CN114553557A - Key calling method, key calling device, computer equipment and storage medium - Google Patents

Key calling method, key calling device, computer equipment and storage medium Download PDF

Info

Publication number
CN114553557A
CN114553557A CN202210175980.3A CN202210175980A CN114553557A CN 114553557 A CN114553557 A CN 114553557A CN 202210175980 A CN202210175980 A CN 202210175980A CN 114553557 A CN114553557 A CN 114553557A
Authority
CN
China
Prior art keywords
key
copy
encryption
terminal
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210175980.3A
Other languages
Chinese (zh)
Other versions
CN114553557B (en
Inventor
梅发茂
周安
马腾腾
吴勤勤
邓大为
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Power Grid Co Ltd
Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd
Original Assignee
Guangdong Power Grid Co Ltd
Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong Power Grid Co Ltd, Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd filed Critical Guangdong Power Grid Co Ltd
Priority to CN202210175980.3A priority Critical patent/CN114553557B/en
Priority claimed from CN202210175980.3A external-priority patent/CN114553557B/en
Publication of CN114553557A publication Critical patent/CN114553557A/en
Application granted granted Critical
Publication of CN114553557B publication Critical patent/CN114553557B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Abstract

The application relates to a key calling method, a key calling device, a computer device, a storage medium and a computer program product. The method comprises the following steps: receiving authentication information sent by a terminal, and carrying out validity verification according to the authentication information; under the condition that the validity verification is passed, acquiring password information sent by the terminal, and performing identity verification according to the password information; under the condition that the identity authentication is passed, determining corresponding encryption key copy according to the received password information, wherein the encryption key copy is matched with an encryption key stored in an encryption dictionary; the encrypted key copy is sent to the terminal so that the terminal can decrypt the encrypted key copy based on a locally stored decryption key to obtain a data key, and the data key is used for encrypting and decrypting power grid data; wherein, the decryption key and the encryption key are matched key pairs. By adopting the method, the safety of the key calling can be improved.

Description

Key calling method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a computer device, a storage medium, and a computer program product for key invocation.
Background
At present, most of communication between a terminal and a server adopts symmetric encryption, most of keys of the symmetric encryption are plaintext character string constants which are directly written in the terminal and a cloud code, and the terminal is easy to attack when the key stored in the cloud needs to be called. Once the secret key is leaked, all the ciphertexts transmitted by the terminal or the application butted with the cloud end are cracked, and further serious data leakage is caused.
Therefore, a secure key invoking method is urgently needed to ensure the transmission security of the terminal when invoking the key.
Disclosure of Invention
In view of the above, it is necessary to provide a key invoking method, an apparatus, a computer device, a computer readable storage medium, and a computer program product, which can improve security of key invocation.
In a first aspect, the present application provides a key invoking method. The method comprises the following steps:
receiving authentication information sent by a terminal, and carrying out validity verification according to the authentication information;
under the condition that the validity verification is passed, acquiring password information sent by a terminal, and performing identity verification according to the password information;
under the condition that the identity authentication is passed, determining a corresponding encryption key copy according to the received password information, wherein the encryption key copy is matched with an encryption key stored in an encryption dictionary;
the encrypted key copy is sent to the terminal so that the terminal can decrypt the encrypted key copy based on a locally stored decryption key to obtain a data key, and the data key is used for encrypting and decrypting power grid data; wherein the decryption key and the encryption key are a matching key pair.
In some embodiments, the authentication information is obtained by the terminal obtaining a symmetric key through a one-way hash algorithm, encrypting an authentication encryption key carried in the stored digital certificate by using the symmetric key, and using an encryption result as the authentication information.
In some embodiments, the performing validity verification according to the authentication information includes:
decrypting the authentication information according to a pre-stored authentication decryption key matched with the authentication encryption key to obtain a symmetric key;
calculating the authentication information by using a one-way hash algorithm to obtain a symmetric key copy;
and comparing the symmetric key copy with the symmetric key, and confirming that the validity verification is passed when the symmetric key copy is consistent with the symmetric key.
In some embodiments, the performing authentication according to the password information includes:
encrypting the password information by using a one-way hash algorithm to obtain an encrypted password copy;
and comparing the encrypted password copy with an encrypted password stored in an encrypted dictionary in advance, and determining that the identity authentication is passed when the encrypted password copy is consistent with the encrypted password.
In some embodiments, the method further comprises: and analyzing the identification information carried in the password information, and searching an encrypted password corresponding to the identification information in an encrypted dictionary according to the identification information.
In some embodiments, said determining a corresponding copy of an encryption key from said received password information comprises:
analyzing the equipment information carried in the password information, and calling an asymmetric cryptographic algorithm to generate an encryption key according to the equipment information;
and binding and storing the generated encryption key and the password information into an encryption dictionary, and copying the encryption key to obtain an encryption key copy matched with the encryption key.
In a second aspect, the present application further provides a key invoking device. The device comprises:
the authentication module is used for receiving authentication information sent by the terminal and carrying out validity verification according to the authentication information;
the verification module is used for acquiring password information sent by the terminal under the condition that the validity verification is passed, and performing identity verification according to the password information;
the calling module is used for determining corresponding encryption key copy according to the received password information under the condition that the identity authentication is passed, wherein the encryption key copy is matched with an encryption key stored in an encryption dictionary;
the sending module is used for sending the encrypted key copy to the terminal so that the terminal can decrypt the encrypted key copy based on a locally stored decryption key to obtain a data key, and the data key is used for encrypting and decrypting power grid data; wherein the decryption key and the encryption key are a matching key pair.
In some embodiments, the authentication information is obtained by the terminal obtaining a symmetric key through a one-way hash algorithm, encrypting an authentication encryption key carried in the stored digital certificate by using the symmetric key, and using an encryption result as the authentication information.
In some embodiments, the authentication module is further configured to decrypt the authentication information according to a pre-stored authentication decryption key that matches the authentication encryption key, so as to obtain a symmetric key; calculating the authentication information by using a one-way hash algorithm to obtain a symmetric key copy; and comparing the symmetric key copy with the symmetric key, and confirming that the validity verification is passed when the symmetric key copy is consistent with the symmetric key.
In some embodiments, the authentication module is further configured to encrypt the password information using a one-way hash algorithm to obtain an encrypted password copy; and comparing the encrypted password copy with an encrypted password stored in an encrypted dictionary in advance, and determining that the identity authentication is passed when the encrypted password copy is consistent with the encrypted password.
In some embodiments, the apparatus further includes a lookup module, where the lookup module is configured to analyze identification information carried in the password information, and lookup an encrypted password corresponding to the identification information in an encrypted dictionary according to the identification information.
In some embodiments, the calling module is further configured to analyze device information carried in the password information, and call an asymmetric cryptographic algorithm to generate an encryption key according to the device information; and binding and storing the generated encryption key and the password information into an encryption dictionary, and copying the encryption key to obtain an encryption key copy matched with the encryption key.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the following steps when executing the computer program:
receiving authentication information sent by a terminal, and carrying out validity verification according to the authentication information;
under the condition that the validity verification is passed, acquiring password information sent by a terminal, and performing identity verification according to the password information;
under the condition that the identity authentication is passed, determining a corresponding encryption key copy according to the received password information, wherein the encryption key copy is matched with an encryption key stored in an encryption dictionary;
the encrypted key copy is sent to the terminal so that the terminal can decrypt the encrypted key copy based on a locally stored decryption key to obtain a data key, and the data key is used for encrypting and decrypting power grid data; wherein the decryption key and the encryption key are a matching key pair.
In a fourth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
receiving authentication information sent by a terminal, and carrying out validity verification according to the authentication information;
under the condition that the validity verification is passed, acquiring password information sent by a terminal, and performing identity verification according to the password information;
under the condition that the identity authentication is passed, determining a corresponding encryption key copy according to the received password information, wherein the encryption key copy is matched with an encryption key stored in an encryption dictionary;
the encrypted key copy is sent to the terminal so that the terminal can decrypt the encrypted key copy based on a locally stored decryption key to obtain a data key, and the data key is used for encrypting and decrypting power grid data; wherein the decryption key and the encryption key are a matching key pair.
In a fifth aspect, the present application further provides a computer program product. The computer program product comprising a computer program which when executed by a processor performs the steps of:
receiving authentication information sent by a terminal, and carrying out validity verification according to the authentication information;
under the condition that the validity verification is passed, acquiring password information sent by a terminal, and performing identity verification according to the password information;
under the condition that the identity authentication is passed, determining a corresponding encryption key copy according to the received password information, wherein the encryption key copy is matched with an encryption key stored in an encryption dictionary;
the encrypted key copy is sent to the terminal so that the terminal can decrypt the encrypted key copy based on a locally stored decryption key to obtain a data key, and the data key is used for encrypting and decrypting power grid data; wherein, the decryption key and the encryption key are matched key pairs.
The key calling method, the key calling device, the computer equipment, the storage medium and the computer program product are used for receiving the authentication information sent by the terminal and verifying the validity; under the condition that the validity verification is passed, password information sent by the terminal is obtained and identity verification is carried out; under the condition that the identity authentication is passed, determining a corresponding encryption key copy according to the received password information, and sending the encryption key copy to the terminal so that the terminal can decrypt the encryption key copy based on a locally stored decryption key to obtain a data key, wherein the terminal can encrypt and decrypt the power grid data according to the data key, thereby realizing safe and efficient key calling.
Drawings
FIG. 1 is a diagram of an application environment for a key invocation method in one embodiment;
FIG. 2 is a flowchart illustrating a key invocation method according to one embodiment;
FIG. 3 is a flowchart illustrating the steps of validity verification in one embodiment;
FIG. 4 is a schematic flow chart diagram illustrating the steps of authentication in one embodiment;
FIG. 5 is a flowchart illustrating the steps of determining a copy of an encryption key in one embodiment;
FIG. 6 is a block diagram showing the structure of a key calling apparatus according to one embodiment;
FIG. 7 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The key calling method provided by the embodiment of the application can be applied to the application environment shown in fig. 1. Wherein the terminal 102 communicates with the server 104 via a network. The data storage system may store data that the server 104 needs to process. The data storage system may be integrated on the server 104, or may be located on the cloud or other network server. The server 104 sequentially performs validity verification and identity verification on the terminal 102, and calls the encryption key copy from the data dictionary and sends the encryption key copy to the terminal 102 under the condition that the double verification is passed; therefore, the terminal 102 can copy the data key according to the encryption key and use the data key to encrypt and decrypt the power grid data. The terminal 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices and portable wearable devices, and the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart car-mounted devices, and the like. The portable wearable device can be a smart watch, a smart bracelet, a head-mounted device, and the like. The server 104 may be implemented as a stand-alone server or as a server cluster comprised of multiple servers.
In one embodiment, as shown in fig. 2, a key invoking method is provided, which is described by taking the application of the method to the server in fig. 1 as an example, and includes the following steps:
step S202, receiving the authentication information sent by the terminal, and verifying the validity according to the authentication information.
Specifically, the server receives authentication information sent by the terminal, and verifies the legality of the terminal according to the authentication information; and if the validity verification is not passed, refusing the terminal to call the key.
The authentication information is obtained by acquiring a symmetric key through a one-way hash algorithm by the terminal, encrypting an authentication encryption key carried in the stored digital certificate by using the symmetric key, and taking an encryption result as the authentication information.
Specifically, the terminal calculates a hash value through a one-way hash algorithm, uses the hash value as a symmetric key, encrypts an authentication encryption key carried in a locally stored digital certificate by using the symmetric key to obtain an encryption result, and sends the encryption result as authentication information to the server for the server to perform validity verification. The one-way Hash algorithm is also called Hash algorithm, and the generation of message digest, key encryption and the like are realized by a function of changing an input message string with any length into an output string with fixed length. The digital certificate may be issued by a CA (Certification Authority) and stored by the terminal to the local storage space. Therefore, the authentication information obtained according to the digital certificate is provided through the terminal, and the validity verification is carried out according to the authentication information, so that the security of key calling is improved.
In some embodiments, as shown in fig. 3, performing validity verification according to the authentication information includes:
step S302, according to the pre-stored authentication decryption key matched with the authentication encryption key, the authentication information is decrypted to obtain a symmetric key.
And step S304, calculating the authentication information by using a one-way hash algorithm to obtain a symmetric key copy.
And step S306, comparing the symmetric key copy with the symmetric key, and confirming that the validity verification is passed when the symmetric key copy is consistent with the symmetric key.
Specifically, the server stores in advance an authentication decryption key that matches the authentication encryption key in the database, where the authentication encryption key and the authentication decryption key are a pair of matched keys, the authentication encryption key is used as a public key for encryption, and the authentication decryption key is used as a private key for decryption. The server issues the public key to the terminal in advance, and stores the private key. And the server decrypts the authentication information by using the authentication decryption key to obtain the symmetric key transmitted by the terminal. Meanwhile, the server calculates the authentication information by using a single three-column algorithm to obtain a hash value serving as a symmetric key copy. And the server compares the calculated symmetric key copy with the symmetric key extracted by decryption, and if the symmetric key copy is consistent with the symmetric key, the terminal is confirmed to pass the validity verification. Otherwise, if the two are not consistent, the terminal is determined to fail to pass the validity verification, and the terminal is refused to call the key so as to ensure the security of the key.
In the above embodiment, the terminal is subjected to validity verification, and the subsequent steps are continuously executed on the premise that the validity verification is passed, otherwise, the key calling is refused, so that the security of the key is ensured.
And step S204, acquiring password information sent by the terminal under the condition that the validity verification is passed, and performing identity verification according to the password information.
Specifically, under the condition that the server verifies that the legality of the terminal passes, the server continues to further verify the terminal so as to guarantee the security of key calling. Namely, the server receives the password information sent by the terminal and carries out identity authentication according to the password information, thereby determining the identity security of the terminal. Illustratively, the password information includes, for example, a login account number, a login password, and the like.
In some embodiments, as shown in fig. 4, the authentication based on password information includes:
step S402, the password information is encrypted by using a one-way hash algorithm to obtain an encrypted password copy.
And S404, comparing the encrypted password copy with the encrypted password pre-stored in the encrypted dictionary, and determining that the identity authentication is passed when the encrypted password copy is consistent with the encrypted password.
The encryption dictionary is used for storing encryption information, and intensively storing all secret keys for encrypting data, public keys and private keys of all data encryption users and other necessary information; the encryption dictionary firstly determines which password table the encrypted field belongs to; secondly, determining whether the user authorizes to access the encrypted field; and manages all authorized users and the keys they use.
The password table is a data association table created in advance for storing passwords, for example, a record must be added to the account in the database for storing the passwords and corresponding account numbers in the database every time an account number is created, and the user password is encrypted and calculated in the record to store the obtained value in the record.
Specifically, the server encrypts the password information by using a one-way hash algorithm, calculates a hash value, and copies the hash value as an encrypted password. And meanwhile, the server acquires the encrypted password stored in the encrypted dictionary in advance, compares the encrypted password copy obtained by calculation with the encrypted password stored in advance, and if the encrypted password copy is consistent with the encrypted password, the server determines that the authentication of the terminal is passed. Otherwise, if the two are not consistent, the server determines that the terminal fails to pass the identity authentication, and refuses the terminal to call the key so as to ensure the security of the key.
In some embodiments, the server obtains the encrypted password pre-stored in the encrypted dictionary by parsing the identification information carried in the password information and looking up the encrypted password corresponding to the identification information in the encrypted dictionary according to the identification information. Specifically, identification information is also included in the password information, and the identification information is used for referring to a storage index of the encrypted password. For example, the identification information may be account information, or ID information assigned in advance and corresponding to the terminal, or the like. Therefore, the server can use the identification information as an index for searching the encryption dictionary according to the identification information carried in the password information, search the encryption dictionary stored in the database and determine the encrypted password pointed by the identification information. Therefore, the quick search in the encryption dictionary can be realized through the identification information, the key calling efficiency is improved, and meanwhile, the encryption password is determined according to the identification information, so that the safety is further improved.
In the embodiment, the password information is provided by the terminal and the identity authentication is carried out according to the password information, the password authentication is required no matter the terminal stores the key or calls the key to the server, the stored key is protected by using a password encryption mode, and the security of key management is improved.
And step S206, under the condition that the identity authentication is passed, determining a corresponding encryption key copy according to the received password information, wherein the encryption key copy is matched with the encryption key stored in the encryption dictionary.
Wherein the encryption key copy is obtained by copying the encryption key stored in the encryption dictionary.
Specifically, under the condition that the server determines that the terminal passes the authentication, the server looks up the corresponding encryption key in the data dictionary according to the received password information, and copies the encryption key to obtain an encryption key copy for subsequent transmission.
In some cases, the data dictionary may not have an encryption key stored therein that corresponds to the password information, and thus the server may not look up the corresponding result. To this end, in some embodiments, as shown in FIG. 5, determining a corresponding copy of the encryption key based on the received password information includes:
and step S502, analyzing the equipment information carried in the password information, and calling an asymmetric cryptographic algorithm to generate an encryption key according to the equipment information.
Step S504, the generated encryption key and the password information are bound and stored in the encryption dictionary, and the encryption key is copied to obtain an encryption key copy matched with the encryption key.
The password information also carries device information, which includes, for example, an IP (Internet Protocol Address) Address, an MAC (Media Access Control Address) Address, an algorithm identifier, and the like of the terminal.
Specifically, when the server cannot find the encryption key corresponding to the password information in the data dictionary, the server analyzes and extracts the equipment information carried in the password information, and calculates the equipment information by calling an asymmetric cryptographic algorithm, so as to generate the encryption key. The server binds the generated encryption key and the password information and stores the encryption key and the password information in an encryption dictionary in an associated manner, so that the server can search for the encryption key according to the password information when the terminal calls the key next time. Meanwhile, the server copies the encryption key to obtain a copy of the encryption key, which is called as an encryption key copy and used for subsequent issuing.
In the embodiment, the key is generated by the asymmetric key technology, so that the security of the key in the static storage process is ensured; and cryptographic operations such as key generation of related algorithm identification are introduced, so that the key corresponding to the terminal is prevented from being falsely used or tampered, and the security of key management is improved.
Step S208, the encrypted key copy is sent to the terminal so that the terminal can decrypt the encrypted key copy based on a locally stored decryption key to obtain a data key, and the data key is used for encrypting and decrypting the power grid data; wherein, the decryption key and the encryption key are matched key pairs.
The decryption key and the encryption key are a pair of key pairs matched with each other, the encryption key is stored in the encryption dictionary as a public key, and the decryption key is stored by the terminal as a private key.
Specifically, the server copies the encryption key to the terminal, and after receiving the copy of the encryption key, the terminal decrypts the copy of the encryption key through a decryption key locally stored in the terminal to obtain a data key, so that the terminal calls the key, and after calling the key, the terminal can encrypt and decrypt the power grid data by using the data key to ensure the security of the power grid data in the transmission process.
In the key calling method, the validity is verified by receiving the authentication information sent by the terminal; under the condition that the validity verification is passed, password information sent by the terminal is obtained and identity verification is carried out; under the condition that the identity authentication is passed, determining a corresponding encryption key copy according to the received password information, and sending the encryption key copy to the terminal so that the terminal can decrypt the encryption key copy based on the locally stored decryption key to obtain a data key, wherein the terminal can encrypt and decrypt the power grid data according to the data key, thereby realizing safe and efficient key calling.
Since the key is kept secret at the core of the storage, exchange and transmission processes of the key, the key information should be in a ciphertext form when flowing. The key is usually encrypted and protected in the static storage process, and reliable hardware with a secure storage module can be used for protecting the key, so that an attacker cannot acquire key information in a static storage state, and the security of the key is ensured to the maximum extent. If there is a security environment operating independently and capable of strictly controlling access of external users, providing security functions such as separate execution and secure storage, it can fully provide security protection function for the key, such as TEE (Trusted execution environment).
For this reason, in some embodiments, the key calling method provided by the embodiment of the present application is applicable to TEE. Illustratively, the key calling method provided by the embodiment of the application is realized through an EAKMF key management framework. In an EAKMF key management framework, two conditions of symmetric key storage and asymmetric key storage are mainly provided, for an asymmetric key, the key is divided into a public key and a private key, the public key is public and does not need to be protected, the private key is private, and a strict protection mechanism is needed to ensure the safety of the private key, so that the EAKMF framework also ensures the safety of private key information by means of a TEE environment, the public key information is stored in a specific database, the integrity of the public key is verified before the public key is used each time, subsequent operations are continuously executed after the verification is passed, and otherwise, the operation is quitted.
In some embodiments, the data dictionary is stored in the TEE of the server, so that an attacker is prevented from attacking and damaging the database to cause a large amount of key leakage, and the security of the user key is further guaranteed.
In some embodiments, the decryption key stored in the terminal is stored in a TEE of local hardware, so as to prevent an attacker from attacking the TEE to cause the leakage of the key, ensure the security of the key, and further ensure the privacy security of the power grid data.
Therefore, the embodiment of the application encrypts the distribution of the secret key by using the asymmetric cryptographic algorithm, so that the safety of the secret key in the static storage process is ensured; the key generation and other cryptographic operations are introduced, the whole cryptographic operation process related to the key is completed in a trusted execution environment, and even an attacker with the ROOT authority cannot track the whole key generation process, so that the key information of a user cannot be acquired, and the security of the key in the use process is ensured.
It should be understood that, although the steps in the flowcharts related to the embodiments are shown in sequence as indicated by the arrows, the steps are not necessarily executed in sequence as indicated by the arrows. The steps are not limited to being performed in the exact order illustrated and, unless explicitly stated herein, may be performed in other orders. Moreover, at least a part of the steps in the flowcharts related to the above embodiments may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of performing the steps or stages is not necessarily sequential, but may be performed alternately or alternately with other steps or at least a part of the steps or stages in other steps.
Based on the same inventive concept, the embodiment of the present application further provides a key invoking device for implementing the above-mentioned key invoking method. The implementation scheme for solving the problem provided by the device is similar to the implementation scheme described in the above method, so specific limitations in one or more embodiments of the key calling device provided below may refer to the above limitations on the key calling method, and details are not described here.
In one embodiment, as shown in fig. 6, there is provided a key invocation apparatus 600, including: an authentication module 601, a verification module 602, a calling module 603, and a sending module 604, wherein:
the authentication module 601 is configured to receive authentication information sent by a terminal, and perform validity verification according to the authentication information.
The verification module 602 is configured to, in a case that the validity verification passes, obtain password information sent by the terminal, and perform identity verification according to the password information.
And a calling module 603, configured to determine, according to the received password information, a corresponding encryption key copy in the case that the authentication is passed, where the encryption key copy is matched with an encryption key stored in the encryption dictionary.
A sending module 604, configured to send the encrypted key copy to the terminal, so that the terminal decrypts the encrypted key copy based on a locally stored decryption key to obtain a data key, where the data key is used to encrypt and decrypt the power grid data; wherein, the decryption key and the encryption key are matched key pairs.
In some embodiments, the authentication information is obtained by the terminal obtaining a symmetric key through a one-way hash algorithm, encrypting the authentication encryption key carried in the stored digital certificate by using the symmetric key, and using the encryption result as the authentication information.
In some embodiments, the authentication module is further configured to decrypt the authentication information according to a pre-stored authentication decryption key that matches the authentication encryption key to obtain a symmetric key; calculating the authentication information by using a one-way hash algorithm to obtain a symmetric key copy; and comparing the symmetric key copy with the symmetric key, and confirming that the validity verification is passed when the symmetric key copy is consistent with the symmetric key.
In some embodiments, the verification module is further configured to encrypt the password information using a one-way hash algorithm to obtain an encrypted password copy; and comparing the encrypted password copy with the encrypted password stored in the encrypted dictionary in advance, and determining that the identity authentication is passed when the encrypted password copy is consistent with the encrypted password.
In some embodiments, the apparatus further includes a lookup module, where the lookup module is configured to parse the identification information carried in the password information, and lookup an encrypted password corresponding to the identification information in the encrypted dictionary according to the identification information.
In some embodiments, the calling module is further configured to analyze device information carried in the password information, and call an asymmetric cryptographic algorithm to generate an encryption key according to the device information; and binding and storing the generated encryption key and the password information into an encryption dictionary, and copying the encryption key to obtain an encryption key copy matched with the encryption key.
The various modules in the key invoking device described above may be implemented in whole or in part by software, hardware, and combinations thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 7. The computer device includes a processor, a memory, an Input/Output interface (I/O for short), and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing key data. The input/output interface of the computer device is used for exchanging information between the processor and an external device. The communication interface of the computer device is used for connecting and communicating with an external terminal through a network. The computer program is executed by a processor to implement a key invocation method.
Those skilled in the art will appreciate that the architecture shown in fig. 7 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program: receiving authentication information sent by a terminal, and carrying out validity verification according to the authentication information; under the condition that the validity verification is passed, acquiring password information sent by the terminal, and performing identity verification according to the password information; under the condition that the identity authentication is passed, determining corresponding encryption key copy according to the received password information, wherein the encryption key copy is matched with an encryption key stored in an encryption dictionary; the encrypted key copy is sent to the terminal so that the terminal can decrypt the encrypted key copy based on a locally stored decryption key to obtain a data key, and the data key is used for encrypting and decrypting power grid data; wherein, the decryption key and the encryption key are matched key pairs.
In one embodiment, the processor, when executing the computer program, further performs the steps of: decrypting the authentication information according to a pre-stored authentication decryption key matched with the authentication encryption key to obtain a symmetric key; calculating the authentication information by using a one-way hash algorithm to obtain a symmetric key copy; and comparing the symmetric key copy with the symmetric key, and confirming that the validity verification is passed when the symmetric key copy is consistent with the symmetric key.
In one embodiment, the processor, when executing the computer program, further performs the steps of: encrypting the password information by using a one-way hash algorithm to obtain an encrypted password copy; and comparing the encrypted password copy with the encrypted password stored in the encrypted dictionary in advance, and determining that the identity authentication is passed when the encrypted password copy is consistent with the encrypted password.
In one embodiment, the processor when executing the computer program further performs the steps of: and analyzing the identification information carried in the password information, and searching the encrypted password corresponding to the identification information in the encrypted dictionary according to the identification information.
In one embodiment, the processor when executing the computer program further performs the steps of: analyzing the equipment information carried in the password information, and calling an asymmetric cryptographic algorithm to generate an encryption key according to the equipment information; and binding and storing the generated encryption key and the password information into an encryption dictionary, and copying the encryption key to obtain an encryption key copy matched with the encryption key.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of: receiving authentication information sent by a terminal, and carrying out validity verification according to the authentication information; under the condition that the validity verification is passed, acquiring password information sent by the terminal, and performing identity verification according to the password information; under the condition that the identity authentication is passed, determining corresponding encryption key copy according to the received password information, wherein the encryption key copy is matched with an encryption key stored in an encryption dictionary; the encrypted key copy is sent to the terminal so that the terminal can decrypt the encrypted key copy based on a locally stored decryption key to obtain a data key, and the data key is used for encrypting and decrypting power grid data; wherein, the decryption key and the encryption key are matched key pairs.
In one embodiment, the computer program when executed by the processor further performs the steps of: decrypting the authentication information according to a pre-stored authentication decryption key matched with the authentication encryption key to obtain a symmetric key; calculating the authentication information by using a one-way hash algorithm to obtain a symmetric key copy; and comparing the symmetric key copy with the symmetric key, and confirming that the validity verification is passed when the symmetric key copy is consistent with the symmetric key.
In one embodiment, the computer program when executed by the processor further performs the steps of: encrypting the password information by using a one-way hash algorithm to obtain an encrypted password copy; and comparing the encrypted password copy with the encrypted password stored in the encrypted dictionary in advance, and determining that the identity authentication is passed when the encrypted password copy is consistent with the encrypted password.
In one embodiment, the computer program when executed by the processor further performs the steps of: and analyzing the identification information carried in the password information, and searching the encrypted password corresponding to the identification information in the encrypted dictionary according to the identification information.
In one embodiment, the computer program when executed by the processor further performs the steps of: analyzing the equipment information carried in the password information, and calling an asymmetric cryptographic algorithm to generate an encryption key according to the equipment information; and binding and storing the generated encryption key and the password information into an encryption dictionary, and copying the encryption key to obtain an encryption key copy matched with the encryption key.
In one embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, performs the steps of: receiving authentication information sent by a terminal, and carrying out validity verification according to the authentication information; under the condition that the validity verification is passed, acquiring password information sent by the terminal, and performing identity verification according to the password information; under the condition that the identity authentication is passed, determining corresponding encryption key copy according to the received password information, wherein the encryption key copy is matched with an encryption key stored in an encryption dictionary; the encrypted key copy is sent to the terminal so that the terminal can decrypt the encrypted key copy based on a locally stored decryption key to obtain a data key, and the data key is used for encrypting and decrypting power grid data; wherein, the decryption key and the encryption key are matched key pairs.
In one embodiment, the computer program when executed by the processor further performs the steps of: decrypting the authentication information according to a pre-stored authentication decryption key matched with the authentication encryption key to obtain a symmetric key; calculating the authentication information by using a one-way hash algorithm to obtain a symmetric key copy; and comparing the symmetric key copy with the symmetric key, and confirming that the validity verification is passed when the symmetric key copy is consistent with the symmetric key.
In one embodiment, the computer program when executed by the processor further performs the steps of: encrypting the password information by using a one-way hash algorithm to obtain an encrypted password copy; and comparing the encrypted password copy with the encrypted password stored in the encrypted dictionary in advance, and determining that the identity authentication is passed when the encrypted password copy is consistent with the encrypted password.
In one embodiment, the computer program when executed by the processor further performs the steps of: and analyzing the identification information carried in the password information, and searching the encrypted password corresponding to the identification information in the encrypted dictionary according to the identification information.
In one embodiment, the computer program when executed by the processor further performs the steps of: analyzing the equipment information carried in the password information, and calling an asymmetric cryptographic algorithm to generate an encryption key according to the equipment information; and binding and storing the generated encryption key and the password information into an encryption dictionary, and copying the encryption key to obtain an encryption key copy matched with the encryption key.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high-density embedded nonvolatile Memory, resistive Random Access Memory (ReRAM), Magnetic Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene Memory, and the like. Volatile Memory can include Random Access Memory (RAM), external cache Memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others. The databases referred to in various embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a block chain based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum computing based data processing logic devices, etc., without limitation.
All possible combinations of the technical features in the above embodiments may not be described for the sake of brevity, but should be considered as being within the scope of the present disclosure as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A key invocation method, characterized in that the method comprises:
receiving authentication information sent by a terminal, and carrying out validity verification according to the authentication information;
under the condition that the validity verification is passed, acquiring password information sent by a terminal, and performing identity verification according to the password information;
under the condition that the identity authentication is passed, determining a corresponding encryption key copy according to the received password information, wherein the encryption key copy is matched with an encryption key stored in an encryption dictionary;
the encrypted key copy is sent to the terminal so that the terminal can decrypt the encrypted key copy based on a locally stored decryption key to obtain a data key, and the data key is used for encrypting and decrypting power grid data; wherein the decryption key and the encryption key are a matching key pair.
2. The method according to claim 1, wherein the authentication information is obtained by the terminal obtaining a symmetric key through a one-way hash algorithm, encrypting the authentication encryption key carried in the stored digital certificate with the symmetric key, and using the encryption result as the authentication information.
3. The method according to claim 2, wherein the performing validity verification according to the authentication information comprises:
decrypting the authentication information according to a pre-stored authentication decryption key matched with the authentication encryption key to obtain a symmetric key;
calculating the authentication information by using a one-way hash algorithm to obtain a symmetric key copy;
and comparing the symmetric key copy with the symmetric key, and confirming that the validity verification is passed when the symmetric key copy is consistent with the symmetric key.
4. The method of claim 1, wherein the performing identity verification according to the password information comprises:
encrypting the password information by using a one-way hash algorithm to obtain an encrypted password copy;
and comparing the encrypted password copy with an encrypted password stored in an encrypted dictionary in advance, and determining that the identity authentication is passed when the encrypted password copy is consistent with the encrypted password.
5. The method of claim 4, further comprising:
and analyzing the identification information carried in the password information, and searching an encrypted password corresponding to the identification information in an encrypted dictionary according to the identification information.
6. The method of claim 1, wherein determining a corresponding copy of an encryption key based on the received password information comprises:
analyzing the equipment information carried in the password information, and calling an asymmetric cryptographic algorithm to generate an encryption key according to the equipment information;
and binding and storing the generated encryption key and the password information into an encryption dictionary, and copying the encryption key to obtain an encryption key copy matched with the encryption key.
7. A key recall apparatus, the apparatus comprising:
the authentication module is used for receiving authentication information sent by the terminal and carrying out validity verification according to the authentication information;
the verification module is used for acquiring password information sent by the terminal under the condition that the validity verification is passed, and performing identity verification according to the password information;
the calling module is used for determining a corresponding encryption key copy according to the received password information under the condition that the identity authentication is passed, wherein the encryption key copy is matched with an encryption key stored in an encryption dictionary;
the sending module is used for sending the encrypted key copy to the terminal so that the terminal can decrypt the encrypted key copy based on a locally stored decryption key to obtain a data key, and the data key is used for encrypting and decrypting power grid data; wherein the decryption key and the encryption key are a matching key pair.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor realizes the steps of the method of any one of claims 1 to 6 when executing the computer program.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program realizes the steps of the method of any one of claims 1 to 6 when executed by a processor.
CN202210175980.3A 2022-02-24 Key calling method, device, computer equipment and storage medium Active CN114553557B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210175980.3A CN114553557B (en) 2022-02-24 Key calling method, device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210175980.3A CN114553557B (en) 2022-02-24 Key calling method, device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114553557A true CN114553557A (en) 2022-05-27
CN114553557B CN114553557B (en) 2024-04-30

Family

ID=

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115361168A (en) * 2022-07-15 2022-11-18 北京海泰方圆科技股份有限公司 Data encryption method, device, equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101764690A (en) * 2008-12-24 2010-06-30 广东电子工业研究院有限公司 Internet-based secret information communicating method
US20140372752A1 (en) * 2012-02-03 2014-12-18 David Sallis Method and database system for secure storage and communication of information
CN106230840A (en) * 2016-08-04 2016-12-14 南京邮电大学 A kind of command identifying method of high security
CN106446713A (en) * 2016-10-10 2017-02-22 广州智慧城市发展研究院 Encryption method and system for database content
CN113595742A (en) * 2021-08-02 2021-11-02 广东电网有限责任公司佛山供电局 Data transmission method, system, computer device and storage medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101764690A (en) * 2008-12-24 2010-06-30 广东电子工业研究院有限公司 Internet-based secret information communicating method
US20140372752A1 (en) * 2012-02-03 2014-12-18 David Sallis Method and database system for secure storage and communication of information
CN106230840A (en) * 2016-08-04 2016-12-14 南京邮电大学 A kind of command identifying method of high security
CN106446713A (en) * 2016-10-10 2017-02-22 广州智慧城市发展研究院 Encryption method and system for database content
CN113595742A (en) * 2021-08-02 2021-11-02 广东电网有限责任公司佛山供电局 Data transmission method, system, computer device and storage medium

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115361168A (en) * 2022-07-15 2022-11-18 北京海泰方圆科技股份有限公司 Data encryption method, device, equipment and medium

Similar Documents

Publication Publication Date Title
US11088850B2 (en) Retrieving public data for blockchain networks using highly available trusted execution environments
CN110417750B (en) Block chain technology-based file reading and storing method, terminal device and storage medium
CN103138939B (en) Based on the key access times management method of credible platform module under cloud memory module
CN113691502B (en) Communication method, device, gateway server, client and storage medium
US11831753B2 (en) Secure distributed key management system
CN110445840B (en) File storage and reading method based on block chain technology
CN112685786A (en) Financial data encryption and decryption method, system, equipment and storage medium
CN114244508A (en) Data encryption method, device, equipment and storage medium
CN117240625B (en) Tamper-resistant data processing method and device and electronic equipment
CN114499875A (en) Service data processing method and device, computer equipment and storage medium
CN113326529A (en) Decentralized architecture unifying method based on trusted computing
CN116049802B (en) Application single sign-on method, system, computer equipment and storage medium
CN117155549A (en) Key distribution method, key distribution device, computer equipment and storage medium
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN111382451A (en) Security level identification method and device, electronic equipment and storage medium
Jabbar et al. Design and Implementation of Hybrid EC-RSA Security Algorithm Based on TPA for Cloud Storage
CN115348107A (en) Internet of things equipment secure login method and device, computer equipment and storage medium
CN111541708B (en) Identity authentication method based on power distribution
CN114553557B (en) Key calling method, device, computer equipment and storage medium
CN112673591B (en) System and method for providing authorized third parties with secure key escrow access to a secret public ledger
CN114679299A (en) Communication protocol encryption method, device, computer equipment and storage medium
Malik et al. Cloud computing security improvement using Diffie Hellman and AES
WO2022199796A1 (en) Method and computer-based system for key management
Bojanova et al. Cryptography classes in bugs framework (BF): Encryption bugs (ENC), verification bugs (VRF), and key management bugs (KMN)
CN113285934A (en) Server cipher machine client IP detection method and device based on digital signature

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant