CN114095157B - Key management method, key management device, computer equipment and readable storage medium - Google Patents
Key management method, key management device, computer equipment and readable storage medium Download PDFInfo
- Publication number
- CN114095157B CN114095157B CN202111272590.XA CN202111272590A CN114095157B CN 114095157 B CN114095157 B CN 114095157B CN 202111272590 A CN202111272590 A CN 202111272590A CN 114095157 B CN114095157 B CN 114095157B
- Authority
- CN
- China
- Prior art keywords
- key
- seed
- trusted execution
- execution environment
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000007726 management method Methods 0.000 title abstract description 46
- 239000012634 fragment Substances 0.000 claims abstract description 179
- 238000000034 method Methods 0.000 claims abstract description 61
- 230000008569 process Effects 0.000 claims description 19
- 238000004590 computer program Methods 0.000 claims description 13
- 238000004364 calculation method Methods 0.000 claims description 3
- 238000013467 fragmentation Methods 0.000 description 12
- 238000006062 fragmentation reaction Methods 0.000 description 12
- 238000004422 calculation algorithm Methods 0.000 description 9
- 230000000694 effects Effects 0.000 description 9
- 230000007246 mechanism Effects 0.000 description 8
- 238000009795 derivation Methods 0.000 description 6
- 238000010586 diagram Methods 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 5
- 230000006870 function Effects 0.000 description 4
- 125000004122 cyclic group Chemical group 0.000 description 3
- 230000002085 persistent effect Effects 0.000 description 2
- 238000004321 preservation Methods 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 229920002430 Fibre-reinforced plastic Polymers 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 239000002131 composite material Substances 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 239000011151 fibre-reinforced plastic Substances 0.000 description 1
- 230000002045 lasting effect Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000010606 normalization Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000007781 pre-processing Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The application relates to a key management method, a key management device, a computer device and a readable storage medium. The method comprises the following steps: generating a random number in the data key trusted execution environment, sending the random number to the participants with the seed key fragments, receiving key generation parameters sent by a plurality of participants, acquiring the data key according to the key generation parameters, and storing the data key outside the data key trusted execution environment. The method can generate the data key in the data key trusted execution environment, ensures the safety of the generated data key, stores the data key outside the data key trusted execution environment for subsequent use, and avoids the problem that the data key is required to be acquired from the cryptographic machine when the data key is stored in the cryptographic machine for use, thereby reducing the risk of data key leakage.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and apparatus for managing a key, a computer device, and a readable storage medium.
Background
In a cloud computing environment, users no longer directly own hardware resources of an infrastructure, but directly use services in the cloud computing environment, so security of user data is increasingly prominent in the cloud computing environment. In order to ensure the safety of data transmission, data storage, user access, business operation and the like in a cloud computing environment, a password technology plays an increasingly important role in the cloud computing environment as a core technology for ensuring the safety of a cloud computing platform.
In the traditional technology, a data encryption and decryption technology is realized by adopting a three-level key management system, wherein the three-level key management system sequentially comprises a master key, a key exchange key and a data key, and the master key is stored in a cipher machine. The master key is used for encrypting a key exchange key and a data key to be stored locally, the key exchange key is used for encrypting the data key to be transmitted as a network, the data key is used for encrypting and decrypting the object to be processed, and the data key is decrypted through the master key. However, storing the data key using a cryptographic engine may present a risk of disclosure of the data key.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a key management method, apparatus, computer device, and readable storage medium.
A key management method, the method comprising:
generating a random number in a data key trusted execution environment;
the random number is sent to a participant with a seed key fragment, and key generation parameters sent by a plurality of participants are received, wherein the key generation parameters are obtained by the participants according to the random number and the seed key fragment;
and acquiring a data key according to the key generation parameter, and storing the data key outside the data key trusted execution environment.
In one embodiment, the storing the data key outside the data key trusted execution environment includes:
encrypting the data key through a first secure storage key to obtain an encrypted data key, and storing the encrypted data key outside the data key trusted execution environment.
In one embodiment, the method further comprises:
generating a key fragment parameter in a seed key trusted execution environment;
and determining the seed key sharding according to the key sharding parameters.
In one embodiment, the determining the seed key shard according to the key shard parameter includes:
Determining identification information of each participant; the participants are participants in the multiparty security calculation process;
and obtaining the seed key fragments held by each participant according to the identification information and the key fragment parameters.
In one embodiment, the obtaining, according to the identification information and the key fragmentation parameter, a seed key fragmentation held by each party includes:
for each participant, according to the identification information and the key slicing parameters, obtaining first key slicing information of the current participant, and sending the first key slicing information to other participants;
and obtaining the seed key fragment held by the current participant according to the first key fragment information of the current participant and the received second key fragment information sent by the other participants.
In one embodiment, the method further comprises:
encrypting the seed key fragments through a second secure storage key to obtain encrypted seed key fragments, and storing the encrypted seed key fragments outside the seed key trusted execution environment.
In one embodiment, the method further comprises:
Acquiring the encrypted seed key fragments from the outside of the seed key trusted execution environment;
decrypting the encrypted seed key fragments through the second secure storage key to obtain the seed key fragments, and sending the seed key fragments to each participant so that each participant generates the data key according to the seed key fragments.
In one embodiment, the method further comprises:
acquiring the encrypted data key from outside the data key trusted execution environment;
decrypting the encrypted data key through the first secure storage key to obtain the data key;
and encrypting and decrypting the object to be processed through the data key.
A key management apparatus, the apparatus comprising:
the random number generation module is used for generating random numbers in the data key trusted execution environment;
the key generation parameter acquisition module is used for transmitting the random number to a participant with the seed key fragmentation and receiving key generation parameters transmitted by a plurality of participants, wherein the key generation parameters are obtained by the participant according to the random number and the held seed key fragmentation;
And the data key generation module is used for acquiring a data key according to the key generation parameter and storing the data key outside the data key trusted execution environment.
A computer device comprising a memory storing a computer program and a processor which when executing the computer program performs the steps of:
generating a random number in a data key trusted execution environment;
the random number is sent to a participant with a seed key fragment, and key generation parameters sent by a plurality of participants are received, wherein the key generation parameters are obtained by the participants according to the random number and the seed key fragment;
and acquiring a data key according to the key generation parameter, and storing the data key outside the data key trusted execution environment.
A readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of:
generating a random number in a data key trusted execution environment;
the random number is sent to a participant with a seed key fragment, and key generation parameters sent by a plurality of participants are received, wherein the key generation parameters are obtained by the participants according to the random number and the seed key fragment;
And acquiring a data key according to the key generation parameter, and storing the data key outside the data key trusted execution environment.
The key management method, the device, the computer equipment and the readable storage medium can generate random numbers in the data key trusted execution environment, send the random numbers to the participants with the seed key fragments, receive key generation parameters sent by a plurality of participants, acquire the data key according to the key generation parameters and store the data key outside the data key trusted execution environment.
Drawings
FIG. 1 is a flow diagram of a key management method in one embodiment;
FIG. 2 is a flow chart of a method for encrypting and decrypting a corresponding to-be-processed in one embodiment;
FIG. 3 is a flow diagram of a method for determining seed key shards in one embodiment;
FIG. 4 is a flowchart illustrating a specific method for determining seed key shards according to another embodiment;
FIG. 5 is a flowchart illustrating a specific method for determining seed key shards in another embodiment;
FIG. 6 is a flowchart of another exemplary method for obtaining a seed key fragment from outside a seed key trusted execution environment;
FIG. 7 is a block diagram of a key management device in one embodiment;
fig. 8 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The key management method provided by the application can be applied to computer equipment, a plurality of participants for multiparty secure computation exist in the computer equipment, each participant can be a functional module in the computer equipment, and the functional module can be a software module or a hardware module. The number of the computer devices may be one or more. In the case of multiple computer devices, the multiple computer devices may be communicatively connected to each other, where the communication may be Wi-Fi, mobile network, or bluetooth connection, etc. The computer device may be implemented by a stand-alone server or a server cluster formed by a plurality of servers, and may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers and portable wearable devices.
In one embodiment, as shown in fig. 1, a key management method is provided, and the method is applied to the computer device in fig. 1 for illustration, and includes the following steps:
s100, generating random numbers in the data key trusted execution environment.
In particular, the computer device may generate a random number m in the data key trusted execution environment. m may be any real number. There may be N participants in a computer device.
And S200, transmitting the random number to the participants with the seed key fragments, and receiving key generation parameters transmitted by a plurality of participants, wherein the key generation parameters are obtained by the participants according to the random number and the seed key fragments.
Specifically, the computer device may send the generated random number m to the seed key holding shard s through the secure channel i At the same time, the computer device may also receive key generation parameters sent by multiple parties in the data key trusted execution environment. The secure channel may be an SSL or TLS encrypted channel in a computer device. In this embodiment, the computer device may receive at least t parameters and the transmitted key generation parameters. The above-mentioned i represents the identification information of the participant, and the identification information may be the number of the participant, or may be the position number of the participant, and i represents the position number of the participant, and the position numbers of the participants in adjacent positions are consecutive, and i may be a positive integer greater than or equal to 1. The t may be a real number of 1 or more and less than N.
As will be appreciated, in a computer deviceEach participant can divide the segments s according to the random number and the seed key acquired before the participant i Performing a first arithmetic operation to obtain a key generation parameter H i . The first arithmetic operation may be four arithmetic operations, an exponent operation, a logarithm operation, a rounding operation, or the like, or may be a combination of these operations. In this embodiment, however, the first arithmetic operation may include a hash operation and a remainder operation, and the key generation parameter H i Specifically, the method can be calculated by the following formula (1), namely:
wherein Hash (-) represents Hash operation, mod (-) represents residual operation, q represents order in cyclic group algorithm, in this embodiment, the actual operation object of residual function mod q in formula (1) isAnd q.
Exemplary parameters involved in the q generation process are, if G is Z * p Is a cyclic subgroup of Z * p Representing a prime number domain and being a finite domain, p being a modulus of the prime number domain, g representing a generator of the cyclic subgroup, the order being set to q, which may be a large prime number, wherein p may be equal to 2q+1.
S300, acquiring the data key according to the key generation parameter, and storing the data key outside the data key trusted execution environment.
In particular, the computer device may generate parameters H by means of at least t keys received in a data key trusted execution environment i A second arithmetic operation is performed to obtain the data key EK. The above-described second arithmetic operation may be a four-arithmetic operation, an exponent operation, a logarithm operation, a rounding operation, or the like, or may be a combined operation of these operations, but the first arithmetic operation and the second arithmetic operation may be different. In the present embodiment, however, the second arithmetic operation may include a hash operation and a continuous multiplication operationThe data key EK can be calculated by the following formula (2):
wherein i and j are the identification information of different participants in the t participants respectively.
Further, after the data key is obtained by the computer device, the data key can be stored outside the trusted execution environment of the data key so as to be used in the subsequent encryption and decryption of the data. The computer device may pre-process the data key and then store the pre-processed data key outside the data key trusted execution environment. The preprocessing may be denoising processing, encryption processing, normalization processing, binary conversion processing, and the like. The present embodiment generates a data key by a random number in order to make the generated data key random.
In the key management method, the computer equipment can generate random numbers in the data key trusted execution environment, send the random numbers to the participators with the seed key fragments, receive key generation parameters sent by a plurality of participators, acquire the data key according to the key generation parameters, and store the data key outside the data key trusted execution environment.
In some scenarios, the data key is not encrypted immediately after the data key is generated, in which case the data key may be stored first, and then the stored data key may be extracted for safe use when in use, so as to encrypt and decrypt the object to be processed. Thus, in this embodiment, the step of storing the data key outside the trusted execution environment of the data key in S300 may specifically include: encrypting the data key through the first secure storage key to obtain an encrypted data key, and storing the encrypted data key outside the data key trusted execution environment.
Specifically, the computer device may generate a first secure storage key by using a hardware key derivation mechanism in a trusted execution environment of the data key, and further encrypt the data key EK by using the first secure storage key to obtain an encrypted data key. Meanwhile, the random number m can be encrypted through the first secure storage key to obtain an encrypted random number, and the encrypted random number and the encrypted data key can be stored outside the data key trusted execution environment. In addition, in the process of generating the data key, other related parameters can be stored outside the trusted execution environment of the data key after being encrypted so as to realize the lasting preservation of the parameters. The hardware key derivation mechanism in this embodiment may be a standard mechanism provided by a data key trusted execution environment, and may be an Intel SGX key derivation mechanism.
It will be appreciated that the encrypted data key may be given a data key identification when stored in order to distinguish the encrypted data key from other keys. The data key identification may be one or more characters in any form, and is different from the seed key shard identification and the participant identification.
Further, in some scenarios, when the object to be processed needs to be encrypted and decrypted by using the data key, after executing the step of S300, as shown in fig. 2, the key management method may further include the following steps:
s310, acquiring the encrypted data key from the outside of the data key trusted execution environment.
In particular, the computer device may obtain, from outside the data key trusted execution environment, all encrypted data keys that match the data key identifier according to the data key identifier.
S320, decrypting the encrypted data key through the first secure storage key to obtain the data key.
It will be appreciated that the computer device may continue to decrypt the encrypted data key with the first secure storage key, recovering the encrypted data key to the data key.
S330, encrypting and decrypting the object to be processed through the data key.
Specifically, the computer device may encrypt and decrypt the object to be processed through the recovered data key in the trusted execution environment of the data key. The object to be processed may be media, data, files, hardware, etc. The encryption and decryption can comprise an encryption process and a decryption process, and an encryption algorithm adopted in the encryption process corresponds to a decryption algorithm adopted in the decryption process. The encryption algorithm may be an asymmetric encryption algorithm, a symmetric encryption algorithm, an international data encryption algorithm digital signature algorithm, a threshold Elgamal encryption algorithm, or the like.
According to the key management method, the data key can be encrypted through the first secure storage key to obtain the encrypted data key, the encrypted data key is stored outside the data key trusted execution environment so that the encrypted data key is obtained from the outside of the data key trusted execution environment when the data to be processed is encrypted and decrypted, the encrypted data key is further decrypted to obtain the data key, and then the data to be processed is encrypted and decrypted through the decrypted data key, so that the problem that the data key is required to be obtained from the cryptographic machine when the data key is stored in the cryptographic machine for use is solved, the risk of data key leakage is reduced, meanwhile, the method does not need to carry out secure management on the data key through the cryptographic machine, and therefore the security protection cost of multi-stage cryptographic management is saved.
As one embodiment, as shown in fig. 3, the key management method may further include the following steps:
s400, generating a key fragment parameter in the seed key trusted execution environment.
Specifically, the seed key trusted execution environment and the data key trusted execution environment are two different trusted execution environments in the computer device. Each party i in the computer device can generate corresponding key fragment parameters P in the seed key trusted execution environment i (j) Wherein the key fragment parameter P i (j) May be a randomly generated logarithmic function, exponential function, curve fitting function, etc. But in this embodiment, the key fragment parameter P i (j) Can be obtained by randomly generated n-th order polynomials, i.e. key fragmentation parameter P i (j) The method can be a randomly generated n-order polynomial, and can be specifically calculated by the following formula (3), namely:
wherein a is ij Representing the N-th order polynomial coefficients, N may be smaller than the total number of participants N. Due to the key fragmentation parameter P i (j) As an n-th order polynomial, in this embodiment, t may be n+1 or more.
S500, determining the seed key shards according to the key shard parameters.
Specifically, each party j in the computer device may generate the key fragment parameter P according to the party j j (j) Key fragment parameter P sent from other party i i (j) Determining seed keyAnd (5) slicing. Wherein the key fragment parameter P generated by the party j can be used for the self j (j) Key fragment parameter P sent from other party i i (j) Combining to obtain key fragment parameter P i (j) The key fragment parameter P generated by the party j can be also used for j (j) Key fragment parameter P sent from other party i i (j) Respectively performing operation processing, and then combining the parameters after the operation processing to obtain a key fragment parameter P i (j) Of course, these methods of determining the key fragment parameters are not limited.
According to the key management method, the seed key fragments can be determined firstly and then stored outside the trusted execution environment, and then the data key is determined through the seed key fragments, so that the seed key fragments cannot be recovered into the seed key at will, the whole key management process becomes safer and more reliable, the risk of leakage of the seed key fragments can be reduced, and the safety of the generated data key is ensured.
As an embodiment, as shown in fig. 4, the step of determining the seed key shard according to the key shard parameter in S500 may specifically include the following steps:
S510, determining identification information of each participant; the participants are participants in the multiparty secure computing process.
Specifically, the identification information of each participant may be a preset number of the participant, or may be a preset location number of the participant.
S520, obtaining the seed key fragments held by each participant according to the identification information and the key fragment parameters.
Specifically, each party i in the computer equipment can acquire the key fragment parameters P sent by other parties j in the seed key trusted execution environment j (i) And through the key slicing parameters P corresponding to the N currently acquired participants j (i) Performing a third arithmetic operation with the identification information to obtain seed key fragments s held by each party i i . The third arithmetic operation may be different from the first arithmetic operation and the second arithmetic operation, the first arithmetic operationThe three arithmetic operations may be four arithmetic operations, an exponential operation, a logarithmic operation, a rounding operation, or the like, or may be a combination of these operations.
As shown in fig. 5, the step of obtaining the seed key shard held by each party according to the identification information and the key shard parameter in S520 may specifically include:
S521, for each participant, according to the identification information and the key slicing parameters, obtaining the first key slicing information of the current participant, and sending the first key slicing information to other participants.
Specifically, for each participant, if the identification information of the current participant is i and the identification information of the other participant is j, the first key fragment information obtained by the current participant includes: the current party i sends the key slicing information of the other party j and the key slicing information of the current party i, and further, the current party in the computer device may send the key slicing information of the first key slicing information that the current party i sends to the other party j. Wherein the key fragment parameter corresponding to the key fragment information sent by the front party i to the other party j is P i (j) The key fragmentation parameter corresponding to the key fragmentation information of the current party i is P i (i) A. The invention relates to a method for producing a fibre-reinforced plastic composite The first key slice information may be understood as a key slice parameter P i (j) And P i (i) Corresponding specific results.
S522, obtaining the seed key fragment held by the current party according to the first key fragment information of the current party and the received second key fragment information sent by other parties.
In particular, the second key fragmentation parameter sent by other party j to current party i may be expressed as P j (i),P j (i) The corresponding specific result may be the second key sharding information. The current participant in the computer device may perform a fourth operation on the key fragment information of the current participant i sent by the other participant j in the received second key fragment information and the own key fragment information in the first key fragment information to obtain eachSeed key shard s held by participants i . The fourth arithmetic operation may be different from the first arithmetic operation, the second arithmetic operation, and the third arithmetic operation, and may be four arithmetic operations, an exponent operation, a logarithm operation, a rounding operation, and the like, or may be a combination operation of these operations. However, in the present embodiment, the fourth arithmetic operation described above may be a sum operation.
It can be understood that each participant in the computer device can perform summation operation according to the key fragment information obtained by itself and the key fragment information sent by other participants through the lagrangian interpolation formula to obtain the seed key fragments s held by each participant i The specific process can be calculated by the following formula (4), namely:
In addition, the computer device may incorporate seed key fragments s obtained by each party i A fifth arithmetic operation is performed to obtain a seed key s. The fifth arithmetic operation may be different from the first arithmetic operation, the second arithmetic operation, the third arithmetic operation, and the fourth arithmetic operation, and may be four arithmetic operations, an exponent operation, a logarithm operation, a rounding operation, and the like, or may be a combination of these operations. However, in this embodiment, the specific generation process of the seed key s may be calculated by the following formula (5):
the key management method can acquire the seed key fragments, and further determine the data key through the seed key fragments, and the seed key fragments cannot be recovered into the seed key at will, so that the whole key management process becomes safer and more reliable, the risk of leakage of the seed key fragments can be reduced, and the safety of the generated data key is ensured.
In some scenarios, after the generation of the seed key fragments, the data key may be determined after a certain time interval, in which case the acquired seed key fragments may be stored first, and then the stored seed key fragments may be extracted for safe use when in use, to generate the data key. Therefore, in this embodiment, after the step of S522, the key management method may further include the steps of: and encrypting the seed key fragments through the second secure storage key to obtain encrypted seed key fragments, and storing the encrypted seed key fragments outside the seed key trusted execution environment.
Specifically, the computer device may generate a second secure storage key by using a hardware key derivation mechanism in a trusted execution environment of the seed key, and further, pair the seed key fragments s by using the second secure storage key i And encrypting to obtain encrypted seed key fragments. At the same time, the n-order polynomial coefficient a can also be stored by the second secure storage key ij Encrypting to obtain an encrypted polynomial coefficient, and storing the encrypted polynomial coefficient and the encrypted seed key fragment outside the seed key trusted execution environment. The trusted execution environment in this embodiment may be a memory of the computer device, and the outside of the trusted execution environment may be understood as any memory outside the memory, such as a mobile hard disk, a local disk, and the like, where in this embodiment, the outside of the trusted execution environment may be the local disk. In addition, in the process of generating the seed key fragments, other related parameters can be stored outside the trusted execution environment of the seed key after being encrypted so as to realize the persistent preservation of the parameters. The hardware key derivation mechanism in this embodiment may be a standard mechanism provided by the seed key trusted execution environment, and may be an Intel SGX key derivation mechanism.
It will be appreciated that when the encrypted seed key fragments are stored, a seed key fragment identifier and a party identifier may be assigned to distinguish the encrypted seed key fragments from other keys, and the parties corresponding to the different seed key fragments may be distinguished by the party identifier. The seed key fragment identification and the party identification may each be one or more characters in any form.
Further, after the step of storing the encrypted seed key fragment outside the seed key trusted execution environment, as shown in fig. 6, the above-mentioned key management method may further include:
s5221, obtaining encrypted seed key fragments from the outside of the seed key trusted execution environment.
Specifically, the computer device may obtain, from outside the seed key trusted execution environment, all encrypted seed key fragments that match the seed key fragment identifier according to the seed key fragment identifier.
S5222, decrypting the encrypted seed key fragments through the second secure storage key to obtain seed key fragments, and sending the seed key fragments to each participant so that each participant generates a data key according to the seed key fragments.
It can be appreciated that the computer device may continue to decrypt the encrypted seed key fragments by the second secure storage key, restore the encrypted seed key fragments to seed key fragments, and send the seed key fragments to the corresponding participants according to the participant identifiers, so that each participant in the computer device may further generate the data key according to the seed key fragments thereof.
According to the key management method, the generated seed key fragments can be encrypted and then stored outside the seed key trusted execution environment, persistent storage is achieved, the seed key fragments are inconvenient to lose, meanwhile, according to actual use requirements, the encrypted seed key fragments which are safely stored can be obtained at any time from the outside of the seed key trusted execution environment, so that a data key can be further generated, the whole key management process is safer and more reliable, the risk of leakage of the seed key fragments can be reduced, and the safety of the generated data key is guaranteed.
For the convenience of understanding of those skilled in the art, the key management method provided by the present application will be described by taking an execution body as an example of a computer device, and specifically, the method includes:
(1) Generating a key fragment parameter in a seed key trusted execution environment;
(2) Determining identification information of each participant; the participants are participants in the multiparty secure computing process.
(3) And aiming at each participant, obtaining the first key fragmentation information of the current participant according to the identification information and the key fragmentation parameters, and sending the first key fragmentation information to other participants.
(4) And obtaining the seed key fragment held by the current participant according to the first key fragment information of the current participant and the received second key fragment information sent by other participants.
(5) And encrypting the seed key fragments through the second secure storage key to obtain encrypted seed key fragments, and storing the encrypted seed key fragments outside the seed key trusted execution environment.
(6) And obtaining the encrypted seed key fragments from the outside of the seed key trusted execution environment.
(7) Decrypting the encrypted seed key fragments through the second secure storage key to obtain seed key fragments, and sending the seed key fragments to each participant so that each participant generates a data key according to the seed key fragments.
(8) A random number is generated in a data key trusted execution environment.
(9) And sending the random number to the participants with the seed key fragments, and receiving key generation parameters sent by a plurality of participants, wherein the key generation parameters are obtained by the participants according to the random number and the seed key fragments.
(10) And acquiring the data key according to the key generation parameter, encrypting the data key through the first secure storage key to obtain an encrypted data key, and storing the encrypted data key outside the data key trusted execution environment.
(11) The encrypted data key is obtained from outside the trusted execution environment of the data key.
(12) And decrypting the encrypted data key through the first secure storage key to obtain the data key.
(13) And encrypting and decrypting the object to be processed through the data key.
The implementation process of the above (1) to (13) may be specifically referred to the description of the above embodiment, and its implementation principle and technical effects are similar, and will not be described herein again.
It should be understood that, although the steps in the flowcharts of fig. 1-6 are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in FIGS. 1-6 may include multiple steps or stages that are not necessarily performed at the same time, but may be performed at different times, nor do the order in which the steps or stages are performed necessarily performed in sequence, but may be performed alternately or alternately with at least a portion of the steps or stages in other steps or other steps.
In one embodiment, as shown in fig. 7, there is provided a key management apparatus including: a random number generation module 11, a key generation parameter acquisition module 12, and a data key generation module 13, wherein:
a random number generation module 11, configured to generate a random number in a trusted execution environment of a data key;
a key generation parameter obtaining module 12, configured to send a random number to a participant that holds a seed key fragment, and receive key generation parameters sent by a plurality of participants, where the key generation parameters are obtained by the participant according to the random number and the held seed key fragment;
the data key generation module 13 is configured to obtain a data key according to the key generation parameter, and store the data key to the outside of the trusted execution environment of the data key.
The key management device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
In one embodiment, the data key generating module 13 is specifically configured to encrypt the data key with the first secure storage key, obtain an encrypted data key, and store the encrypted data key outside the trusted execution environment of the data key.
The key management device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
In one embodiment, the key management apparatus further includes: the device comprises a key fragment parameter acquisition module and a fragment generation module, wherein:
the key slicing parameter acquisition module is used for generating key slicing parameters in the seed key trusted execution environment;
and the fragment generation module is used for determining the seed key fragments according to the key fragment parameters.
The key management device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
In one embodiment, the tile generation module includes: an identification information determining unit and a key fragment acquiring unit, wherein:
an identification information determining unit for determining identification information of each participant; the participants are participants in the multiparty security calculation process;
and the key fragment acquisition unit is used for acquiring the seed key fragments held by each participant according to the identification information and the key fragment parameters.
The key management device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
In one embodiment, the key fragment acquisition unit includes: the device comprises a fragment information acquisition subunit and a key fragment acquisition subunit, wherein:
the slicing information acquisition subunit is used for acquiring first key slicing information of the current participant according to the identification information and the key slicing parameters for each participant, and sending the first key slicing information to other participants;
the key fragment obtaining subunit is configured to obtain a seed key fragment held by the current participant according to the first key fragment information of the current participant and the received second key fragment information sent by other participants.
The key management device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
In one embodiment, the key fragment acquisition unit further includes: a key-slicing encryption subunit, wherein:
the key fragment encryption subunit is used for encrypting the seed key fragments through the second secure storage key to obtain encrypted seed key fragments, and storing the encrypted seed key fragments outside the seed key trusted execution environment.
The key management device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
In one embodiment, the key fragment acquisition unit further includes: an encryption fragment acquisition subunit and a key fragment decryption subunit, wherein:
the encryption fragment acquisition subunit is used for acquiring encrypted seed key fragments from the outside of the seed key trusted execution environment;
and the key fragment decryption subunit is used for decrypting the encrypted seed key fragments through the second secure storage key to obtain seed key fragments, and sending the seed key fragments to each participant so that each participant can generate a data key according to the seed key fragments.
The key management device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
In one embodiment, the key management apparatus further includes: a sample data acquisition unit and a decision stream acquisition unit, wherein:
the encryption key acquisition module is used for acquiring the encrypted data key from the outside of the data key trusted execution environment;
the decryption module is used for decrypting the encrypted data key through the first secure storage key to obtain the data key;
and the encryption and decryption module is used for encrypting and decrypting the object to be processed through the data key.
The key management device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
For specific limitations of the key management apparatus, reference may be made to the above limitations of the key management method, and no further description is given here. The respective modules in the above-described key management apparatus may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, the internal structure of which may be as shown in FIG. 8. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used for storing encrypted data keys, encrypted seed key fragments and the like. The computer program is executed by a processor to implement a key management method.
It will be appreciated by those skilled in the art that the structure shown in FIG. 8 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, a computer device is provided comprising a memory and a processor, the memory having stored therein a computer program, the processor when executing the computer program performing the steps of:
generating a random number in a data key trusted execution environment;
the random number is sent to a participant with the seed key fragments, key generation parameters sent by a plurality of participants are received, and the key generation parameters are obtained by the participants according to the random number and the seed key fragments;
and acquiring the data key according to the key generation parameter, and storing the data key outside the data key trusted execution environment.
In one embodiment, a readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of:
Generating a random number in a data key trusted execution environment;
the random number is sent to a participant with the seed key fragments, key generation parameters sent by a plurality of participants are received, and the key generation parameters are obtained by the participants according to the random number and the seed key fragments;
and acquiring the data key according to the key generation parameter, and storing the data key outside the data key trusted execution environment.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, or the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory. By way of illustration, and not limitation, RAM can be in the form of a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.
Claims (11)
1. A method of key management, the method comprising:
generating a random number in a data key trusted execution environment;
the random number is sent to a participant with a seed key fragment, key generation parameters sent by a plurality of participants are received in a data key trusted execution environment, and the key generation parameters are obtained by the participant according to the random number and the held seed key fragment; the key generation parameters are generated in a seed key trusted execution environment, and the seed key fragments are stored outside the seed key trusted execution environment; the seed key trusted execution environment and the data key trusted execution environment are two different trusted execution environments;
And acquiring a data key according to the key generation parameter, encrypting the data key, storing the encrypted data key outside the data key trusted execution environment, determining a seed key fragment, encrypting the seed key fragment, storing the encrypted seed key fragment outside the seed key trusted execution environment, and transmitting the seed key fragment to each participant so that each participant generates a data key according to the seed key fragment.
2. The method of claim 1, wherein the storing the data key after encrypting to outside the data key trusted execution environment comprises:
encrypting the data key through a first secure storage key to obtain an encrypted data key, and storing the encrypted data key outside the data key trusted execution environment.
3. The method of claim 1, wherein the determining the seed key shard comprises:
generating a key fragment parameter in the seed key trusted execution environment;
and determining the seed key sharding according to the key sharding parameters.
4. A method according to claim 3, wherein said determining a seed key shard from said key shard parameters comprises:
Determining identification information of each participant; the participants are participants in the multiparty security calculation process;
and obtaining the seed key fragments held by each participant according to the identification information and the key fragment parameters.
5. The method of claim 4, wherein the obtaining the seed key shard held by each of the participants based on the identification information and the key shard parameters comprises:
for each participant, according to the identification information and the key slicing parameters, obtaining first key slicing information of the current participant, and sending the first key slicing information to other participants;
and obtaining the seed key fragment held by the current participant according to the first key fragment information of the current participant and the received second key fragment information sent by the other participants.
6. The method of claim 1, wherein the storing the seed key fragments after encryption outside the seed key trusted execution environment comprises:
encrypting the seed key fragments through a second secure storage key to obtain encrypted seed key fragments, and storing the encrypted seed key fragments outside the seed key trusted execution environment.
7. The method of claim 6, wherein the method further comprises:
acquiring the encrypted seed key fragments from the outside of the seed key trusted execution environment;
and decrypting the encrypted seed key fragments through the second secure storage key to obtain the seed key fragments.
8. The method according to claim 2, wherein the method further comprises:
acquiring the encrypted data key from outside the data key trusted execution environment;
decrypting the encrypted data key through the first secure storage key to obtain the data key;
and encrypting and decrypting the object to be processed through the data key.
9. A key management apparatus, the apparatus comprising:
the random number generation module is used for generating random numbers in the data key trusted execution environment;
the key generation parameter acquisition module is used for transmitting the random number to a participant with the seed key fragments, and receiving key generation parameters transmitted by a plurality of participants in the data key trusted execution environment, wherein the key generation parameters are obtained by the participant according to the random number and the held seed key fragments; the key generation parameters are generated in a seed key trusted execution environment, and the seed key fragments are stored outside the seed key trusted execution environment; the seed key trusted execution environment and the data key trusted execution environment are two different trusted execution environments;
The data key generation module is used for acquiring a data key according to the key generation parameters, encrypting the data key, storing the data key outside the data key trusted execution environment, determining a seed key fragment, encrypting the seed key fragment, storing the seed key fragment outside the seed key trusted execution environment, and sending the seed key fragment to each participant so that each participant generates a data key according to the seed key fragment.
10. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1-8 when the computer program is executed.
11. A readable storage medium having stored thereon a computer program, which when executed by a processor performs the steps of the method according to any of claims 1-8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111272590.XA CN114095157B (en) | 2021-10-29 | 2021-10-29 | Key management method, key management device, computer equipment and readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111272590.XA CN114095157B (en) | 2021-10-29 | 2021-10-29 | Key management method, key management device, computer equipment and readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114095157A CN114095157A (en) | 2022-02-25 |
| CN114095157B true CN114095157B (en) | 2023-10-24 |
Family
ID=80298194
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111272590.XA Active CN114095157B (en) | 2021-10-29 | 2021-10-29 | Key management method, key management device, computer equipment and readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114095157B (en) |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110430051A (en) * | 2019-08-01 | 2019-11-08 | 北京永新视博数字电视技术有限公司 | A kind of method for storing cipher key, device and server |
| CN111082934A (en) * | 2019-12-31 | 2020-04-28 | 支付宝(杭州)信息技术有限公司 | Cross-domain secure multiparty computing method and device based on trusted execution environment |
| CN111563261A (en) * | 2020-05-15 | 2020-08-21 | 支付宝(杭州)信息技术有限公司 | Privacy protection multi-party computing method and system based on trusted execution environment |
| CN112183767A (en) * | 2020-09-30 | 2021-01-05 | 哈尔滨工业大学(深圳) | Multi-key lower model aggregation federal learning method and related equipment |
| CN112398648A (en) * | 2020-11-05 | 2021-02-23 | 华控清交信息科技(北京)有限公司 | Key management method and device for key management |
| WO2021083179A1 (en) * | 2019-10-30 | 2021-05-06 | 阿里巴巴集团控股有限公司 | Secure multi-party computing method, apparatus, system, and storage medium |
| CN112953974A (en) * | 2021-04-16 | 2021-06-11 | 平安科技(深圳)有限公司 | Data collision method, device, equipment and computer readable storage medium |
| CN113190871A (en) * | 2021-05-28 | 2021-07-30 | 脸萌有限公司 | Data protection method and device, readable medium and electronic equipment |
| CN113395159A (en) * | 2021-01-08 | 2021-09-14 | 腾讯科技(深圳)有限公司 | Data processing method based on trusted execution environment and related device |
| CN113541963A (en) * | 2021-07-16 | 2021-10-22 | 北京数牍科技有限公司 | TEE-based extensible secure multi-party computing method and system |
-
2021
- 2021-10-29 CN CN202111272590.XA patent/CN114095157B/en active Active
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110430051A (en) * | 2019-08-01 | 2019-11-08 | 北京永新视博数字电视技术有限公司 | A kind of method for storing cipher key, device and server |
| WO2021083179A1 (en) * | 2019-10-30 | 2021-05-06 | 阿里巴巴集团控股有限公司 | Secure multi-party computing method, apparatus, system, and storage medium |
| CN111082934A (en) * | 2019-12-31 | 2020-04-28 | 支付宝(杭州)信息技术有限公司 | Cross-domain secure multiparty computing method and device based on trusted execution environment |
| CN111563261A (en) * | 2020-05-15 | 2020-08-21 | 支付宝(杭州)信息技术有限公司 | Privacy protection multi-party computing method and system based on trusted execution environment |
| CN112183767A (en) * | 2020-09-30 | 2021-01-05 | 哈尔滨工业大学(深圳) | Multi-key lower model aggregation federal learning method and related equipment |
| CN112398648A (en) * | 2020-11-05 | 2021-02-23 | 华控清交信息科技(北京)有限公司 | Key management method and device for key management |
| CN113395159A (en) * | 2021-01-08 | 2021-09-14 | 腾讯科技(深圳)有限公司 | Data processing method based on trusted execution environment and related device |
| CN112953974A (en) * | 2021-04-16 | 2021-06-11 | 平安科技(深圳)有限公司 | Data collision method, device, equipment and computer readable storage medium |
| CN113190871A (en) * | 2021-05-28 | 2021-07-30 | 脸萌有限公司 | Data protection method and device, readable medium and electronic equipment |
| CN113541963A (en) * | 2021-07-16 | 2021-10-22 | 北京数牍科技有限公司 | TEE-based extensible secure multi-party computing method and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114095157A (en) | 2022-02-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3959839A1 (en) | Methods and systems for privacy preserving evaluation of machine learning models | |
| CN111404952B (en) | Transformer substation data encryption transmission method and device, computer equipment and storage medium | |
| CN111783129A (en) | Data processing method and system for protecting privacy | |
| WO2016088453A1 (en) | Encryption apparatus, decryption apparatus, cryptography processing system, encryption method, decryption method, encryption program, and decryption program | |
| JP7323004B2 (en) | Data extraction system, data extraction method, registration device and program | |
| CN114039785A (en) | Data encryption, decryption and processing method, device, equipment and storage medium | |
| CN111555880A (en) | Data collision method and device, storage medium and electronic equipment | |
| CN111475690B (en) | Character string matching method and device, data detection method and server | |
| CN111859435B (en) | Data security processing method and device | |
| Adedeji Kazeem et al. | A new hybrid data encryption and decryption technique to enhance data security in communication networks: algorithm development | |
| CN116170142B (en) | Distributed collaborative decryption method, device and storage medium | |
| CN111046431B (en) | Data processing method, query method, device, electronic equipment and system | |
| CN115412365B (en) | Data privacy protection method based on multilayer encryption | |
| CN114095157B (en) | Key management method, key management device, computer equipment and readable storage medium | |
| CN114726580B (en) | Data processing method and device | |
| JP2006227411A (en) | Communications system, encryption device, key generator, key generating method, restoration device, communication method, encryption method, and cryptography restoration method | |
| CN112019335B (en) | SM2 algorithm-based multiparty collaborative encryption and decryption method, device, system and medium | |
| WO2019111319A1 (en) | Secret equality determination system, secret equality determination method and secret equality determination program recording medium | |
| CN114244517A (en) | Data encryption and signature method and device, computer equipment and storage medium | |
| CN114362912A (en) | Identification password generation method based on distributed key center, electronic device and medium | |
| KR101026647B1 (en) | Communication security system and method of the same with key derivation cryptographic algorithm | |
| CN111931204A (en) | Encryption and de-duplication storage method and terminal equipment for distributed system | |
| CN117440372B (en) | Zero trust authentication method and device for wireless network | |
| CN116303551B (en) | Hidden query method and device | |
| CN115442103B (en) | Method, system, equipment and storage medium for resisting poisoning attack in group learning |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |