CN114003927A - System and method for realizing cloud platform key management - Google Patents
- Publication number: CN114003927A
- Application number: CN202111224932.0A
- Authority: CN (China)
- Prior art keywords: key, key management, cloud platform, service unit, end micro
- Prior art date: 2021-10-21
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
The invention discloses a system and a method for implementing cloud platform key management, in the technical field of cloud computing platforms (PaaS). The system comprises a front-end micro-service unit, a back-end micro-service unit and an infrastructure micro-service unit. The front-end micro-service unit interacts with the user: it receives user configuration, forwards it to the service logic layer for processing and presents the processing result to the user. The back-end micro-service unit comprises a key module and an encryption/decryption module. The infrastructure micro-service unit runs on Barbican, an open-source OpenStack component. The system provides simple, reliable, secure and compliant data encryption protection, supports multiple integration modes, is easy to use, and has good prospects for adoption.
Description
Technical Field
The invention relates to the technical field of cloud computing platforms (PaaS), and in particular provides a system and a method for implementing cloud platform key management.
Background
With continuing social progress and rapid economic development, technologies of all kinds are advancing quickly. Computers, with their large information storage capacity and convenient, fast information access, are in wide use, and as user demands have grown, cloud computing technology has emerged. With its rapid development, more and more enterprises and individuals are migrating applications from traditional computing centres to cloud centres, more and more applications are deployed on cloud platforms, and the security requirements on cloud data grow day by day. At the same time, certifications such as the "cloud service user data protection capability assessment (public/private)" treat data encryption as an important evaluation criterion, so encryption of cloud data is of great importance.
Disclosure of Invention
The technical task of the invention is, in view of the above problems, to provide a system for implementing cloud platform key management that offers simple, reliable, secure and compliant data encryption protection, supports multiple integration modes and is easy to use.
A further technical task of the invention is to provide a method for implementing cloud platform key management.
In order to achieve the purpose, the invention provides the following technical scheme:
a system for implementing cloud platform key management comprises a front-end micro-service unit, a back-end micro-service unit and an infrastructure micro-service unit;
the front-end micro-service unit interacts with the user, receives user configuration, forwards it to the service logic layer for processing and presents the processing result to the user;
the back-end micro-service unit comprises a key module and an encryption/decryption module;
the infrastructure micro-service unit is implemented on Barbican and manages the life cycle of the key ciphertext (the stored, protected key material). Barbican is an open-source OpenStack component.
Preferably, the key module of the back-end micro-service unit covers key creation, key instance query, asymmetric public key query, and key rotation and destruction.
Preferably, the encryption/decryption module of the back-end micro-service unit encrypts, decrypts and signs data; it provides data encryption, data decryption, data signing and signature verification.
Preferably, the created key instance contains only the instance's metadata and not the key ciphertext, which is stored in the Barbican of the infrastructure micro-service unit.
Preferably, when a key is destroyed, a deletion grace period is set during which data encrypted under that key can still be decrypted.
Preferably, the grace period is not less than seven days.
Preferably, key rotation uses a scheduled (timer) task to set the rotation period; when it fires, the key instance stays unchanged while key management internally creates and updates the underlying key ciphertext and records a version corresponding to that ciphertext.
Key rotation provided by key management achieves the following security goals:
1. Reducing the amount of data encrypted under each key
Periodic rotation changes the key under which data is encrypted, so each key protects less data, which raises the security threshold per key and shrinks the cryptanalysis attack surface.
2. Logical isolation of data
Rotating the encryption key makes the ciphertext produced before and after the rotation logically isolated. The scope of a security event affecting a particular key version can then be determined quickly and further measures taken.
3. Narrowing the time window for cracking a key
If, on top of regular key rotation, ciphertext produced under the old key is re-encrypted under the new key, the rotation period becomes the decryption time window of a key: data can only be recovered if the key is cracked between two rotation events.
The key types supported by the key management service are the international algorithms AES-256 and RSA-1024 and the domestic (Chinese commercial cryptography) algorithms SM2, SM3 and SM4 (SM3 being a hash algorithm rather than a key type; note also that 1024-bit RSA is below the 2048-bit minimum that current guidance such as NIST SP 800-131A requires). AES and RSA keys are created and stored by Barbican in the infrastructure micro-service unit, whereas SM2, SM3 and SM4 keys are created by the back-end micro-service unit and then stored in Barbican.
The invention further discloses a method for implementing cloud platform key management, carried out on the system described above. The bottom layer uses the open-source OpenStack component Barbican to create and store some of the keys; keys of different types are created according to tenant requirements, users may import their own keys, and all keys are managed through the key management service.
Preferably, the method allows a cloud product to encrypt and protect the user data it hosts through direct integration with the key management service.
Preferably, when a cloud product integrates with the key management service, it integrates with both the front-end micro-service unit and the back-end micro-service unit: the cloud product creates a key of the required type through the key management front-end micro-service unit, key management returns the key instance information, and when data is encrypted or decrypted the operation is performed by calling the key management back-end micro-service unit or the SDK that key management provides.
Compared with the prior art, the method for implementing cloud platform key management has the following beneficial effects. Data in a cloud product is encrypted by the cloud product's server side; the encrypted data is stored by the application while the encryption key is stored in the key management service, so key and data are kept apart and cloud data is protected more effectively. Integrating the key management service gives the cloud product control over its computing and storage environment: computing and storage resources are isolated and protected in a distributed multi-tenant system, and the distributed computing or storage environment is governed by controlling the key's life cycle, usage state or access control policy in key management. The method therefore has good prospects for adoption.
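The key module behaviour set out above (a key instance that holds metadata only while the key ciphertext lives in Barbican, versioned rotation that leaves the instance unchanged, a deletion grace period of at least seven days, and re-encryption of old ciphertext under the new version) and the integration flow (the cloud product keeps the ciphertext with the application and calls the key management back end to encrypt and decrypt) can be modelled end to end. The following is an added example, not code from the patent or from OpenStack Barbican: `SecretStore` stands in for Barbican, `KeyService` for the back-end key module, and, because the Python standard library has no AES, a toy authenticated cipher built from a SHAKE256 keystream and an HMAC-SHA256 tag stands in for the AES-256 the page lists. The class and method names, the two-byte version prefix on every ciphertext and the explicit epoch-seconds `now` parameter are this example's own assumptions.

```python
# Added model of the page's key management service; not Barbican or patent code.
# SecretStore stands in for Barbican, KeyService for the back-end key module, and a
# SHAKE256-keystream/HMAC cipher stands in for AES-256 (assumptions of this example).
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GRACE_PERIOD_SECONDS = 7 * 86400   # page: deletion grace period of at least seven days


class SecretStore:
    """Barbican stand-in: the only component that ever holds key material."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}

    def store(self, ref: str, material: bytes) -> None:
        self._secrets[ref] = material

    def fetch(self, ref: str) -> bytes:
        return self._secrets[ref]

    def delete(self, ref: str) -> None:
        self._secrets.pop(ref, None)


@dataclass
class KeyInstance:
    """Key instance as the page describes it: metadata only, never the key ciphertext."""
    key_id: str
    key_type: str
    versions: List[str] = field(default_factory=list)   # Barbican secret refs, v1 first
    destroy_requested_at: Optional[int] = None          # epoch seconds; None = live


def _seal(master: bytes, plaintext: bytes) -> bytes:
    """Toy AEAD (SHAKE256 keystream, HMAC-SHA256 tag, encrypt-then-MAC) in place of AES-GCM."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(b"enc" + master + nonce).digest(len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + body + hmac.new(master, b"mac" + nonce + body, hashlib.sha256).digest()


def _open(master: bytes, sealed: bytes) -> bytes:
    nonce, body, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(master, b"mac" + nonce + body, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    stream = hashlib.shake_256(b"enc" + master + nonce).digest(len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


class KeyService:
    """Back-end key module: holds instance metadata, delegates key material to SecretStore."""

    def __init__(self, store: SecretStore) -> None:
        self.store = store
        self.keys: Dict[str, KeyInstance] = {}

    def create_key(self, key_type: str) -> KeyInstance:
        inst = KeyInstance(key_id=f"key-{secrets.token_hex(4)}", key_type=key_type)
        self.keys[inst.key_id] = inst
        self.rotate(inst.key_id)                        # creates version 1
        return inst

    def rotate(self, key_id: str) -> int:
        """Timer-task rotation: new key ciphertext version, key instance id unchanged."""
        inst = self.keys[key_id]
        ref = f"{key_id}/v{len(inst.versions) + 1}"
        self.store.store(ref, secrets.token_bytes(32))  # 256-bit material, stored only here
        inst.versions.append(ref)
        return len(inst.versions)

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        inst = self.keys[key_id]                        # newest version, tagged with a 2-byte version prefix
        return len(inst.versions).to_bytes(2, "big") + _seal(self.store.fetch(inst.versions[-1]), plaintext)

    def decrypt(self, key_id: str, blob: bytes, now: int) -> bytes:
        inst = self.keys[key_id]
        if inst.destroy_requested_at is not None and now >= inst.destroy_requested_at + GRACE_PERIOD_SECONDS:
            raise PermissionError("key destroyed and grace period elapsed")
        ref = inst.versions[int.from_bytes(blob[:2], "big") - 1]   # old versions stay decryptable
        return _open(self.store.fetch(ref), blob[2:])

    def rewrap(self, key_id: str, blob: bytes, now: int) -> bytes:
        """Re-encrypt old ciphertext under the newest version (rotation goal 3 on the page)."""
        return self.encrypt(key_id, self.decrypt(key_id, blob, now))

    def destroy(self, key_id: str, now: int) -> None:
        self.keys[key_id].destroy_requested_at = now    # material is kept through the grace period

    def purge(self, now: int) -> List[str]:
        """Timer task: delete key material only once the grace period has passed."""
        purged = []
        for inst in self.keys.values():
            if inst.destroy_requested_at is not None and now >= inst.destroy_requested_at + GRACE_PERIOD_SECONDS:
                for ref in inst.versions:
                    self.store.delete(ref)
                purged.append(inst.key_id)
        return purged
```

A cloud product using this model calls `create_key` once, stores only the returned `key_id` and the ciphertext blobs with its own data, and never sees the material in `SecretStore`. The version prefix is what makes rotation goal 2 workable: given a compromised version number, the product can select exactly the blobs that need `rewrap`. Destruction is a two-step policy on purpose: `destroy` only records the request, decryption keeps working until the seven-day grace period has elapsed, and only then does the timer task `purge` delete the material from the store.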
Drawings
Fig. 1 is an architecture diagram of the system for implementing cloud platform key management according to the present invention;
Fig. 2 is a flowchart of the method for implementing cloud platform key management according to the present invention.
Detailed Description
The system and method for implementing cloud platform key management according to the invention are described in further detail below with reference to the accompanying drawings and embodiments.
Examples
As shown in Fig. 1, the system for implementing cloud platform key management according to the invention comprises a front-end micro-service unit, a back-end micro-service unit and an infrastructure micro-service unit.
The front-end micro-service unit is the front-end micro-service module kms-front; it interacts with the user, receives user configuration, forwards it to the service logic layer for processing and presents the processing result to the user.
The back-end micro-service unit is the back-end micro-service module kms-service and comprises a key module and an encryption/decryption module.
The key module of the back-end micro-service unit covers key creation, key instance query, asymmetric public key query, and key rotation and destruction. The encryption/decryption module encrypts, decrypts and signs data; it provides data encryption, data decryption, data signing and signature verification.
The created key instance contains only the instance's metadata and not the key ciphertext, which is stored in the Barbican of the infrastructure micro-service unit.
When a key is destroyed, a deletion grace period is set during which data encrypted under that key can still be decrypted. The grace period is not less than seven days.
Key rotation uses a scheduled (timer) task to set the rotation period; when it fires, the key instance stays unchanged while key management internally creates and updates the underlying key ciphertext and records a version corresponding to that ciphertext.
Key rotation provided by key management achieves the three security goals set out in the Disclosure of Invention above: reducing the amount of data encrypted under each key, logically isolating the ciphertext produced before and after a rotation, and narrowing the time window in which a cracked key is of any use.
The infrastructure micro-service unit runs on Barbican, an open-source OpenStack component.
The method for implementing cloud platform key management is carried out on the system for implementing cloud platform key management described above. The bottom layer uses the open-source OpenStack component Barbican to create and store some of the keys; keys of different types are created according to tenant requirements, users may import their own keys, and all keys are managed through the key management service.
The method allows a cloud product to encrypt and protect the user data it hosts through direct integration with the key management service. When a cloud product integrates with the key management service, it integrates with both the front-end micro-service unit and the back-end micro-service unit: the cloud product creates a key of the required type through the key management front-end micro-service unit, key management returns the key instance information, and when data is encrypted or decrypted the operation is performed by calling the key management back-end micro-service unit or the SDK that key management provides.
The embodiments described above are merely preferred embodiments of the invention; ordinary changes and substitutions made by those skilled in the art within the technical scope of the invention fall within its scope of protection.
Claims (10)
1. A system for implementing cloud platform key management, characterized in that: the system comprises a front-end micro-service unit, a back-end micro-service unit and an infrastructure micro-service unit;
the front-end micro-service unit interacts with the user, receives user configuration, forwards it to the service logic layer for processing and presents the processing result to the user;
the back-end micro-service unit comprises a key module and an encryption/decryption module;
the infrastructure micro-service unit is implemented on Barbican and manages the life cycle of the key ciphertext.
2. The system for implementing cloud platform key management according to claim 1, characterized in that: the key module of the back-end micro-service unit covers key creation, key instance query, asymmetric public key query, and key rotation and destruction.
3. The system for implementing cloud platform key management according to claim 1, characterized in that: the encryption/decryption module of the back-end micro-service unit encrypts, decrypts and signs data, and provides data encryption, data decryption, data signing and signature verification.
4. The system for implementing cloud platform key management according to claim 3, characterized in that: the created key instance contains only the instance's metadata and not the key ciphertext, which is stored in the Barbican of the infrastructure micro-service unit.
5. The system for implementing cloud platform key management according to claim 4, characterized in that: when a key is destroyed, a deletion grace period is set during which data encrypted under the key can still be decrypted.
6. The system for implementing cloud platform key management according to claim 5, characterized in that: the grace period is not less than seven days.
7. The system for implementing cloud platform key management according to claim 6, characterized in that: key rotation uses a scheduled task to set the rotation period; when the rotation period is triggered, the key instance stays unchanged while key management internally creates and updates the underlying key ciphertext and generates the version corresponding to that ciphertext.
8. A method for implementing cloud platform key management, characterized in that: the method is implemented on the system for implementing cloud platform key management according to any one of claims 1 to 7, wherein the bottom layer uses the open-source OpenStack component Barbican to create and store some of the keys, keys of different types are created according to tenant requirements, and users may import their own keys and manage them through the key management service.
9. The method for implementing cloud platform key management according to claim 8, characterized in that: the method allows a cloud product to encrypt and protect the user data it hosts through direct integration with the key management service.
10. The method for implementing cloud platform key management according to claim 9, characterized in that: when a cloud product integrates with the key management service, it integrates with the front-end micro-service unit and the back-end micro-service unit; the cloud product creates a key of the required type through the key management front-end micro-service unit, key management provides the key instance information, and when data is encrypted or decrypted the operation is performed by calling the key management back-end micro-service unit or the SDK provided by key management.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111224932.0A CN114003927A (en) | 2021-10-21 | 2021-10-21 | System and method for realizing cloud platform key management |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111224932.0A CN114003927A (en) | 2021-10-21 | 2021-10-21 | System and method for realizing cloud platform key management |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114003927A true CN114003927A (en) | 2022-02-01 |
Family
ID=79923351
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111224932.0A Pending CN114003927A (en) | 2021-10-21 | 2021-10-21 | System and method for realizing cloud platform key management |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114003927A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114598757A (en) * | 2022-03-17 | 2022-06-07 | 浪潮云信息技术股份公司 | Cloud-native national cryptographic (SM) key management method |
CN114598757B (en) * | 2022-03-17 | 2024-06-18 | 浪潮云信息技术股份公司 | Cloud-native national cryptographic (SM) key management method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |