Key processing method and device Active CN113824555B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111070131.3A CN113824555B (en) 2021-09-13 2021-09-13 Key processing method and device

Publications (2)

Publication Number Publication Date
CN113824555A CN113824555A (en) 2021-12-21
CN113824555B true CN113824555B (en) 2024-03-19

Family

ID=78914481

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111070131.3A Active CN113824555B (en) 2021-09-13 2021-09-13 Key processing method and device

Country Status (1)

Country Link
CN (1) CN113824555B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1452418A (en) * 2002-04-12 2003-10-29 华为技术有限公司 Method for sending cipher information to mobile terminal in mobile communication system
KR20060078809A (en) * 2004-12-31 2006-07-05 삼성전자주식회사 Transmission method and apparatus of a secure key after user authentication in a ethernet passive optical network system
WO2009129683A1 (en) * 2008-04-25 2009-10-29 中兴通讯股份有限公司 Access authentication method for a worldwide interoperability for microwave access system, apparatus and system using the same
CN108632292A (en) * 2018-05-16 2018-10-09 苏宁易购集团股份有限公司 Data sharing method based on alliance's chain and system
CN112560103A (en) * 2020-12-30 2021-03-26 北京数盾信息科技有限公司 Block chain link point cipher machine based on state cipher

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8914849B2 (en) * 2011-06-08 2014-12-16 Tracfone Wireless, Inc. Broadcast replenishment of account parameters for groups of wireless devices

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on an authentication scheme based on hierarchical identity-based signatures in large-scale delay-tolerant networks; Xu Guoyu; Chen Xingyuan; Du Xuehui; Journal of Electronics & Information Technology (No. 11); full text *

Also Published As

Publication number Publication date
CN113824555A (en) 2021-12-21

Similar Documents

Publication Publication Date Title
US11431484B2 (en) Blockchain transaction privacy enhancement through broadcast encryption
CN109120639B (en) Data cloud storage encryption method and system based on block chain
RU2395166C2 (en) Method for provision of access to coded content of one of multiple subscriber systems, device for access provision to coded content and method for generation of protected content packets
US10623186B1 (en) Authenticated encryption with multiple contexts
CN101330381A (en) Method for providing drm license
CN109450620B (en) Method for sharing security application in mobile terminal and mobile terminal
CN109347839B (en) Centralized password management method and device, electronic equipment and computer storage medium
CN111274611A (en) Data desensitization method, device and computer readable storage medium
US11321471B2 (en) Encrypted storage of data
CN116662941B (en) Information encryption method, device, computer equipment and storage medium
US20130170645A1 (en) Encryption and decryption devices and methods thereof
CN110602132A (en) Data encryption and decryption processing method
CN111010283B (en) Method and apparatus for generating information
CN113824555B (en) Key processing method and device
CN114968088B (en) File storage method, file reading method and device
CN113452519B (en) Key synchronization method and device, computer equipment and storage medium
US20160063264A1 (en) Method for securing a plurality of contents in mobile environment, and a security file using the same
CN113297586A (en) Data decryption method and device
CN113348452A (en) Method and system for digital rights management
CN112422475A (en) Service authentication method, device, system and storage medium
CN114070584B (en) Secret calculation method, device, equipment and storage medium
CN113572611B (en) Key processing method and device and electronic device
US20170187702A1 (en) Chaining of use case-specific entity identifiers
CN113946864B (en) Confidential information acquisition method, device, equipment and storage medium
JP2019071552A (en) Encryption communication method, encryption communication system, key issuing device, and program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant