CN114154185A - Data encryption storage method based on national cryptographic algorithm - Google Patents

Publication number: CN114154185A
Authority: CN (China)
Prior art keywords: key, data, encryption, value, algorithm
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN202111476473.5A
Other languages: Chinese (zh)
Inventors: 徐士强, 高传集, 董玉全
Current assignee: Inspur Cloud Information Technology Co Ltd (the listed assignees may be inaccurate)
Original assignee: Inspur Cloud Information Technology Co Ltd
Application filed by Inspur Cloud Information Technology Co Ltd
Priority to CN202111476473.5A
Publication of CN114154185A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Signal Processing (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a data encryption storage method based on national cryptographic algorithms, belonging to the field of data security. It comprises four parts: agreed key issuance, master key generation, data key generation, and data encryption. The key management service acts as the life-cycle management center for keys and is responsible for their centralized management; the keys cannot be obtained by outside parties and are used only by deriving a data key through the master key. Data is encrypted and decrypted locally, with the data key transmitted securely. This reduces data storage risk and improves the security of the encryption key.

Description

Data encryption storage method based on national cryptographic algorithm
Technical Field
The invention relates to the field of data security, in particular to a data encryption storage method based on a national cryptographic algorithm.
Background
Security technologies for data fall into three major categories: hiding, access control, and cryptography. Security of data transmission, security of data storage, and security control of data access all fall within the scope of data security. To address these data security problems, national cryptographic algorithms have been introduced, with the commercial versions comprising the SM1, SM2, SM3, SM4, SM7, and SM9 algorithms.
In the traditional approach to encrypting and storing a large file, the file is transmitted to a physical encryption machine for encryption and then returned for storage. Although this can ensure the security of the data, it cannot ensure security during transmission, and efficiency is low (depending on factors such as bandwidth).
Disclosure of Invention
In order to solve the above technical problems, the invention provides a data encryption storage method based on national cryptographic algorithms. It reduces data storage risk, improves the security of the encryption key, and ensures transmission security without using an SSL VPN. The invention is not limited to integration with the key management service; it can be extended to other business application scenarios, where it likewise ensures secure encrypted storage of data.
The technical scheme of the invention is as follows:
A data encryption storage method based on national cryptographic algorithms comprises four parts: agreed key issuance, master key (CMK) generation, data key (DEK) generation, and data encryption. The key management service acts as the life-cycle management center for keys and is responsible for their centralized management; the keys cannot be obtained by outside parties and are used only by deriving a data key through the master key. Data is encrypted and decrypted locally by integrating with the key management service and transmitting the data key securely.
Further, the method comprises the following steps:
Step 1): Agreed key issuance
An SM4 symmetric key value is generated through an online or offline operation to serve as the key for the HMACSM3 calculation, and is issued to users (one key per user). After receiving the key value, the user places it in the configuration file of the calling-side SDK so that subsequent code can use it.
Step 2): Master key generation
A master key is generated by calling the key management service.
Step 3): Data key generation
3.1) The client initializes, generates, and calculates its information.
3.2) After receiving the request, the server performs verification and other logic processing.
Step 4): Data encryption
After obtaining the data key, the user encrypts the local plaintext data.
Further,
in step 2), the key is a master key encrypted by a cryptographic card. All keys stored by the key management service are content encrypted by the hardware device; the key management service cannot read them directly, and they can be obtained only after decryption by the hardware device.
The master key supports only two types, SM4 and SM2. SM4 is a symmetric key: a key value is generated and stored in encrypted form in the key management service. SM2 generates a key pair, and the user can obtain the public key value for subsequent encryption and decryption operations.
Further,
step 3.1) further comprises:
3.11) the local cryptographic module generates a key pair based on the SM2 algorithm and then generates seed information;
3.12) a sign value is calculated over the input parameters with the HMACSM3 algorithm according to a rule (the HMACSM3 key is the key value issued in step 1);
3.13) the data key generation interface is called through the client SDK with the generated public key, the seed information, and the sign value.
Step 3.2) further comprises:
3.21) the signature is verified based on the information transmitted to the server, calculated with the HMACSM3 algorithm using the key issued in step 1;
3.22) after signature verification is completed, a data key a is generated based on the SM4 algorithm (at this point the data key is plaintext);
3.23) the server-side encryption machine is called to encrypt the data key with the master key, generating ciphertext b; ciphertext b is kept mainly for later decryption;
3.24) the data key a is encrypted with the SM2 public-key algorithm according to the transmitted public key and seed information to obtain a ciphertext key c; once this value is returned to the user side and decrypted, the plaintext data key is obtained;
3.25) finally, b and c are returned to the calling user (all returned data is encrypted).
For data decryption, the key management service is called with the stored data key b to obtain the plaintext data key, and the data ciphertext is then decrypted; signature verification and transmission of the public key information are likewise required.
The asymmetric key pair generated based on SM2 is a session-level key, with one key per use; the SM2, HMACSM3, and SM4 cryptographic algorithms are used throughout the interaction.
The invention performs encryption by transmitting the key, which improves the encryption efficiency for large files while maintaining security;
the national cryptographic signature algorithm based on the agreed key protects the data key against tampering;
data is stored securely with no plaintext, which prevents data leakage through database dumping;
the master key is protected by a hardware encryption card, giving a high security level, and cannot be copied.
Advantages of the invention
(1) The invention provides a new way to encrypt and store large files and greatly improves encryption efficiency while meeting security requirements.
(2) The invention is also suitable for encryption services in other business scenarios, and it reduces the performance overhead of the physical encryption machine.
(3) The invention improves the security of communication between services.
Drawings
FIG. 1 is a schematic workflow diagram of the present invention;
FIG. 2 is a master key generation flow diagram;
FIG. 3 is a data key acquisition flow chart.
Detailed Description
To make the objects, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described below clearly and completely with reference to the drawings. The described embodiments are some, but not all, embodiments of the present invention; all other embodiments obtained by a person of ordinary skill in the art without creative effort, based on the embodiments of the present invention, fall within the scope of the present invention.
The invention mainly addresses how to secure the stored data of large files when using the key management service, achieving secure data storage while maintaining efficiency.
The invention involves three relatively mature and commonly used algorithms: SM2, SM3, and SM4. By combining the different algorithms and adjusting each algorithm's mode and padding mode, it ensures the confidentiality and integrity of data in transit, ensures the security of data storage, and prevents data leakage caused by deliberate database dumping.
The invention mainly comprises four parts: agreed key issuance, master key (CMK) generation, data key (DEK) generation, and data encryption. The key management service acts as the life-cycle management center for keys and is responsible for their centralized management; the keys cannot be obtained by outside parties and are used only by deriving a data key through the master key. In encrypting and storing large files, the invention integrates with the key management service and performs data encryption and decryption locally by securely transmitting the data key, which greatly improves encryption efficiency and reduces dependence on bandwidth.
The technical scheme comprises the following steps:
Step one: Agreed key issuance
In this step, an SM4 symmetric key value is generated through an online or offline operation to serve as the key for the HMACSM3 calculation, and is issued to users (one key per user). After receiving the key value, the user places it in the configuration file of the calling-side SDK so that subsequent code can use it.
Step two: Master key generation
In this step, a master key (symmetric SM4 and asymmetric SM2 are supported) is generated by calling the key management service. The key is generally a master key encrypted by a cryptographic card. All keys stored by the key management service are content encrypted by the hardware device; the key management service cannot read them directly, and they can be obtained only after decryption by the hardware device. The master key currently supports only two types, SM4 and SM2. SM4 is a symmetric key: a key value is generated and stored in encrypted form in the key management service. SM2 generates a key pair, and the user can obtain the public key value for subsequent encryption and decryption operations. See FIG. 2 for details.
Step three: Data key generation
This step is the core of the invention; it covers not only the generation of the data key but also the return of the data key and the authentication process.
1) The client initializes, generates, and calculates its information.
• The local cryptographic module generates a key pair based on the SM2 algorithm and then generates seed information and so on.
• A sign value is calculated over the input parameters with the HMACSM3 algorithm according to a certain rule (the HMACSM3 key is the key value issued in step one).
• The data key generation interface is called through the client SDK with the generated public key, seed information, and sign value.
2) After receiving the request, the server performs verification and other logic processing.
• The signature is verified based on the information transmitted to the server, calculated with the HMACSM3 algorithm using the key issued in step one.
• After signature verification is completed, a data key a is generated based on the SM4 algorithm (at this point the data key is plaintext).
• The server-side encryption machine is called to encrypt the data key with the master key, generating ciphertext b. Ciphertext b is kept mainly for later decryption.
• The data key a is encrypted with the SM2 public-key algorithm according to the transmitted public key and seed information to obtain a ciphertext key c; once this value is returned to the user side and decrypted, the plaintext data key is obtained.
• Finally, b and c are returned to the calling user (all returned data is encrypted at this point).
The above is the whole execution process; see FIG. 3 for the specific flow.
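The signed request of step three, from the client's sign calculation to the server's check, can be sketched as follows. This is an added example, not code from the patent: the length-prefixed field rule, the `user_id` field, and all key, seed, and public-key bytes are assumptions constructed for illustration, and SM3 is written out inline only so the block runs without third-party libraries.

```python
import hmac
import struct

# SM3 hash (GB/T 32905), written out so the example has no third-party imports.
IV = (0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
      0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E)
MASK = 0xFFFFFFFF

def rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK

def compress(v, block):
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):                      # message expansion
        x = w[j - 16] ^ w[j - 9] ^ rotl(w[j - 3], 15)
        p1 = x ^ rotl(x, 15) ^ rotl(x, 23)
        w.append(p1 ^ rotl(w[j - 13], 7) ^ w[j - 6])
    a, b, c, d, e, f, g, h = v
    for j in range(64):                          # 64 compression rounds
        t = 0x79CC4519 if j < 16 else 0x7A879D8A
        ss1 = rotl((rotl(a, 12) + e + rotl(t, j)) & MASK, 7)
        ss2 = ss1 ^ rotl(a, 12)
        if j < 16:
            ff, gg = a ^ b ^ c, e ^ f ^ g
        else:
            ff, gg = (a & b) | (a & c) | (b & c), (e & f) | (~e & g)
        tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & MASK
        tt2 = (gg + h + ss1 + w[j]) & MASK
        a, b, c, d = tt1, a, rotl(b, 9), c
        e, f, g, h = tt2 ^ rotl(tt2, 9) ^ rotl(tt2, 17), e, rotl(f, 19), g
    return tuple(s ^ n for s, n in zip(v, (a, b, c, d, e, f, g, h)))

def sm3(data: bytes) -> bytes:
    pad = b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    padded = data + pad + struct.pack(">Q", 8 * len(data))
    v = IV
    for i in range(0, len(padded), 64):
        v = compress(v, padded[i:i + 64])
    return struct.pack(">8I", *v)

def hmac_sm3(key: bytes, msg: bytes) -> bytes:
    # Standard HMAC construction with SM3 (64-byte block) as the hash.
    if len(key) > 64:
        key = sm3(key)
    key = key.ljust(64, b"\x00")
    inner = sm3(bytes(k ^ 0x36 for k in key) + msg)
    return sm3(bytes(k ^ 0x5C for k in key) + inner)

def canonical(user_id: bytes, public_key: bytes, seed: bytes) -> bytes:
    # Assumed rule (the patent only says "a certain rule"): length-prefix each
    # field so that shifting bytes between fields changes the signed message.
    fields = (user_id, public_key, seed)
    return b"".join(struct.pack(">I", len(p)) + p for p in fields)

def build_request(agreed_key, user_id, public_key, seed):
    # Client side: sign the session public key and seed with the agreed key.
    sign = hmac_sm3(agreed_key, canonical(user_id, public_key, seed))
    return {"user_id": user_id, "public_key": public_key,
            "seed": seed, "sign": sign}

def verify_request(agreed_keys, req) -> bool:
    # Server side: recompute with this user's agreed key, compare in constant
    # time, and only then go on to generate and wrap the data key.
    key = agreed_keys.get(req["user_id"])
    if key is None:
        return False
    expected = hmac_sm3(key, canonical(req["user_id"], req["public_key"], req["seed"]))
    return hmac.compare_digest(expected, req["sign"])

# Constructed sample values (not real keys; the public key is a placeholder
# byte string, not a valid SM2 point).
AGREED_KEYS = {b"user-001": bytes.fromhex("00112233445566778899aabbccddeeff")}
SAMPLE_PUBKEY = b"\x04" + bytes(range(64))
SAMPLE_SEED = bytes.fromhex("a1b2c3d4e5f60718")

if __name__ == "__main__":
    req = build_request(AGREED_KEYS[b"user-001"], b"user-001", SAMPLE_PUBKEY, SAMPLE_SEED)
    print("genuine request accepted:", verify_request(AGREED_KEYS, req))
    swapped = dict(req, public_key=b"\x04" + bytes(64))
    print("swapped public key accepted:", verify_request(AGREED_KEYS, swapped))
```

Because the sign value covers the session public key, a request whose public key was replaced in transit fails verification before any data key is encrypted to it. The patent does not say whether the server also checks the seed for reuse, so replay handling is left out here.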
Step four: data encryption
In the step, after the user takes the data keys b and c, the encryption operation of the data is carried out aiming at the local plaintext data. The method mainly comprises the following steps:
Figure BDA0003393704280000067
a plaintext data key is obtained.
And the user decrypts the data key c according to a private key in a key pair initially generated based on the SM2 algorithm to obtain a plaintext data key.
Figure BDA0003393704280000068
The plaintext data is encrypted.
Encrypting the plaintext using a plaintext data key based on an SM4 encryption algorithm, obtaining data ciphertext,
Figure BDA0003393704280000069
and releasing the plaintext data key in the memory.
Figure BDA00033937042800000610
And (4) the encrypted data key and the data ciphertext are stored in a disk-falling mode.
And (4) performing off-disk storage on the data key b and the data ciphertext, wherein all the stored data are encrypted at the moment, and the user side does not store data and keys related to the plaintext.
When data decryption is performed, a key management service is also called according to the stored data key b to obtain a plaintext data key, and then a data ciphertext is decrypted. The process is similar to the encryption process, and signature verification and public key information transmission are also required. Therefore, the integrity and confidentiality of the data in the whole encryption and decryption process are ensured, and the data is prevented from being intercepted and tampered.
Remarking: the asymmetric key pair generated based on SM2 belongs to a session-level key, one-time pad. In the whole interaction process, cryptographic algorithms such as SM2, HMACSM3 and SM4 are adopted.
The invention mainly solves the problems of the security of the process of obtaining the key from the key management service, the security of the storage of the key and the security of the storage of data. By the method, the data storage risk can be reduced, the security of the encryption key is improved, and the transmission security is ensured without using ssl _ vpn. The invention can be expanded to other business application scenes without being limited to the use of the butt joint with the key management service, and the safe encrypted storage of the data can be ensured by the invention.
The above description is only a preferred embodiment of the present invention, and is only used to illustrate the technical solutions of the present invention, and not to limit the protection scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (8)

1. A data encryption storage method based on national cryptographic algorithms, characterized in that
the method comprises four parts: agreed key issuance, master key generation, data key generation, and data encryption; the key management service acts as the life-cycle management center for keys and is responsible for their centralized management; the keys cannot be obtained by outside parties and are used only by deriving a data key through the master key; data is encrypted and decrypted locally, with the data key transmitted securely.
2. The method of claim 1, characterized in that
the method comprises the following steps:
Step 1): Agreed key issuance
An SM4 symmetric key value is generated through an online or offline operation to serve as the key for the HMACSM3 calculation, and is issued to users (one key per user); after receiving the key value, the user places it in the configuration file of the calling-side SDK so that subsequent code can use it;
Step 2): Master key generation
A master key is generated by calling the key management service;
Step 3): Data key generation
3.1) the client initializes, generates, and calculates its information;
3.2) after receiving the request, the server performs verification and other logic processing;
Step 4): Data encryption
After obtaining the data key, the user encrypts the local plaintext data.
3. The method of claim 2, characterized in that
in step 2), the key is a master key encrypted by a cryptographic card; all keys stored by the key management service are content encrypted by the hardware device; the key management service cannot read them directly, and they can be obtained only after decryption by the hardware device.
4. The method of claim 3, characterized in that
the master key supports only two types, SM4 and SM2, wherein SM4 is a symmetric key, for which a key value is generated and stored in encrypted form in the key management service; SM2 generates a key pair, and the user can obtain the public key value for subsequent encryption and decryption operations.
5. The method of claim 4, characterized in that
step 3.1) further comprises:
3.11) the local cryptographic module generates a key pair based on the SM2 algorithm and then generates seed information;
3.12) a sign value is calculated over the input parameters with the HMACSM3 algorithm according to a rule (the HMACSM3 key is the key value issued in step 1);
3.13) the data key generation interface is called through the client SDK with the generated public key, the seed information, and the sign value.
6. The method of claim 5, characterized in that
step 3.2) further comprises:
3.21) the signature is verified based on the information transmitted to the server, calculated with the HMACSM3 algorithm using the key issued in step 1;
3.22) after signature verification is completed, a data key a is generated based on the SM4 algorithm (at this point the data key is plaintext);
3.23) the server-side encryption machine is called to encrypt the data key with the master key, generating ciphertext b; ciphertext b is kept mainly for later decryption;
3.24) the data key a is encrypted with the SM2 public-key algorithm according to the transmitted public key and seed information to obtain a ciphertext key c; once this value is returned to the user side and decrypted, the plaintext data key is obtained;
3.25) finally, b and c are returned to the calling user (all returned data is encrypted).
7. The method of claim 6, characterized in that
for data decryption, the key management service is called with the stored data key b to obtain the plaintext data key, and the data ciphertext is then decrypted; signature verification and transmission of the public key information are likewise required.
8. The method of claim 7, characterized in that
the asymmetric key pair generated based on SM2 is a session-level key, with one key per use; the SM2, HMACSM3, and SM4 cryptographic algorithms are used throughout the interaction.
Application number: CN202111476473.5A
Priority date: 2021-12-06
Filing date: 2021-12-06
Title: Data encryption storage method based on national cryptographic algorithm
Status: Pending
Publication: CN114154185A (en), published 2022-03-08
Family ID: 80452682
Country: CN

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114598757A (en) * 2022-03-17 2022-06-07 浪潮云信息技术股份公司 Cloud native country secret key management method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination