CN114124373B - Video key management method and system for automatic backup and recovery - Google Patents
Video key management method and system for automatic backup and recovery Download PDFInfo
- Publication number
- CN114124373B CN114124373B CN202111290691.XA CN202111290691A CN114124373B CN 114124373 B CN114124373 B CN 114124373B CN 202111290691 A CN202111290691 A CN 202111290691A CN 114124373 B CN114124373 B CN 114124373B
- Authority
- CN
- China
- Prior art keywords
- key
- backup
- party
- video
- key backup
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000007726 management method Methods 0.000 title claims abstract description 53
- 238000011084 recovery Methods 0.000 title claims abstract description 45
- 238000000034 method Methods 0.000 claims abstract description 19
- 238000012806 monitoring device Methods 0.000 claims description 14
- 230000011664 signaling Effects 0.000 claims description 14
- 238000012544 monitoring process Methods 0.000 claims description 11
- 238000013475 authorization Methods 0.000 claims description 9
- 239000012634 fragment Substances 0.000 claims description 3
- 230000011218 segmentation Effects 0.000 claims description 3
- 230000002265 prevention Effects 0.000 abstract description 2
- 238000010586 diagram Methods 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 230000009286 beneficial effect Effects 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 230000006855 networking Effects 0.000 description 2
- 230000001360 synchronised effect Effects 0.000 description 2
- 230000002457 bidirectional effect Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000004806 packaging method and process Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
Abstract
The invention discloses a video key management method and a system for automatic backup and recovery, wherein the method comprises the following steps: the key generator deploys a key backup service module and a key backup library in each key backup party; the key generator authorizes each key backup party to receive the key backup package, and simultaneously authorizes each key backup party to distribute and acquire the key backup package; the key generator assembles a key backup package, encrypts and sends the key backup package to each authorized key backup party to store the key backup package in a key backup library of the key backup party for key backup; during video on demand, a key user obtains a historical backup key in a key backup library on a current stage platform, decrypts the video and plays the video; when the key generator requests recovery, the key backup side performs key recovery. The method effectively prevents the loss of the historical key through multi-node and multi-mode key backup, solves the problem of the usability of the encrypted video, and has the advantages of single-point failure prevention, key confidentiality and integrity protection and key quick retrieval.
Description
Technical Field
The invention belongs to the technical field of video key management, and particularly relates to a video key management method and system for automatic backup and recovery.
Background
In 11 months of 2018, the national standardization management committee of China issues technical requirements for public safety video monitoring networking information safety of GB35114-2017, which is a mandatory national standard for video monitoring networking information safety. The standard classifies front-end monitoring equipment, and requires C-level equipment to have the capability of bidirectional identity authentication based on a digital certificate and a management platform, video data signing capability and video data encryption capability, so that identity reality and video source reality equipment can be achieved, whether video content is tampered can be checked, and the aim of encrypting and protecting video content can be achieved. The key used for encrypting the video data requires that the update period of the video key encryption key VKEK is not more than 1 day, and the update period of the video encryption key VEK is not more than 1 hour. The VEK is used for encrypting the video stream, VKEK is used for encrypting the VEK, the VEK is randomly generated by the front-end monitoring device, VKEK is generated from a 'key management system' of the platform end and distributed to the front-end monitoring device after being encrypted by adopting a public key of the front-end monitoring device. Since the platform end needs to dock multiple front-end monitoring devices, and each front-end monitoring device needs to generate at least one VKEK per day, a large amount of VKEK will be generated.
The above safety requirements bring new problems: once VKEK is lost, the video recording cannot be decrypted for playback. Although the key management system KMS commonly used in the market at present has functions of symmetric key generation, storage, distribution, backup, recovery and the like, the backup and recovery of the key are operated in a manual mode, and cannot meet the requirement of fast recovery to support real-time video playing. In addition, the KMS flattens the identification of the key, and when massive keys need to be searched, the waiting time of the user is long, and the video on demand is obvious.
When a video-on-demand user clicks a historical encrypted video of a lower platform on an upper platform, most of current manufacturers generate new VKEK on the lower platform, and re-encrypt a video encryption key VEK in the encrypted video by using the new VKEK to assemble a new video file. The new VKEK is encrypted by the upper-level Ping Taigong key and distributed to the upper-level platform. Because video data is huge data, the processing process has very high pressure on the performance of the server, so that video on demand is seriously clamped, and the user experience is influenced.
Disclosure of Invention
The invention aims to overcome the defects and shortcomings of the prior art, and provides a video key management method and system for automatic backup and recovery, which are used for multi-node and multi-mode key backup, effectively prevent the loss of a historical key and have the advantages of single-point failure prevention, key confidentiality and integrity protection and key quick retrieval.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
the invention provides a video key management method for automatic backup and recovery, which comprises the following steps:
the key generator deploys a key backup service module and a key backup library in each key backup party;
the key generator authorizes each key backup party to receive the key backup package, and simultaneously authorizes each key backup party to distribute and acquire the key backup package;
the key generator assembles the key backup package according to the data format of the key backup library, encrypts and distributes the key backup package to the key backup service modules of all authorized key backup parties through the key backup service module, and stores the key backup package into the key backup library of the key backup party for key backup;
when the video on demand needs to use the backup key, the key user obtains the historical backup key in the key backup library on the current stage platform, decrypts the video and plays the video;
When the key generator requests recovery, the key backup side is used for carrying out key recovery; after receiving the request, the key backup party decrypts the key backup library of the key backup party and encrypts the key backup library into a new key backup library, the new key backup library is sent to the key generation party through the key backup service module of the key backup party, and the key generation party decrypts the new key backup library sent by the key backup party and merges the new key backup library into the local key backup library.
Preferably, the key generating party refers to a video key management system for generating a video key encryption key VKEK, and the key backup party refers to equipment or personnel for performing key backup by assigning the key generating party, and the equipment or personnel comprise a signaling server, a gateway, a key manager terminal and an upper-layer video key management system.
Preferably, the key generator authorizes each key backup party to receive the key backup package, and the specific authorization configuration parameters include: the method comprises the steps of (1) a key backup party name, an access mode of the key backup party, an access address of the key backup party, a key encryption public key or certificate of the key backup party, a signature public key or certificate and a selection threshold identifier;
each key backup party authorizes the key generator to distribute and acquire the key backup package, and specific authorization configuration parameters comprise: the name of the key generator, the IP of the key generator, the public key or certificate of signature of the key generator, the public key or certificate of encryption.
Preferably, the data format of the key backup library adopts a directory hierarchical structure, and comprises a fourth-level directory, wherein the first-level directory is the ID of the present-level platform, the second-level directory is the IDs of all front-end monitoring devices connected by the present-level platform, the third-level directory is all key version numbers of a certain front-end device, the fourth-level directory is each key backup file, and the public key ID of each key backup party is used as a file name;
The information in the key backup file includes: platform number PlatformID, front-end device number DevID, key version number KeyVersion, key generation time KEYCREATETIME, key algorithm identification KeyAlgID, key backup party public key identification BackupKeyID, encrypted key EncryptedKey, threshold identification ThresholdID, threshold m and t, key generator party public key identification CreatorKeyID, key generator party Signature.
Preferably, the key backup is stored in a key backup library of a key backup party, specifically:
The key generator assembles a key backup package for all video key encryption keys VKEK of the last day at set time according to the data format of a key backup library, encrypts VKEK by adopting the public key of the key backup and puts the encrypted key encryptedKey field in the data format; if threshold segmentation is involved, dividing VKEK into m parts according to threshold parameters, adopting a public key pair VKEK of a key manager to encrypt, then placing the encrypted key encryptedKey field in a data format, and finally adopting a private key of a key generator to sign;
The key generator distributes the assembled key backup package to the key backup service module of each authorized key backup party in an HTTPpost or Email mode through the key backup service module;
after receiving the key backup package sent by the key generator, the key backup party authenticates the key generator IP first, and then verifies the signature by using the key generator certificate;
The key backup party performs incremental combination on the received key backup package and the previous key backup package to form a full-quantity key backup library of the node, and then performs safe backup;
The key backup side informs the key generation side that the key backup of the node is successful.
Preferably, when the video on demand needs to use the backup key, the key user obtains the historical backup key in the key backup library on the current stage platform, decrypts the video, and plays the video, which specifically includes:
when the video playing terminal plays the historical encrypted video file, the front-end monitoring equipment ID and VKEK version numbers are obtained through the SVAC video file;
the video playing terminal transmits the public key of the video playing terminal through a signaling server of the current stage platform, and the front end monitoring equipment ID and VKEK version numbers acquire VKEK;
The signaling server of the present stage platform authenticates the video playing terminal;
After the permission is determined, a signaling server of the current stage platform transmits a public key of a video playing terminal to a video key management system of the current stage platform, and a front end monitoring device ID and VKEK version numbers are obtained to obtain VKEK;
The video key management system of the present stage platform obtains the appointed VKEK from the present stage key backup library according to the front end monitoring device ID and the key version number, adopts the private key of the present stage platform to decrypt, and encrypts VKEK by the public key of the video playing terminal;
the video key management system of the present stage platform returns VKEK after encryption through the key backup service module of the present stage platform;
the video playing terminal decrypts VKEK by adopting the private key of the video playing terminal, decrypts the video encryption key VEK by utilizing VKEK, and then decrypts the encrypted video by utilizing VEK to play.
Preferably, the key recovery by the key backup party specifically includes:
the key generation sends a recovery request to the key backup side;
After receiving the request, the key backup party authenticates the IP and the certificate of the key generation party, searches a key backup library of the key backup party after passing, uses a private key of the key backup party to decrypt, and uses a public key of the key generation party to encrypt to generate a new key backup package;
returning a new key backup package to the key generator by the key backup direction;
The key generator analyzes the new key backup package, decrypts the encrypted key encryptedKey field in the new key backup package by using the private key of the key generator, and if the key generator relates to the threshold parameter, the key encryptedKey field is combined with key factors decrypted by other key administrators;
And the key generator combines the decrypted key backup information with the local key backup library, and the key backup library is successfully restored.
Preferably, when the key recovery is performed, the key manager is supported to recover in a manual mode, specifically:
And dividing VKEK generated by a key generator into m blocks through shamir threshold cryptography, keeping the m blocks for m key administrators, and recovering VKEK by only providing VKEK fragments for t,0<t < = m key administrators during key recovery.
The invention also provides a video key management system for automatic backup and recovery, which is applied to the video key management method for automatic backup and recovery, and comprises a deployment module, an authorization module, a backup module, a use module and a recovery module;
the deployment module is used for deploying the key backup service module and the key backup library in each key backup party by the key generator;
The authorization module is used for authorizing each key backup party to receive the key backup package by the key generating party, and simultaneously authorizing the key generating party to distribute and acquire the key backup package by the key backup party;
The backup module is used for distributing the key backup information to each key backup party by the key generator to carry out key backup;
the using module is used for acquiring a video key and decrypting the video for playing when the video is on demand;
And the restoration module is used for acquiring the key backup package of each key backup party and merging the key backup package into the local key backup library when the key generator requests restoration.
In still another aspect, the present invention provides a computer readable storage medium storing a program which, when executed by a processor, implements the method for managing a video key for automatic backup and restore.
Compared with the prior art, the invention has the following advantages and beneficial effects:
1. according to the invention, through multi-node and multi-mode key backup of a present stage platform, an upper stage platform, a manual mode and the like, the loss of a historical key is effectively prevented, and the problem of the usability of an encrypted video is solved;
2. the format of the key backup library of the directory structure in the invention is more in line with the management logic of the video key, and is more beneficial to quickly searching the history key to decrypt and play the encrypted video;
3. the invention supports the automatic mode of key backup and recovery, accelerates the speed of key backup and recovery, reduces the labor cost and meets the requirement of video on demand real-time;
4. The authorized platforms can share the secret key through the secret key backup, so that the platforms can mutually decrypt the encrypted video; and in the process of transferring the encrypted video, the encrypted video is not decrypted and then encrypted, so that the burden of equipment and a network is effectively reduced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for managing video keys for automatic backup and restore according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a key backup service module deployed according to an embodiment of the present invention;
FIG. 3 is a diagram of a data format of a key backup library according to an embodiment of the present invention;
FIG. 4 is a flow chart of key backup distribution according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating the use of the key backup according to the embodiment of the present invention;
FIG. 6 is a flow chart of key recovery according to an embodiment of the present invention;
FIG. 7 is a block diagram of an automatic backup and restore video key management system according to an embodiment of the present invention;
fig. 8 is a block diagram of a computer-readable storage medium according to an embodiment of the present invention.
Detailed Description
In order to enable those skilled in the art to better understand the present application, the following description will make clear and complete descriptions of the technical solutions according to the embodiments of the present application with reference to the accompanying drawings. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the described embodiments of the application may be combined with other embodiments.
As shown in fig. 1, in one embodiment of the present application, there is provided a video key management method for automatic backup and restore, including the steps of:
S1, a key generator deploys a key backup service module and a key backup library in each key backup party;
More specifically, the key generator refers to a video key management system that generates a video key encryption key VKEK; the key backup party refers to equipment or personnel for performing key backup by assigning a key generating party, such as a signaling server, a gateway, a key manager terminal, an upper-layer video key management system and the like.
More specifically, as shown in fig. 2, the key backup party includes a video key management system, a signaling server, a gateway, and a key manager terminal, and key backup service modules are respectively deployed on the key backup parties for distributing and receiving key backup packages (the key backup packages are subsets of a key backup library). The video key management system is used for generating a video key encryption key VKEK of the local platform, distributing the video key encryption key VKEK to the front-end monitoring equipment for use, and packaging a key backup package by the key backup service module to distribute the key backup package to key backup service modules of other network nodes for key backup. And when the video key management system recovers after failure, acquiring a key backup package from the key backup service modules of other network nodes through the key backup service module to recover the key.
S2, the key generator authorizes each key backup party to receive the key backup package, and simultaneously, the key generator authorizes each key backup party to distribute and acquire the key backup package;
More specifically, the specific configuration parameters of the key generator for authorizing each key backup include: a key backup party name (such as "home signaling server", "superior key management system", "key manager-Zhang San", etc.), an access mode of the key backup party (such as "http post" or "Email"), an access address of the key backup party (such as URL or Email address), a key encryption public key or certificate of the key backup party (necessary), a signature public key or certificate (may be null), and a selection threshold identification (may be null);
the specific configuration parameters of the key generating party authorized by each key backup party comprise: the name of the key generator (e.g., the "present-level key management system", "lower-level key management system", etc.), the IP of the key generator, the signed public key or certificate of the key generator, the encrypted public key or certificate.
S3, the key generator assembles the key backup package according to the data format of the key backup library, encrypts and distributes the key backup package to the key backup service modules of all authorized key backup parties through the key backup service modules, and stores the key backup package into the key backup library of the key backup party for key backup;
More specifically, as shown in fig. 3, the data format of the key backup library adopts a directory hierarchy structure, so that the history key of the designated front-end monitoring terminal can be conveniently and quickly found, and compared with the flat database table format, the key backup library has the characteristics of clear logic hierarchy, high key retrieval speed and the like. The first-level catalogue of the key backup library is the ID of the platform of the present level, the second-level catalogue is the ID of all front-end monitoring devices connected with the platform of the present level, the third-level catalogue is all key version numbers of a certain front-end device, the fourth-level is each key backup file, the public key ID of each key backup party is used as a file name, and the key backup files specifically comprise the following information: platform number PlatformID, front-end device number DevID, key version number KeyVersion, key generation time KEYCREATETIME, key algorithm identification KeyAlgID, key backup party public key identification BackupKeyID, encrypted key EncryptedKey, threshold identification ThresholdID (may be null), m and t of threshold (may be null), key generation party public key identification CreatorKeyID, key generation party Signature: signature of the data; the key backup package is a subset of the key backup repository.
More specifically, as shown in fig. 4, the specific steps of key backup are:
S31, a key generator assembles a key backup package for all video key encryption keys VKEK of the last day at a set time (such as 0 a.m.) according to the data format of a key backup library, encrypts VKEK by adopting a public key of the key backup and puts the encrypted key encryptedKey field in the data format; if threshold segmentation is involved, dividing VKEK into m parts according to threshold parameters, adopting a public key pair VKEK of a key manager to encrypt, then placing the encrypted key encryptedKey field in a data format, and adopting a private key of a key generator to sign;
S32, the key generator distributes the assembled key backup package to the key backup service module of each authorized key backup party in an HTTPpost or Email mode through the key backup service module;
s33, after receiving the key backup package sent by the key generator, the key backup party authenticates the key generator IP first, and verifies the signature by using the key generator certificate to ensure the data integrity;
S34, the key backup party performs incremental combination on the received key backup package and the previous key backup package to form a full key backup library of the node, and then performs safe backup;
S35, the key backup party informs the key generation party that the key backup of the node is successful.
S4, when the video on demand needs to use the backup key, the key user obtains the historical backup key in the key backup library on the current stage platform, decrypts the video and plays the video;
more specifically, since the lower stage platform regularly backs up the video key to the upper stage platform, the upper stage platform can acquire the historical backup key of the lower stage platform from the video key management system of the upper stage to decrypt and play, the mode has very small performance pressure on the server, video on demand clamping is not caused, and the user experience is obviously superior to the products of most factories.
As shown in fig. 5, the backup key is used as follows:
s41, when the video playing terminal plays the historical encrypted video file, acquiring a front-end monitoring device ID and VKEK version numbers through the SVAC video file;
s42, the video playing terminal transmits a public key of the video playing terminal through a signaling server of the present stage platform, and the front end monitoring device ID and VKEK version numbers acquire VKEK;
S43, authenticating the video playing terminal by the signaling server of the present stage platform;
s44, after the permission is determined, the signaling server of the current stage platform transmits the public key of the video playing terminal to the video key management system of the current stage platform, and the front end monitoring equipment ID and VKEK version number are acquired VKEK;
S45, the video key management system of the local stage platform obtains a designation VKEK from the local stage key backup library according to the front end monitoring equipment ID and the key version number, decrypts by adopting the private key of the local stage platform, and encrypts VKEK by using the public key of the video playing terminal;
s46, the video key management system of the present stage platform returns VKEK after encryption through the key backup service module of the present stage platform;
S47, the video playing terminal decrypts VKEK by adopting the private key of the video playing terminal, decrypts the video encryption key VEK by utilizing VKEK, and then decrypts the encrypted video by using the VEK to play.
S5, when the key generator requests recovery, the key backup side is used for carrying out key recovery; after receiving the request, the key backup party decrypts the key backup library of the key backup party and encrypts the key backup library into a new key backup library, the new key backup library is sent to the key generation party through the key backup service module of the key backup party, and the key generation party decrypts the new key backup library sent by the key backup party and merges the new key backup library into the local key backup library.
More specifically, as shown in fig. 6, the backup key recovery steps are:
S51, a key generation sends a recovery request to a key backup side;
S52, after receiving the request, the key backup party authenticates the IP and the certificate of the key generation party, searches the key backup library of the key backup party after passing, uses the private key of the key backup party to decrypt, and uses the public key of the key generation party to encrypt so as to generate a new key backup library;
s53, the key backup side returns to the new key backup library through the key backup service module of the key backup side;
s54, the key generator analyzes the new key backup library, decrypts the encrypted key encryptedKey field in the new key backup library by using the private key of the key generator, and if the key generator relates to the threshold parameter, combines the encrypted key encryptedKey field with key factors decrypted by other key administrators;
And S55, the key generator combines the decrypted key backup information with the local key backup library, and the key backup library is successfully restored.
More specifically, the backup key recovery of the present embodiment also supports manual recovery by a key manager, specifically:
And dividing VKEK generated by a key generator into m blocks through shamir threshold cryptography, keeping the m blocks for m key administrators, and recovering VKEK by only providing VKEK fragments for t,0<t < = m key administrators during key recovery.
It should be noted that, for the sake of simplicity of description, the foregoing method embodiments are all expressed as a series of combinations of actions, but it should be understood by those skilled in the art that the present invention is not limited by the order of actions described, as some steps may be performed in other order or simultaneously in accordance with the present invention.
Based on the same ideas the automatic backup and recovery video key management method in the above embodiment, the present invention also provides an automatic backup and recovery video key management system, which can be used to perform the automatic backup and recovery video key management method. For ease of illustration, only those portions of an embodiment of an automatic backup and restore video key management system are shown in a schematic configuration, and those skilled in the art will appreciate that the illustrated configuration is not limiting of the apparatus and may include more or fewer components than illustrated, or may combine certain components, or a different arrangement of components.
In another embodiment of the present application, as shown in fig. 7, there is provided an automatic backup and restore video key management system 100, which includes at least the following modules:
A deployment module 101, configured to deploy, by a key generator, a key backup service module and a key backup library in each key backup party;
An authorization module 102, configured to authorize each key backup party to receive the key backup package by the key generating party, and authorize each key backup party to distribute and obtain the key backup package by the key generating party;
The backup module 103 is configured to distribute key backup information to each key backup party by the key generator to perform key backup;
the use module 104 is used for acquiring a video key and decrypting the video for playing when video on demand;
And the restoration module 105 is used for acquiring the key backup libraries of each key backup party and merging the key backup libraries into the local key backup library when the key generation party requests restoration.
It should be noted that, the technical features and the beneficial effects described in the embodiments of the automatic backup and restore video key management method according to the present invention are applicable to the embodiments of the automatic backup and restore video key management system, and specific content may be referred to the description of the embodiments of the method according to the present invention, which is not repeated herein, and thus is described herein.
In addition, in the implementation of the automatic backup and restore video key management system according to the foregoing embodiment, the logic division of each program module is merely illustrative, and in practical application, the allocation of the functions may be performed by different program modules according to needs, for example, in view of configuration requirements of corresponding hardware or convenience of implementation of software, that is, the internal structure of the automatic backup and restore video key management system is divided into different program modules to perform all or part of the functions described above.
As shown in fig. 8, in one embodiment, there is further provided a computer readable storage medium 200 storing a program in a memory 201, where when the program is executed by a processor, the processor 202 implements the method for managing video keys for automatic backup and restore, specifically:
the key generator deploys a key backup service module and a key backup library in each key backup party;
the key generator authorizes each key backup party to receive the key backup package, and simultaneously authorizes each key backup party to distribute and acquire the key backup package;
the key generator assembles the key backup package according to the data format of the key backup library, encrypts and distributes the key backup package to the key backup service modules of all authorized key backup parties through the key backup service module, and stores the key backup package into the key backup library of the key backup party for key backup;
when the video on demand needs to use the backup key, the key user obtains the historical backup key in the key backup library on the current stage platform, decrypts the video and plays the video;
When the key generator requests recovery, the key backup side is used for carrying out key recovery; after receiving the request, the key backup party decrypts the key backup library of the key backup party and encrypts the key backup library into a new key backup library, the new key backup library is sent to the key generation party through the key backup service module of the key backup party, and the key generation party decrypts the new key backup library sent by the key backup party and merges the new key backup library into the local key backup library.
Those skilled in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program for instructing relevant hardware, where the program may be stored in a non-volatile computer readable storage medium, and where the program, when executed, may include processes in the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), programmable ROM (PROM), electrically Programmable ROM (EPROM), electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link (SYNCHLINK) DRAM (SLDRAM), memory bus (Rambus) direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples are preferred embodiments of the present invention, but the embodiments of the present invention are not limited to the above examples, and any other changes, modifications, substitutions, combinations, and simplifications that do not depart from the spirit and principle of the present invention should be made in the equivalent manner, and the embodiments are included in the protection scope of the present invention.
Claims (7)
1. The video key management method for automatic backup and recovery is characterized by comprising the following steps:
the key generator deploys a key backup service module and a key backup library in each key backup party;
the key generator authorizes each key backup party to receive the key backup package, and simultaneously authorizes each key backup party to distribute and acquire the key backup package;
the key generator assembles the key backup package according to the data format of the key backup library, encrypts and distributes the key backup package to the key backup service modules of all authorized key backup parties through the key backup service module, and stores the key backup package into the key backup library of the key backup party for key backup;
when the video on demand needs to use the backup key, the key user obtains the historical backup key in the key backup library on the current stage platform, decrypts the video and plays the video;
when the key generator requests recovery, the key backup side is used for carrying out key recovery; after receiving the request, the key backup party decrypts the key backup library of the key backup party and encrypts the key backup library into a new key backup library, and sends the new key backup library to the key generation party through the key backup service module of the key backup party, and the key generation party decrypts the new key backup library sent by the key backup party and merges the new key backup library into the local key backup library; the key recovery is carried out by the key backup party, and the manual mode recovery of a key manager is supported, specifically:
dividing VKEK generated by a key generating party into m blocks through shamir threshold cryptography to be stored by m key administrators, and recovering VKEK,0<t < = m only by providing VKEK fragments by t key administrators when the key is recovered;
The data format of the key backup library adopts a directory hierarchical structure and comprises a fourth-level directory, wherein the first-level directory is the ID of the current-level platform, the second-level directory is the IDs of all front-end monitoring devices connected with the current-level platform, the third-level directory is all key version numbers of a certain front-end device, the fourth-level directory is each key backup file, and the public key ID of each key backup party is used as a file name;
The information in the key backup file includes: platform number PlatformID, front-end device number DevID, key version number KeyVersion, key generation time KEYCREATETIME, key algorithm identification KeyAlgID, key backup party public key identification BackupKeyID, encrypted key EncryptedKey, threshold identification ThresholdID, threshold m and t, key generation party public key identification CreatorKeyID, key generation party Signature;
the key backup is stored in a key backup library of the key backup party, and the key backup is carried out, specifically:
The key generator assembles a key backup package for all video key encryption keys VKEK of the last day at set time according to the data format of a key backup library, encrypts VKEK by adopting the public key of the key backup and puts the encrypted key encryptedKey field in the data format; if threshold segmentation is involved, dividing VKEK into m parts according to threshold parameters, adopting a public key pair VKEK of a key manager to encrypt, then placing the encrypted key encryptedKey field in a data format, and finally adopting a private key of a key generator to sign;
The key generator distributes the assembled key backup package to the key backup service module of each authorized key backup party in an HTTPpost or Email mode through the key backup service module;
after receiving the key backup package sent by the key generator, the key backup party authenticates the key generator IP first, and then verifies the signature by using the key generator certificate;
The key backup party performs incremental combination on the received key backup package and the previous key backup package to form a full-quantity key backup library of the node, and then performs safe backup;
The key backup side informs the key generation side that the key backup of the node is successful.
2. The method for automatically backing up and recovering video key management according to claim 1, wherein the key generator is a video key management system for generating video key encryption key VKEK, and the key backup is a device or a person assigned to the key generator for performing key backup, and the device or person comprises a signaling server, a gateway, a key manager terminal, and an upper layer video key management system.
3. The method for managing video keys for automatic backup and restore according to claim 1, wherein said key generator authorizes each key backup party to receive a key backup package, and the specific authorization configuration parameters include: the method comprises the steps of (1) a key backup party name, an access mode of the key backup party, an access address of the key backup party, a key encryption public key or certificate of the key backup party, a signature public key or certificate and a selection threshold identifier;
each key backup party authorizes the key generator to distribute and acquire the key backup package, and specific authorization configuration parameters comprise: the name of the key generator, the IP of the key generator, the public key or certificate of signature of the key generator, the public key or certificate of encryption.
4. The method for managing the video key of automatic backup and recovery according to claim 1, wherein when the backup key is needed to be used for video on demand, the key user obtains the historical backup key in the key backup library on the current stage platform, decrypts the video and plays the video, specifically:
when the video playing terminal plays the historical encrypted video file, the front-end monitoring equipment ID and VKEK version numbers are obtained through the SVAC video file;
the video playing terminal transmits the public key of the video playing terminal through a signaling server of the current stage platform, and the front end monitoring equipment ID and VKEK version numbers acquire VKEK;
The signaling server of the present stage platform authenticates the video playing terminal;
After the permission is determined, a signaling server of the current stage platform transmits a public key of a video playing terminal to a video key management system of the current stage platform, and a front end monitoring device ID and VKEK version numbers are obtained to obtain VKEK;
The video key management system of the present stage platform obtains the appointed VKEK from the present stage key backup library according to the front end monitoring device ID and the key version number, adopts the private key of the present stage platform to decrypt, and encrypts VKEK by the public key of the video playing terminal;
the video key management system of the present stage platform returns VKEK after encryption through the key backup service module of the present stage platform;
the video playing terminal decrypts VKEK by adopting the private key of the video playing terminal, decrypts the video encryption key VEK by utilizing VKEK, and then decrypts the encrypted video by utilizing VEK to play.
5. The method for managing the video key of automatic backup and restore according to claim 1, wherein the key restore by the key backup party comprises the following steps:
the key generation sends a recovery request to the key backup side;
After receiving the request, the key backup party authenticates the IP and the certificate of the key generation party, searches a key backup library of the key backup party after passing, uses a private key of the key backup party to decrypt, and uses a public key of the key generation party to encrypt to generate a new key backup package;
returning a new key backup package to the key generator by the key backup direction;
The key generator analyzes the new key backup package, decrypts the encrypted key encryptedKey field in the new key backup package by using the private key of the key generator, and if the key generator relates to the threshold parameter, the key encryptedKey field is combined with key factors decrypted by other key administrators;
And the key generator combines the decrypted key backup information with the local key backup library, and the key backup library is successfully restored.
6. An automatic backup and recovery video key management system, which is characterized in that the automatic backup and recovery video key management system is applied to the video key management method of any one of claims 1-5, and comprises a deployment module, an authorization module, a backup module, a use module and a recovery module;
the deployment module is used for deploying the key backup service module and the key backup library in each key backup party by the key generator;
The authorization module is used for authorizing each key backup party to receive the key backup package by the key generating party, and simultaneously authorizing the key generating party to distribute and acquire the key backup package by the key backup party;
The backup module is used for distributing the key backup information to each key backup party by the key generator to carry out key backup;
the using module is used for acquiring a video key and decrypting the video for playing when the video is on demand;
And the restoration module is used for acquiring the key backup package of each key backup party and merging the key backup package into the local key backup library when the key generator requests restoration.
7. A computer-readable storage medium storing a program, wherein the program, when executed by a processor, implements an automatic backup and restore video key management method according to any one of claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111290691.XA CN114124373B (en) | 2021-11-02 | 2021-11-02 | Video key management method and system for automatic backup and recovery |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111290691.XA CN114124373B (en) | 2021-11-02 | 2021-11-02 | Video key management method and system for automatic backup and recovery |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114124373A CN114124373A (en) | 2022-03-01 |
| CN114124373B true CN114124373B (en) | 2024-07-05 |
Family
ID=80380340
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111290691.XA Active CN114124373B (en) | 2021-11-02 | 2021-11-02 | Video key management method and system for automatic backup and recovery |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114124373B (en) |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107171796A (en) * | 2017-06-27 | 2017-09-15 | 济南浪潮高新科技投资发展有限公司 | A kind of many KMC key recovery methods |
Family Cites Families (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2007020065A (en) * | 2005-07-11 | 2007-01-25 | Hitachi Ltd | Decryption backup method, decryption restoration method, attestation device, individual key setting machine, user terminal, backup equipment, encryption backup program, decryption restoration program |
| CN101986596B (en) * | 2010-10-21 | 2014-06-25 | 无锡江南信息安全工程技术中心 | Key management mechanism |
| GB2532039B (en) * | 2014-11-06 | 2016-09-21 | Ibm | Secure database backup and recovery |
| US9842062B2 (en) * | 2015-05-31 | 2017-12-12 | Apple Inc. | Backup accessible by subset of related devices |
| CN105681031B (en) * | 2016-01-08 | 2018-12-21 | 成都卫士通信息产业股份有限公司 | A kind of storage encryption gateway key management system and method |
| CN106330868B (en) * | 2016-08-14 | 2019-11-26 | 北京数盾信息科技有限公司 | A kind of high speed network encryption storage key management system and method |
| CN106685645B (en) * | 2016-11-14 | 2019-05-28 | 郑州信大捷安信息技术股份有限公司 | A kind of cipher key backup for safety chip business cipher key and restoration methods and system |
| CN109240849B (en) * | 2018-08-09 | 2021-05-18 | 苏州市科远软件技术开发有限公司 | Data backup method and device and multipoint control unit for video conference system |
| CN109495247A (en) * | 2018-11-21 | 2019-03-19 | 北京深思数盾科技股份有限公司 | Cipher key backup, the method for recovery and encryption equipment |
| CN110086612B (en) * | 2019-04-26 | 2022-03-04 | 山大地纬软件股份有限公司 | Block chain public and private key backup and lost recovery method and system |
| CN110289955A (en) * | 2019-06-25 | 2019-09-27 | 杭州趣链科技有限公司 | A kind of key management method for serving certificate agency based on threshold cryptography model |
| US11271728B2 (en) * | 2019-12-20 | 2022-03-08 | Fujitsu Limited | Secure key management |
| CN112468297B (en) * | 2020-11-30 | 2022-10-18 | 中国工商银行股份有限公司 | Key backup method and device based on block chain |
| CN113037483A (en) * | 2021-04-20 | 2021-06-25 | 重庆九格慧科技有限公司 | Distributed key management method based on threshold |
-
2021
- 2021-11-02 CN CN202111290691.XA patent/CN114124373B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107171796A (en) * | 2017-06-27 | 2017-09-15 | 济南浪潮高新科技投资发展有限公司 | A kind of many KMC key recovery methods |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114124373A (en) | 2022-03-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP6968223B2 (en) | Methods, devices, and systems for quantum key distribution | |
| CN109995505B (en) | Data security duplicate removal system and method in fog computing environment and cloud storage platform | |
| CN106487821B (en) | Digital signature method based on Internet block chain technology | |
| US11831753B2 (en) | Secure distributed key management system | |
| CN109981255B (en) | Method and system for updating key pool | |
| CN110635906B (en) | Key management method and device for distributed block storage system | |
| CN108768647B (en) | Random number generation method for block chain | |
| CN107920052B (en) | Encryption method and intelligent device | |
| JP2020507243A5 (en) | ||
| CN111294349A (en) | Method and device for sharing data of Internet of things equipment | |
| CN110933112B (en) | Network access authentication method, device and storage medium | |
| CN113630249B (en) | Quantum network access security trusteeship client platform | |
| Pujar et al. | Survey on data integrity and verification for cloud storage | |
| CN109450951B (en) | Server-side security file management method, device and system | |
| CN112054901B (en) | Key management method and system supporting multiple key systems | |
| US20210111906A1 (en) | Pseudonym credential configuration method and apparatus | |
| CN114124373B (en) | Video key management method and system for automatic backup and recovery | |
| CN108494552B (en) | Cloud storage data deduplication method supporting efficient convergence key management | |
| US20130191646A1 (en) | System for exchanging data between at least one sender and one receiver | |
| CN115828290A (en) | Encryption and decryption method and device based on distributed object storage | |
| CN106790185B (en) | CP-ABE-based method and device for safely accessing authority dynamic update centralized information | |
| CN113259723B (en) | Decentralized video key management method, device and system | |
| CN106685646B (en) | Digital certificate key management method and management server | |
| CN116032472B (en) | Method and device for generating quantum security key and authentication parameter and root key center | |
| CN114499891B (en) | Signature server system and signature verification method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |