CN114124422B - Key management method and device - Google Patents

Key management method and device

Info

Publication number: CN114124422B
Authority: CN (China)
Prior art keywords: key, authentication, identity, decryption key, role
Legal status: Active
Application number: CN202010899689.1A
Other languages: Chinese (zh)
Other versions: CN114124422A (en)
Inventor: 王东临
Current Assignee: BEIJING SURSEN NETWORK TECHNOLOGY CO LTD
Original Assignee: BEIJING SURSEN NETWORK TECHNOLOGY CO LTD

Events
  • Application filed by BEIJING SURSEN NETWORK TECHNOLOGY CO LTD
  • Priority to CN202010899689.1A
  • Priority to PCT/CN2021/115722 (published as WO2022042745A1)
  • Publication of CN114124422A
  • Priority to US18/175,886 (published as US20230208637A1)
  • Application granted
  • Publication of CN114124422B
  • Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 ... for authentication of entities > H04L 63/0876 ... based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 ... for authentication of entities > H04L 63/083 ... using passwords
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a key management method and device, and relates to the technical field of encryption. The method comprises the following steps: after confirming that a user logs in to a digital identity through a first identity authentication mode, acquiring a first authentication decryption key corresponding to the first identity authentication mode; obtaining an initially encrypted first role decryption key from a server side and decrypting it with the first authentication decryption key to obtain a first role decryption key, wherein the first role decryption key corresponds to a first role among the at least one role of the digital identity; decrypting the encrypted target key stored in the digital identity based on the first role decryption key to obtain a target key, wherein the target key is used for managing the asset corresponding to the first role. The technical scheme provided by the application enables a user to log in to a digital identity through existing identity information and to manage assets without memorizing complicated keys, which provides great convenience for the user.

Description

Key management method and device
Technical Field
The present application relates to the field of encryption technologies, and in particular, to a method and an apparatus for managing a key.
Background
As blockchain technology grows, more and more investors come into contact with digital currency. However, the keys used to manage digital currency are very difficult to memorize because they are long and have no regular structure, which is a barrier to the adoption of digital currency. In order to let users store keys more conveniently and more reliably, some solutions have appeared on the market in recent years; however, none of them truly relieves users of the burden of key management.
Meanwhile, the Internet of Things is developing rapidly, and more and more products in daily life are becoming intelligently managed. However, the many intelligent products force users to manage numerous scattered accounts, which is rather inconvenient, and poor management of those accounts can even pose a safety hazard to the user's assets.
Disclosure of Invention
In view of the above, in order to solve the above-mentioned problems faced by users in asset management in the prior art, embodiments of the present application provide a key management method and apparatus.
According to a first aspect of an embodiment of the present application, there is provided a key management method, including: after confirming that a user logs in to a digital identity through a first identity authentication mode, acquiring a first authentication decryption key corresponding to the first identity authentication mode; obtaining an initially encrypted first role decryption key from a server side and decrypting it with the first authentication decryption key to obtain a first role decryption key, wherein the first role decryption key corresponds to a first role among the at least one role of the digital identity; decrypting the encrypted target key stored in the digital identity based on the first role decryption key to obtain a target key, wherein the target key is used for managing the asset corresponding to the first role.
According to a second aspect of an embodiment of the present application, there is provided a key management apparatus including: a key acquisition module, used for acquiring a first authentication decryption key corresponding to the first identity authentication mode when it is confirmed that the user has logged in to the digital identity through the first identity authentication mode; a first decryption module, used for acquiring an initially encrypted first role decryption key from the server side and decrypting it with the first authentication decryption key to obtain a first role decryption key, wherein the first role decryption key corresponds to a first role among the at least one role of the digital identity; and a second decryption module, used for decrypting the encrypted target key stored in the digital identity based on the first role decryption key to obtain the target key, wherein the target key is used for managing the asset corresponding to the first role.
According to a third aspect of an embodiment of the present application, there is provided a computer apparatus comprising: a processor; a memory comprising computer instructions stored thereon which, when executed by a processor, implement the key management method provided in the first aspect above.
According to a fourth aspect of embodiments of the present application, there is provided a computer readable storage medium comprising computer instructions stored thereon, which when executed by a processor, cause the processor to perform the key management method provided in the first aspect above.
The key management method and device provided by the embodiment of the application at least comprise the following effects:
the user can log in to the digital identity through existing identity information and manage assets without memorizing complicated keys, which provides great convenience for the user; at the same time, the risk of key leakage or loss is eliminated, so the user no longer needs to worry about whether the way the key is kept is reliable, and the safety of the user's assets can be ensured to a great extent.
It is to be understood that the foregoing description of the technical effects is exemplary and explanatory only and is not restrictive of the application.
Drawings
Fig. 1 is a schematic system architecture of a key management system according to an exemplary embodiment of the present application.
Fig. 2 is a flow chart of a key management method according to an exemplary embodiment of the present application.
Fig. 3 is a schematic diagram of a key management device according to an exemplary embodiment of the present application.
Fig. 4 is a block diagram of an electronic device according to an exemplary embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of the present application fall within the scope of the present application.
Summary of the application
As described above, in an environment in which the internet has developed and spread rapidly, users need to manage their own assets with many account passwords, keys and the like. However, the number of products and platforms is bewildering, rarely used account passwords are easy to forget, keys are long and hard to remember, and management becomes very difficult.
Aiming at the technical problems, the basic idea of the application is to provide a key management method and a device, wherein the digital identity is introduced into a key management system, and the digital identity is utilized to replace a user to manage assets by utilizing a cryptography method, so that the key management method and the device are very convenient, and the asset security of the user can be ensured to a great extent. The key management system provided by the application can ensure that the user can properly manage the own assets only by managing the digital identity, thereby greatly reducing the pressure of the user and saving a great deal of energy for the user.
Exemplary System
Fig. 1 is a schematic system architecture of a key management system according to an exemplary embodiment of the present application. As shown in fig. 1, the key management system includes an electronic device 11, an electronic device 12, and a server 20.
The electronic device may be a mobile device such as a mobile phone, a game console, a tablet computer, a camera, a video camera or a vehicle-mounted computer; a computer such as a notebook or desktop computer; or any other electronic device that includes a processor and memory. The embodiment of the application does not limit the type of electronic device.
The electronic device 11 obtains the user's authorization through the first identity authentication mode, generates a first authentication encryption key, encrypts the role decryption key with the first authentication encryption key, and stores the encrypted role decryption key on the server 20, thereby completing the creation of the digital identity. The electronic device 12 can then manage or use the role decryption key by acquiring the encrypted role decryption key from the server 20 and decrypting it. In practice, the above process may be performed by a client installed on the electronic device 11 and/or the electronic device 12. It should be appreciated that in some embodiments the electronic device 11 may be the same device as the electronic device 12.
The server 20 is provided on the internet for establishing a communication connection with the electronic device, receiving and executing instructions from the electronic device, and/or receiving and storing data from the electronic device.
It should be noted that the above application scenario is only shown for the convenience of understanding the spirit and principle of the present application, and the embodiment of the present application is not limited thereto. Rather, embodiments of the present application may be applied to any scenario where it may be applicable.
Exemplary method
Fig. 2 is a flow chart of a key management method according to an exemplary embodiment of the present application. The method may be performed by a client on the electronic device 12 (hereinafter referred to as the login client). As shown in fig. 2, the method may include the following steps:
S210: after confirming that a user has logged in to the digital identity through a first identity authentication mode, a first authentication decryption key corresponding to the first identity authentication mode is obtained.
Specifically, a user may have at least one authentication means for authenticating a digital identity, including a first authentication means. Here, the authentication means is used to prove that the user has the right to login to the digital identity.
Further, one digital identity may be associated with only one identity authentication method, or may be associated with a plurality of identity authentication methods. The plurality of identity authentication modes can correspond to the same user or a plurality of different users. In practical application, the login client can display all identity authentication modes available for user selection to the user in a list form and the like so that the user can select; the automatic selection can also be performed by fingerprint identification, facial identification or card swiping and the like. When the user selects to log in through the first identity authentication mode, the login client performs identity authentication on the user through the first identity authentication mode, and allows the user to log in the digital identity after the authentication is passed.
In an embodiment, the digital identity may correspond to a natural person, a virtual identity, or an organization. That is, all natural persons, virtual identities or organizations may hold at least one digital identity for managing assets that they have administrative rights to. For example, company a acts as an organization, having a company a digital identity; staff B of company A is taken as a natural person and has a digital identity of B; in addition, B has created a virtual identity C and has a C digital identity. Embodiments of the present application are not limited herein to holders of digital identities.
In another embodiment, a user may have login rights for multiple digital identities, and may further manage assets corresponding to the multiple digital identities. For example, a user may log in to his or her own digital identity, to the company to which he or she belongs, or to the virtual identity. Here, the embodiment of the present application does not limit the number of digital identities that one user can correspond to.
Further, when a user has login rights for a plurality of digital identities, at least one authentication method of the user may be set to correspond to the plurality of digital identities for which the user has login rights. That is, the user can log in a plurality of digital identities through at least one identity authentication mode, so that assets corresponding to the plurality of digital identities can be managed.
It should be understood that the term "user" as used in the present application is not limited to natural persons, but may include, for example, machines, monkeys, virtual identities, organizations, etc., and the present application is not limited to the true identity of a user.
The at least one authentication mode may authenticate the user by means of at least one piece of existing information of the user, where the existing information may include any existing authentication means held by the user, such as a third-party platform account, a terminal system account, a mobile phone number account, an identity authentication chip, a digital certificate, a proprietary storage space account, a key, a password, or a human biometric feature. The third-party platform account may be a social platform account, a shopping platform account, a financial platform account, a network service account, an intelligent Internet of Things platform account or the like held by the user, for example a WeChat account, a panda account or a mobile banking account. It should be understood that embodiments of the present application are not limited to any particular type of existing information of the user.
In practice, each identity authentication mode may have a corresponding authentication key, which may consist of a mutually corresponding pair of an authentication encryption key and an authentication decryption key. For example, in the key management method shown in fig. 2, the first identity authentication mode corresponds to the first authentication encryption key and the first authentication decryption key. The first authentication encryption key may be used to encrypt data according to the management authority of the first identity authentication mode, and the first authentication decryption key may be used to decrypt that encrypted data to recover it. It should be appreciated that the authentication encryption key and the authentication decryption key may be an asymmetric key pair, such as a public key and a private key, or may be symmetric keys; the present application is not limited in this respect.
In an embodiment, after confirming that the user logs in the digital identity through the first identity authentication mode, the login client may obtain a first authentication decryption key corresponding to the first identity authentication mode.
In a preferred embodiment, the first authentication decryption key is stored in an encrypted form on the server side, where the process of obtaining the first authentication decryption key by the client for login may include: acquiring an encrypted first authentication decryption key from a server side; acquiring a third storage key; and decrypting the encrypted first authentication decryption key by using the third storage key to obtain the first authentication decryption key.
Specifically, when the first authentication method is created, a client on the electronic device 11 (hereinafter referred to as a creation client) may generate a third storage key, encrypt the first authentication decryption key using the third storage key, and store the encrypted first authentication decryption key in the server.
Further, in an embodiment, in order to reduce the risk of disclosure of the third storage key, the third storage key may be generated based on the first authentication method, or the third storage key may be stored in association with the first authentication method, so that the client for login can only acquire the third storage key when the user logs in the digital identity through the first authentication method. Here, the manner in which the third storage key is created with the client may be different depending on the type of the first authentication manner. Correspondingly, the manner in which the login client obtains the third storage key may be different depending on the generation manner.
For example, when the first identity authentication mode is a third-party platform account, the login client may send a verification request to the first authentication end corresponding to the third-party platform account in order to obtain first identity authentication information. After receiving the verification request, the first authentication end can authenticate the user. Once verification has passed, the first authentication end can send the first identity authentication information containing the user's identity information to the login client, so that the login client can calculate the third storage key from the first identity authentication information. For example, when the first identity authentication mode is WeChat, the WeChat authentication end can send the user's WeChat ID to the login client after verifying the user's identity, and the login client can calculate the third storage key from the user's WeChat ID.
As another example, the first identity authentication mode may be an authentication chip capable of interacting with the login client. Here, the login client may read the first identity authentication information containing the user's identity information directly from the authentication chip and calculate the third storage key from it.
As a further example, the first identity authentication mode may authenticate a human biometric feature of the user. Here, the login client may acquire the user's biometric feature, extract the first identity authentication information from it, and calculate the third storage key.
It should be understood that the specific form of the authentication information and the specific manner of acquiring the authentication information are not limited in the present application, and any non-public information that can be acquired after passing the authentication and can verify the identity of the user may be used.
In another embodiment, the process of obtaining the third storage key by the login client may include: obtaining first identity authentication information through a first identity authentication mode; obtaining a first salt value from a server side; and calculating to obtain a third storage key according to the first identity authentication information and the first salt value. The creating client may generate a first salt value for calculating the third storage key when creating the first authentication method, and store the first salt value in the server.
In another embodiment, the process of obtaining the third storage key by the login client may include: obtaining first identity authentication information through a first identity authentication mode; acquiring personal information of a user; obtaining a first salt value from a server side; and calculating to obtain a third storage key according to the first identity authentication information, the user personal information and the first salt value. The login client can present a personal information input request to a user through a user interface and receive personal information input by the user. For example, the personal information of the user may be the name of the parent of the user.
In another embodiment, the third storage key may be pre-generated and stored locally and have an association with the first authentication means. The login client may obtain the third storage key associated with the first authentication method from the local after confirming that the user has logged in the digital identity by the first authentication method.
In another implementation manner of the foregoing embodiment, when the first authentication mode has a corresponding cloud service account, the third storage key may also be pre-generated and stored in a corresponding cloud of the first authentication mode. After confirming that the user logs in the digital identity through the first identity authentication mode, the login client can acquire a third storage key from the corresponding cloud of the first identity authentication mode.
Optionally, the login client may establish a secure connection with the server side before acquiring the encrypted first authentication decryption key from it. For example, a secure connection can be established with the server through a higher-security means such as a key negotiation algorithm, so as to protect the data exchanged during communication.
According to the key management method provided by the embodiment of the application, the authentication key is stored in an encrypted form, and the user is required to verify the corresponding identity authentication mode during decryption, so that the role key can be stored more safely, and the asset security of the user is further improved.
Alternatively, in another embodiment, the server side may be provided with a key database, and the encrypted first authentication decryption key may be stored in the key database. The process of obtaining the encrypted first authentication decryption key from the server side may include: acquiring a first login account and a first login password based on a first identity authentication mode; logging in a key database by using a first login account and a first login password; and acquiring the encrypted first authentication decryption key from the key database.
Specifically, when the first identity authentication mode is created, the creation client may send an account creation request to the server so that the server creates a first key database account for logging in to the key database. The first key database account corresponds to the first identity authentication mode and is used for storing the encrypted first authentication decryption key. Here, the first key database account may have an account number and a password, namely the first login account and the first login password, and the login client may log in to the key database with them and acquire data from it. It should be understood that the first login account and the first login password may be generated by the creation client and then sent to the server, or may be generated directly by the server; the embodiment of the present application does not limit this.
When the login client obtains the first login account and the first login password based on the first identity authentication mode, it may do so in one of several ways: calculate them from the first identity authentication mode; fetch pre-stored values from the cloud corresponding to the first identity authentication mode; or read values associated with the first identity authentication mode directly from local storage. It should be understood that the way the first login account and the first login password are obtained may correspond to the way they were generated when the first identity authentication mode was created, and the embodiment of the present application does not limit the specific ways of generating, obtaining and storing them.
According to the key management method provided by the embodiment of the application, the authentication key can be stored in an encrypted form, and the database account is established at the server end so as to better store the authentication key, so that the security of the key management system is further enhanced, and the asset security of a user can be ensured to a greater extent.
S220: an initially encrypted first role decryption key is acquired from the server, and decrypted with the first authentication decryption key to obtain a first role decryption key.
Here, the first role decryption key corresponds to a first role among the at least one role of the digital identity.
Specifically, a digital identity may comprise at least one role, including a first role. At least one role is used to manage assets held by the digital identity, different roles corresponding to different assets of the digital identity. When a digital identity has only one role, namely a first role, the first role can have the management authority for all the assets held by the digital identity; when a digital identity contains multiple roles, different roles in the multiple roles can respectively have management rights to different assets in the assets held by the digital identity, wherein the assets corresponding to the two different roles can be partially identical or completely different. For example, a digital identity may include a first role, a second role, and a third role, where the first role has the authority to manage a WeChat account, a microblog account, and a bus card, the second role has the authority to manage an intelligent door lock, a digital currency account, and the third role has the authority to manage a WeChat account and an intelligent door lock.
According to the key management method provided by the embodiment of the application, different roles are set in the digital identity, and different asset management authorities are allocated for the different roles, so that the assets can be divided according to the user requirements or the security level, the convenience of a key management system is improved, and the user can manage the assets more conveniently.
Further, each of the at least one role has a corresponding role key, which may consist of a mutually corresponding pair of a role encryption key and a role decryption key. For example, the first role corresponds to a first role encryption key and a first role decryption key. When a role is given management authority over at least one asset, the at least one target key corresponding to those assets can each be encrypted with the role encryption key of that role, yielding at least one encrypted target key that is stored in the digital identity. For example, the target key of the asset corresponding to the first role is encrypted with the first role encryption key to obtain the encrypted target key. Thus, once the login client has obtained the role decryption key, it can decrypt the encrypted target key with that role decryption key and so obtain the target key. It should be appreciated that the role encryption key and the role decryption key may be an asymmetric key pair, such as a public key and a private key, or may be symmetric keys; the present application is not limited in this respect.
After confirming that the user has logged in to the digital identity through the first identity authentication mode, the login client can acquire the initially encrypted first role decryption key corresponding to the first identity authentication mode from the server side and decrypt it with the first authentication decryption key to obtain the first role decryption key.
Specifically, when the user creates the first identity authentication mode for the digital identity, at least one role of the digital identity may be selected to be associated with that mode. On receiving the user's instruction, the creation client grants the first identity authentication mode the authority to manage the assets of the selected role or roles. In one embodiment, when the user selects the first role as the role corresponding to the first identity authentication mode, the creation client generates, while creating that mode, a first authentication encryption key and a first authentication decryption key, encrypts the first role decryption key with the first authentication encryption key, and stores the resulting initially encrypted first role decryption key on the server.
S230: decrypt the encrypted target key stored in the digital identity using the first role decryption key, to obtain the target key.
The target key is used to manage the asset corresponding to the first role. Specifically, the digital identity may hold at least one asset, such as a digital currency account or the accounts of various login methods. Each asset has at least one corresponding target key for managing it; a target key may, for example, represent ownership of the asset or the right to use, view or otherwise operate it.
Preferably, in another embodiment, after obtaining the target key the login client may use it to manage the corresponding asset according to the user's instructions. For example, when the target key is the key of a digital currency account, the user may issue an operation instruction to check the balance of that account. On receiving the operation instruction, the login client locates the corresponding encrypted target key, decrypts it with the first role decryption key to obtain the target key, and executes the instruction issued by the user.
Based on the key management method provided by the embodiment of the application, a user can log in to the digital identity with identity information they already hold and manage their assets without memorising complex keys, which is a considerable convenience. At the same time, because the user never has to keep the keys themselves, the method removes the risk of a key being leaked or lost through the user's own custody, so the user need not worry about whether their way of keeping the key is reliable, and the safety of the user's assets is protected to a large extent. Furthermore, all data is stored on the server only in encrypted form, with the keys needed to decrypt it held on the client side (zero knowledge on the part of the server), so the risk of data loss is largely avoided while the keys remain secret, which provides a sound basis for emergency services such as loss reporting, freezing and resetting. In such a design the secrecy of every key below the authentication decryption key ultimately rests on the identity authentication information from which the storage key is derived, so that information must itself be non-public and handled only on the client.
In an embodiment, the digital identity may further include a plurality of authority levels, each of which has the authority to manage the assets corresponding to at least one of the plurality of roles.
Specifically, each identity authentication mode associated with a digital identity has an authority level, and therefore has the asset management authority of at least one role corresponding to that level. For example, the first identity authentication mode may correspond to a first authority level among the plurality of authority levels, which has the authority to manage the assets corresponding to the first role, so a user who logs in to the digital identity through the first identity authentication mode can manage the assets corresponding to the first role. The second identity authentication mode may correspond to a second authority level, which has the authority to manage the assets corresponding to both the first role and the second role, so a user who logs in through the second identity authentication mode can manage the assets of the first role and the second role at the same time.
In practical application, when an authority level is to be granted to an identity authentication mode, for example when the first authority level is granted to the first identity authentication mode, the first authentication encryption key is used to encrypt the first role decryption key corresponding to the first authority level, yielding the initially encrypted first role decryption key. Thus, when the user logs in to the digital identity through the first identity authentication mode, the login client obtains the first authentication decryption key, locates the initially encrypted first role decryption key, and decrypts it with the first authentication decryption key to obtain the first role decryption key. As another example, when the second authority level is granted to the second identity authentication mode, the first role decryption key and the second role decryption key corresponding to the second authority level are each encrypted with the second authentication encryption key, yielding an initially encrypted first role decryption key and an initially encrypted second role decryption key. Similarly, when the user logs in through the second identity authentication mode, the login client obtains the second authentication decryption key, locates the initially encrypted first role decryption key and/or the initially encrypted second role decryption key as the user requires, and decrypts them with the second authentication decryption key to obtain the first role decryption key and/or the second role decryption key. Note that the same first role decryption key is therefore stored twice in wrapped form, once under each authentication encryption key; each wrapped copy is a separate ciphertext that only the corresponding authentication decryption key can open.
It should be understood that the specific division of assets, roles and authority levels, and the correspondences between them, can be set by those skilled in the art according to actual requirements, or customised by users within the system; the embodiments of the present application do not limit this.
Based on the key management method provided by the embodiment of the application, in addition to helping users manage their keys, different identity authentication modes can be given asset management authorities of different levels by setting authority levels, which makes the key management system more comprehensive and complete, adds convenience for users, and further improves the safety of user assets.
Exemplary apparatus
Fig. 3 is a schematic diagram of a key management apparatus 300 according to an exemplary embodiment of the present application. For example, the apparatus may be the electronic device 12 in the key management system. As shown in Fig. 3, the apparatus 300 may include: a key acquisition module 310, configured to acquire a first authentication decryption key corresponding to the first identity authentication mode once it is confirmed that the user has logged in to the digital identity through that mode; a first decryption module 320, configured to obtain an initially encrypted first role decryption key from the server and decrypt it with the first authentication decryption key to obtain a first role decryption key, the first role decryption key corresponding to a first role among the at least one role of the digital identity; and a second decryption module 330, configured to decrypt the encrypted target key stored in the digital identity using the first role decryption key to obtain the target key, the target key being used to manage the asset corresponding to the first role.
Specifically, a user may have at least one identity authentication mode for authenticating to a digital identity, including the first identity authentication mode. A digital identity may be associated with only one identity authentication mode or with several, and those several modes may belong to the same user or to different users.
In an embodiment, the digital identity may correspond to a natural person, a virtual identity or an organisation. That is, any natural person, virtual identity or organisation may hold at least one digital identity for managing the assets over which it has management authority.
In another embodiment, a user may have login rights to multiple digital identities, and may accordingly manage the assets corresponding to those digital identities.
Further, when a user has login rights to multiple digital identities, at least one of the user's identity authentication modes may be set to correspond to all of those digital identities. That is, the user can log in to multiple digital identities through a single identity authentication mode, and so manage the assets corresponding to all of them.
It should be understood that the term "user" as used in the present application is not limited to natural persons, but may include, for example, machines, monkeys, virtual identities, organisations and so on; the present application does not limit the true identity of a user.
The at least one identity authentication mode may authenticate the user by means of at least one piece of information the user already holds, and that existing information may include any existing authentication method already in the user's possession.
In practical application, each identity authentication mode may have a corresponding authentication key, which may consist of an authentication encryption key and a matching authentication decryption key. It should be appreciated that these may be an asymmetric key pair, such as a public key and a private key, or may be a single symmetric key; this is not limited here.
In another embodiment, the key acquisition module 310 may specifically include: an acquisition unit for acquiring the encrypted first authentication decryption key from the server; a computing unit for obtaining a third storage key; and a decryption unit for decrypting the encrypted first authentication decryption key with the third storage key to obtain the first authentication decryption key.
Specifically, when the first identity authentication mode is created, the creation client on the electronic device 11 may generate a third storage key, encrypt the first authentication decryption key with it, and store the encrypted first authentication decryption key on the server.
Further, in an embodiment, to reduce the risk of the third storage key being disclosed, it may be generated from the first identity authentication mode, or stored in association with that mode, so that the login client can obtain the third storage key only when the user logs in to the digital identity through the first identity authentication mode.
In that case, when the computing unit obtains the third storage key, it first obtains the first identity authentication information through the first identity authentication mode and then computes the third storage key from that information.
Further, in another embodiment, when creating the first identity authentication mode the creation client may generate a first salt value for computing the third storage key, and compute the third storage key from the first identity authentication information together with the first salt value. The salt is not secret and can be stored on the server; its purpose is to make the derived storage key specific to this identity authentication mode, so the same authentication information used elsewhere does not yield the same key.
In that case, the computing unit obtains the third storage key by: obtaining the first identity authentication information through the first identity authentication mode; obtaining the first salt value from the server; and computing the third storage key from the first identity authentication information and the first salt value.
In an embodiment, the server may provide a key database in which the encrypted first authentication decryption key is stored. The acquisition unit may obtain a first login account and a first login password based on the first identity authentication mode, log in to the key database with them, and retrieve the encrypted first authentication decryption key from the key database.
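The complete key hierarchy described in the method embodiment (target keys wrapped under role keys, role decryption keys wrapped under the authentication key of each identity authentication mode, and authority levels mapping a mode to a set of roles) together with the storage-key step of the apparatus embodiment (the third storage key derived from the identity authentication information and the first salt value, wrapping the authentication decryption key), as one added Go example. This is illustrative code written for this page, not the applicant's implementation. AES-256-GCM for every wrapping step, PBKDF2-HMAC-SHA256 for the storage key, symmetric (rather than public/private) authentication and role keys, the flat "salt/…", "auth/…", "role/…", "target/…" layout of the server's store, and the sample roles, assets and authentication secrets are all this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG (32 bytes = one AES-256 key).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable here
	}
	return b
}

// wrap encrypts plaintext with AES-256-GCM (this example's choice; the patent names no cipher) and prepends the fresh 12-byte nonce. Keys here are always 32 bytes, so NewCipher cannot fail.
func wrap(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := randomBytes(12)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// unwrap reverses wrap; a wrong key or a tampered blob fails the GCM tag check.
func unwrap(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, blob[:12], blob[12:], nil)
}

// deriveStorageKey is the "third storage key": PBKDF2-HMAC-SHA256 over the authentication information and the first salt value (one 32-byte block; the 100000 iterations are illustrative).
func deriveStorageKey(authInfo, salt []byte) []byte {
	mac := hmac.New(sha256.New, authInfo)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index INT(1)
	u, out := mac.Sum(nil), mac.Sum(nil) // U1 and the running XOR, as two independent copies
	for i := 1; i < 100000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(out, out, u)
	}
	return out
}

// Store is all the server holds: the public role/level layout, salts and ciphertext, never a plaintext key.
type Store struct {
	Assets, Levels map[string][]string // role -> assets it manages; auth mode -> roles of its authority level
	Blobs          map[string][]byte   // "salt/<mode>", "auth/<mode>", "role/<mode>/<role>", "target/<role>/<asset>"
}

// Create plays the creation client (authInfo: auth mode -> non-public authentication information); the plaintext target keys are returned only so a caller can check what Login recovers.
func Create(assets, levels map[string][]string, authInfo map[string][]byte) (*Store, map[string][]byte) {
	s := &Store{assets, levels, map[string][]byte{}}
	roleKey, targetKey := map[string][]byte{}, map[string][]byte{}
	for role, names := range assets {
		roleKey[role] = randomBytes(32) // symmetric, so role encryption key == role decryption key
		for _, a := range names {
			targetKey[a] = randomBytes(32)
			s.Blobs["target/"+role+"/"+a] = wrap(roleKey[role], targetKey[a]) // kept in the digital identity
		}
	}
	for mode, roles := range levels {
		authKey, salt := randomBytes(32), randomBytes(16) // symmetric authentication key, first salt value
		s.Blobs["salt/"+mode] = salt
		s.Blobs["auth/"+mode] = wrap(deriveStorageKey(authInfo[mode], salt), authKey)
		for _, r := range roles {
			s.Blobs["role/"+mode+"/"+r] = wrap(authKey, roleKey[r]) // the "initially encrypted role decryption key"
		}
	}
	return s, targetKey
}

// Login plays the login client: storage key -> authentication key -> role keys of this mode's authority level -> target keys, returned keyed by asset name.
func Login(s *Store, mode string, authInfo []byte) (map[string][]byte, error) {
	authKey, err := unwrap(deriveStorageKey(authInfo, s.Blobs["salt/"+mode]), s.Blobs["auth/"+mode])
	if err != nil {
		return nil, fmt.Errorf("authentication via %q failed: %w", mode, err)
	}
	out := map[string][]byte{}
	for _, role := range s.Levels[mode] {
		roleKey, err := unwrap(authKey, s.Blobs["role/"+mode+"/"+role])
		if err != nil {
			return nil, err
		}
		for _, asset := range s.Assets[role] {
			if out[asset], err = unwrap(roleKey, s.Blobs["target/"+role+"/"+asset]); err != nil {
				return nil, err
			}
		}
	}
	return out, nil
}
```

Call Create once per digital identity as the creation client, then Login once per identity authentication mode. A mode whose authority level covers only the first role yields only that role's target keys, while a mode covering two roles yields both, which is the authority-level behaviour described above. A wrong authentication secret fails at the very first unwrap, because the derived storage key is wrong, before any role or target key is touched; an unregistered mode fails the same way. Since the server holds nothing but salts, the public role/level layout and GCM ciphertexts, this is the "stored only in encrypted form" property the description relies on, and the strength of the whole chain is bounded by the entropy of the authentication information fed into the key derivation.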
Based on the key management apparatus provided by the embodiment of the application, a user can log in to the digital identity with identity information they already hold and manage their assets without memorising complex keys, which is a considerable convenience. At the same time, because the user never has to keep the keys themselves, the apparatus removes the risk of a key being leaked or lost through the user's own custody, so the user need not worry about whether their way of keeping the key is reliable, and the safety of the user's assets is protected to a large extent. Furthermore, all data is stored on the server only in encrypted form, with the keys needed to decrypt it held on the client side (zero knowledge on the part of the server), so the risk of data loss is largely avoided while the keys remain secret, which provides a sound basis for emergency services such as loss reporting, freezing and resetting.
It should be understood that, for convenience and brevity, the details of the apparatus described above, and of the specific working scenarios, processes and effects of its modules and units, may be found in the corresponding parts of the method embodiment of Fig. 2 and are not repeated here.
Fig. 4 is a block diagram of an electronic device according to an exemplary embodiment of the present application. Referring to Fig. 4, an electronic device 400 includes a processor 410 and memory resources, represented by a memory 420, for storing computer instructions executable by the processor 410, such as application programs. An application program stored in the memory 420 may include one or more modules, each corresponding to a set of instructions. The processor 410 is configured to execute the instructions so as to perform the key management method described above.
The electronic device 400 may also include a power component configured to manage the power of the electronic device 400, a wired or wireless network interface configured to connect the electronic device 400 to a network, and an input/output (I/O) interface. The electronic device 400 may operate on an operating system stored in the memory 420, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
A computer readable storage medium comprises computer instructions stored thereon. When executed by the processor of the electronic device 400, the instructions in the storage medium enable the electronic device 400 to perform a key management method. The key management method comprises the following steps: after confirming that a user has logged in to a digital identity through a first identity authentication mode, acquiring a first authentication decryption key corresponding to the first identity authentication mode; obtaining an initially encrypted first role decryption key from the server and decrypting it with the first authentication decryption key to obtain a first role decryption key, the first role decryption key corresponding to a first role among the at least one role of the digital identity; and decrypting the encrypted target key stored in the digital identity using the first role decryption key to obtain a target key, the target key being used to manage the asset corresponding to the first role.
Any combination of the above optional solutions may be adopted to form an optional embodiment of the present application, which is not described herein.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. The apparatus embodiments described above are merely illustrative: the division into modules and units is only a division by logical function, and other divisions are possible in practice; multiple modules or units may be combined or integrated into another system, or some features may be omitted or not performed. Likewise, the couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. On this understanding, the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
It should be noted that in the description of the present application, the terms "first," "second," "third," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Furthermore, in the description of the present application, unless otherwise indicated, the meaning of "a plurality" is two or more.
The foregoing description of the preferred embodiments of the application is not intended to be limiting, but rather is to be construed as including any modifications, equivalents, and alternatives falling within the spirit and principles of the application.

Claims (10)

1. A key management method, comprising:
after a user is confirmed to have logged in to a digital identity through a first identity authentication mode, obtaining a first authentication decryption key corresponding to the first identity authentication mode, wherein the first identity authentication mode is one of a plurality of identity authentication modes authorised to log in to the digital identity, the plurality of identity authentication modes include modes that authenticate the user by means of existing identity authentication methods held by the user, different identity authentication modes have different authority levels, the first identity authentication mode corresponds to a first authority level among a plurality of authority levels, the first authority level has the authority to manage the assets corresponding to a first role among a plurality of roles of the digital identity, each authority level among the plurality of authority levels has the authority to manage the assets corresponding to at least one role among the plurality of roles, and the roles corresponding to different authority levels are not identical;
obtaining an initially encrypted first role decryption key from a server, and decrypting the initially encrypted first role decryption key with the first authentication decryption key to obtain a first role decryption key, wherein the first role decryption key corresponds to the first role;
decrypting the encrypted target key stored in the digital identity using the first role decryption key to obtain a target key, wherein the target key is used to manage the asset corresponding to the first role.
2. The key management method according to claim 1, wherein the first identity authentication mode is one of a third-party platform account, a terminal system account, a mobile phone number account, an identity authentication chip, a digital certificate, a proprietary storage space account, a key, a password, and a biometric feature of the user, as held by the user.
3. The key management method according to claim 1, wherein the first identity authentication mode corresponds to a plurality of digital identities.
4. The key management method according to claim 1, wherein the digital identity corresponds to a natural person, a virtual identity, or an organisation.
5. The key management method according to any one of claims 1 to 4, wherein obtaining the first authentication decryption key corresponding to the first identity authentication mode comprises:
obtaining an encrypted first authentication decryption key from the server;
obtaining a third storage key;
and decrypting the encrypted first authentication decryption key with the third storage key to obtain the first authentication decryption key.
6. The key management method of claim 5, wherein the obtaining the third storage key comprises:
obtaining first identity authentication information through the first identity authentication mode, wherein the first identity authentication information is non-public information;
and calculating the third storage key according to the first identity authentication information.
7. The key management method according to claim 5, wherein the encrypted first authentication decryption key is stored in a key database of the server side, and the obtaining the encrypted first authentication decryption key from the server side includes:
acquiring a first login account and a first login password based on the first identity authentication mode, wherein the first login account corresponds to the first identity authentication mode, and the first login password corresponds to the first login account;
Logging in the key database by using the first login account and the first login password;
and acquiring the encrypted first authentication decryption key from the key database.
8. A key management apparatus, comprising:
a key acquisition module for obtaining a first authentication decryption key corresponding to a first identity authentication mode when a user is confirmed to have logged in to a digital identity through the first identity authentication mode, wherein the first identity authentication mode is one of a plurality of identity authentication modes authorised to log in to the digital identity, the plurality of identity authentication modes include modes that authenticate the user by means of existing identity authentication methods held by the user, different identity authentication modes have different authority levels, the first identity authentication mode corresponds to a first authority level among the plurality of authority levels, the first authority level has the authority to manage the assets corresponding to a first role among the plurality of roles of the digital identity, each authority level among the plurality of authority levels has the authority to manage the assets corresponding to at least one role among the plurality of roles, and the roles corresponding to different authority levels are not identical;
a first decryption module for obtaining an initially encrypted first role decryption key from the server and decrypting the initially encrypted first role decryption key with the first authentication decryption key to obtain a first role decryption key, wherein the first role decryption key corresponds to the first role;
and a second decryption module for decrypting the encrypted target key stored in the digital identity using the first role decryption key to obtain a target key, wherein the target key is used to manage the asset corresponding to the first role.
9. An electronic device, comprising:
a processor;
a memory comprising computer instructions stored thereon that, when executed by the processor, cause the processor to perform the key management method of any of claims 1 to 7.
10. A computer readable storage medium comprising computer instructions stored thereon, which when executed by a processor, cause the processor to perform the key management method of any of claims 1 to 7.
CN202010899689.1A 2020-08-31 2020-08-31 Key management method and device Active CN114124422B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202010899689.1A CN114124422B (en) 2020-08-31 2020-08-31 Key management method and device
PCT/CN2021/115722 WO2022042745A1 (en) 2020-08-31 2021-08-31 Key management method and apparatus
US18/175,886 US20230208637A1 (en) 2020-08-31 2023-02-28 Key management method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010899689.1A CN114124422B (en) 2020-08-31 2020-08-31 Key management method and device

Publications (2)

Publication Number Publication Date
CN114124422A CN114124422A (en) 2022-03-01
CN114124422B true CN114124422B (en) 2023-09-12

Family

ID=80360082

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010899689.1A Active CN114124422B (en) 2020-08-31 2020-08-31 Key management method and device

Country Status (1)

Country Link
CN (1) CN114124422B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114666064B (en) * 2022-03-25 2024-08-06 广东启链科技有限公司 Digital asset management method, device, storage medium and equipment based on blockchain

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101951384A (en) * 2010-09-29 2011-01-19 南京信息工程大学 Distributed security domain logic boundary protection method
CN102420690A (en) * 2010-09-28 2012-04-18 上海可鲁系统软件有限公司 Fusion and authentication method and system of identity and authority in industrial control system
CN108092808A (en) * 2017-12-12 2018-05-29 郑州云海信息技术有限公司 A kind of method for managing security of data center's total management system
CN111090622A (en) * 2019-10-18 2020-05-01 西安电子科技大学 Cloud storage information processing system and method based on dynamic encryption RBAC model

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10367643B2 (en) * 2016-03-28 2019-07-30 Symantec Corporation Systems and methods for managing encryption keys for single-sign-on applications


Also Published As

Publication number Publication date
CN114124422A (en) 2022-03-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant