CN115412288A

CN115412288A - Key management method and device

Info

Publication number: CN115412288A
Application number: CN202210837262.8A
Authority: CN
Inventors: 谢绒娜; 史国振; 李宗俞; 李莉; 董秀则; 娄嘉鹏; 宋坤原
Original assignee: School Of Electronic Technology Central Office Of Communist Party Of China (beijing Institute Of Electronic Technology)
Current assignee: School Of Electronic Technology Central Office Of Communist Party Of China (beijing Institute Of Electronic Technology)
Priority date: 2022-07-15
Filing date: 2022-07-15
Publication date: 2022-11-29

Abstract

The invention provides a key management method and a device, which are applied to group communication, wherein the connection between group members adopts a tree structure, and the method comprises the following steps: generating a new group key according to a group key when the trigger item occurs and a random number or an identity of a newly added node in the tree structure based on a preset trigger item, and finishing updating the group key when the trigger item occurs; the trigger items comprise node adding, node leaving, preset time period, subgroup leaving and subgroup adding, and the random numbers are generated by root nodes in a tree structure; the invention independently completes the update of each group key by each node, avoids man-in-the-middle attack in key distribution, and simultaneously improves the freshness and confidentiality of the group key.

Description

Key management method and device

Technical Field

The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for managing a secret key.

Background

In the prior art, in the initialization stage, a manager of the entire group completes generation and distribution of a group key, the manager of the entire group performs distribution of the group key using a key negotiated with a group user, and the group user decrypts the group key using the key negotiated with the manager of the entire group after receiving a ciphertext of the group key to obtain the group key. The updating of the group key and the distribution of the group key to the group users are done by the administrator of the entire group as the group users change dynamically.

However, in terms of communication security, although the prior art realizes that the user newly joining the group cannot obtain the group key before joining and the user exiting the group cannot obtain the group key after exiting, the following two drawbacks still exist: the security of the technology is poor, the integrity and non-repudiation of the group key cannot be guaranteed, and the potential safety hazard of man-in-the-middle attack exists; the timing update of the group key cannot be realized, and the freshness of the group key cannot be ensured. In addition, the prior art has the defect of large calculation and communication burden of the manager of the whole group in terms of communication performance.

Disclosure of Invention

The invention provides a key management method and a device, which are used for solving the problems of poor communication safety and insufficient communication performance of the key management method in the prior art, and the updating of respective group keys is independently completed through each node, and simultaneously a key derivation function and an encryption authentication scheme are introduced, thereby avoiding man-in-the-middle attack in key distribution, and improving the freshness, confidentiality, integrity and non-repudiation of the group keys.

The invention provides a key management method, which is applied to group communication, wherein the connection between group members adopts a tree structure, and the method comprises the following steps:

generating a new group key according to a group key when the trigger item occurs and a random number or an identity of a newly added node in the tree structure based on a preset trigger item, and finishing updating the group key when the trigger item occurs;

the trigger items comprise node joining, node leaving, a preset time period, subgroup leaving and subgroup joining, and the random numbers are generated by root nodes in a tree structure.

According to the key management method provided by the present invention, before the generating a new group key based on the preset trigger item, according to the group key when the trigger item occurs, and the random number or the identity of the newly added node in the tree structure, and completing the updating of the group key when the trigger item occurs, the method further includes:

an individual key initialization step, namely generating respective seed keys and individual keys of respective child nodes by non-leaf nodes in a tree structure, and distributing the individual keys of the respective child nodes to the respective child nodes;

and initializing a group key, namely generating respective group keys by the non-leaf nodes based on the respective seed keys generated by the non-leaf nodes and the individual keys of the respective child nodes, and distributing the respective group keys to the leaf nodes of the tree structure layer by layer.

According to the key management method provided by the present invention, the generating respective seed keys and respective individual keys of respective child nodes by non-leaf nodes in the tree structure, and distributing the individual keys of the respective child nodes to the respective child nodes, specifically includes:

all nodes except the root node in the tree structure perform identity authentication with respective father nodes and negotiate respective session keys;

calling a random number generation function by the non-leaf node to generate respective seed keys;

calling a key derivation function by the non-leaf nodes to generate individual keys of the respective child nodes based on the identity of the child nodes of the non-leaf nodes and the seed keys of the non-leaf nodes;

sending, by the non-leaf nodes, individual keys of respective child nodes to the respective child nodes based on the session key.

According to the key management method provided by the present invention, after the sending, by the non-leaf node, the individual key of the respective child node to the respective child node based on the session key, the method further includes:

verifying, by child nodes of the non-leaf nodes, respective personal keys based on respective session keys;

and after the verification is passed, the child nodes of the non-leaf nodes store the respective personal keys.

According to the key management method provided by the present invention, the generating of the respective group key by the non-leaf node based on the respective seed key generated by the non-leaf node and the individual key of the respective child node, and the layer-by-layer distribution to the leaf nodes of the tree structure specifically includes:

calling a random number generation function by the root node of the tree structure to generate a random number initial state value;

calling, by the non-leaf nodes, key derivation functions to generate respective group keys based on the respective seed keys generated by the non-leaf nodes and the individual keys of the respective child nodes;

distributing group keys and initial random number values of all nodes from the node to the root node to the child nodes by all nodes including the root node except the leaf child nodes and the father nodes of the leaf nodes in the tree structure;

the parent node of the leaf node in the tree structure distributes the group keys of all nodes from the self node to the root node to the respective child nodes.

According to the key management method provided by the present invention, after the distributing the group key and the initial random number value of all nodes from the self node to the root node, the method further comprises:

verifying the group key and the initial random number value of all nodes from the parent node to the root node of each child node except the parent node of the leaf node and the parent node of the leaf node in the tree structure based on each individual key;

and after verification is passed, the child nodes of all nodes including the root node except the parent nodes of the leaf nodes and the parent nodes of the leaf nodes in the tree structure store the group keys and the random number initial state values of all nodes from the parent nodes to the root node, which are received by the child nodes respectively.

According to the key management method provided by the present invention, after said distributing the group keys of all nodes from the self node to the root node, the method further comprises:

verifying, by the leaf nodes in the tree structure, the received group keys of all nodes from the self node to the root node, which are sent by the respective parent nodes, based on the respective individual keys;

and after the verification is passed, the leaf child nodes in the tree structure store the received group keys of all the nodes from the self node to the root node, which are sent by the respective parent nodes.

According to the key management method provided by the present invention, the preset trigger item is a node join, and correspondingly, the new group key is generated according to the group key when the trigger item occurs, and the random number or the identity of the newly added node in the tree structure, and the update of the group key when the trigger item occurs is completed, which specifically includes:

generating an individual key of a newly added node by a father node of the newly added node, and sending the individual key of the newly added node to the newly added node;

based on the stored group keys and the identity identification of the newly added node when the node is added, calling a key derivation function by a non-leaf node of the tree structure, updating the stored group keys by itself, and sending the updated group keys of all nodes from the node to a root node to the leaf node by a parent node of the leaf node, wherein the updated group keys stored by the non-leaf node comprise the respective group keys;

or based on the respective group key when the node is added and the identity of the newly added node, calling a key derivation function by the non-leaf node of the tree structure, updating the respective group key by itself, and distributing the updated group keys of all nodes from the node to the root node to the leaf nodes of the tree structure layer by the non-leaf node;

or the nodes in the tree structure call a key derivation function to update the respective stored group keys according to the respective stored group keys when the nodes are added and the identity of the newly added node, and the parent node of the newly added node sends the updated group keys of all nodes from the node to the root node to the newly added node.

According to the key management method provided by the present invention, the generating of the individual key of the newly added node by the parent node of the newly added node and the sending of the individual key of the newly added node to the newly added node specifically include:

the newly added node and the father node of the newly added node carry out identity authentication and negotiate out a session key;

based on the identity of the newly added node and the seed key of the father node of the newly added node, calling a key derivation function by the father node of the newly added node to generate an individual key of the newly added node;

and sending the generated personal key of the newly-added node to the newly-added node by the parent node of the newly-added node based on the session key.

According to the key management method provided by the present invention, after the parent node of the newly joining node transmits the generated individual key of the newly joining node to the newly joining node, the method further includes:

verifying the personal key of the new joining node based on the session key;

and if the verification is passed, the newly added node stores the received personal key of the newly added node.

According to the key management method provided by the present invention, after the non-leaf node distributes the updated group key layer by layer from its own node to all nodes of the root node to the leaf node, the method further comprises:

verifying the group keys of all the nodes from the father node to the root node after the updating received by the nodes of the tree structure;

and after verification is passed, the node of the tree structure stores the updated group keys of all the nodes from the parent node to the root node after the update is received by the node of the tree structure.

According to the key management method provided by the present invention, the preset trigger item is a node leaving, and correspondingly, a new group key is generated according to the group key when the trigger item occurs, and the random number or the identity of the newly added node in the tree structure, and the update of the group key when the trigger item occurs is completed, which specifically includes:

based on the respective group key and the random number when the node leaves, the non-leaf node calls a key derivation function to update the respective group key by itself, and the non-leaf node distributes the updated group keys of all nodes from the self node to the root node to the leaf node layer by layer;

or calling a key derivation function to update the respective stored group key by the non-leaf nodes in the tree structure according to the respective stored group key and random number when the nodes leave, and sending the updated group keys of all nodes from the self node to the root node to the leaf node by the parent node of the leaf node.

According to the key management method provided by the present invention, after the non-leaf node distributes the updated group key layer by layer from its own node to all nodes of the root node to the leaf node, the method further includes:

According to the key management method provided by the present invention, when the preset trigger item is a preset time period, correspondingly, a new group key is generated according to the group key when the trigger item occurs, and the random number or the identity of the newly added node in the tree structure, and the update of the group key when the trigger item occurs is completed, which specifically includes:

based on the respective group key and the random number when the preset time period is reached, the non-leaf node calls a key derivation function to update the respective group key by itself, and the non-leaf node distributes the updated group keys of all nodes from the self node to the root node to the leaf node layer by layer;

or calling a key derivation function to update the respective stored group key by the non-leaf nodes in the tree structure according to the respective stored group key and random number when the preset time period is reached, and distributing the updated group keys of all nodes from the self node to the root node to the leaf node by the parent node of the leaf node.

According to the key management method provided by the present invention, after the non-leaf node distributes the updated group keys of all nodes from its own node to the root node to the leaf nodes layer by layer, the method further includes:

verifying the updated group keys of all nodes from the father node to the root node, which are received by the nodes of the tree structure;

According to the key management method provided by the present invention, the preset trigger item is a subgroup departure, and correspondingly, a new group key is generated according to the group key when the trigger item occurs, and the random number or the identity of the newly added node in the tree structure, and the update of the group key when the trigger item occurs is completed, which specifically includes:

calling a random number generating function by a root node of the tree structure to generate a new random number, and distributing the new random number to respective child nodes by all nodes including the root node except parent nodes of leaf nodes and leaf nodes in the tree structure;

based on the respective group key and the new random number when the subgroup leaves, calling a key derivation function by the non-leaf node, and updating the respective group key by self;

and the non-leaf node distributes the updated group keys of all the nodes from the self node to the root node to the leaf nodes layer by layer.

According to the key management method provided by the present invention, after said distributing said new random number, the method further comprises:

verifying the new random numbers received by the non-leaf nodes except the root node in the tree structure;

and after the verification is passed, storing the respectively received new random numbers by all the non-leaf nodes except the root node in the tree structure.

and after verification, the nodes of the tree structure store the updated group keys of all the nodes from the father node to the root node, which are received by the nodes of the tree structure.

According to the key management method provided by the present invention, the preset trigger item is added to a subgroup, and correspondingly, a new group key is generated according to the group key when the trigger item occurs, and the random number or the identity of the newly added node in the tree structure, and the update of the group key when the trigger item occurs is completed, which specifically includes:

generating a personal key of the highest management node of the newly added subgroup by a parent node of the highest management node of the newly added subgroup, and sending the generated personal key of the highest management node of the newly added subgroup to the highest management node of the newly added subgroup;

based on the respective group key when the subgroups are added and the identity of the highest management node of the newly added subgroups, calling a key derivation function by a non-leaf node in the tree structure, updating the respective group key by itself, and distributing the updated group keys of all nodes from the self node to the root node to the leaf nodes of the tree structure layer by the non-leaf node;

or the nodes in the tree structure call a key derivation function to update the stored group keys according to the stored group keys when the subgroups are added and the identity of the highest management node newly added into the subgroups;

sending the updated group key and random number of all nodes from the node to the root node to the newly-added subgroup highest management node by the father node of the newly-added subgroup highest management node;

and the initialization of the individual key and the group key of the newly added subgroup is realized by the highest management node of the newly added subgroup.

According to the key management method provided by the present invention, the generating, by the parent node of the highest management node of the newly added subgroup, the personal key of the highest management node of the newly added subgroup, and sending the generated personal key of the highest management node of the newly added subgroup to the highest management node of the newly added subgroup, specifically includes:

the newly added highest management node of the subgroup and a father node of the newly added subgroup carry out identity authentication and negotiate out a session key;

based on the identity of the highest management node of the newly added subgroup, calling a key derivation function by the parent node of the highest management node of the newly added subgroup, and generating the personal key of the highest management node of the newly added subgroup;

and based on the session key, sending the generated individual key of the newly-added subgroup highest management node to the newly-added subgroup highest management node by the parent node of the newly-added subgroup highest management node.

According to the key management method provided by the present invention, after the parent node of the newly added subgroup highest management node sends the generated individual key of the newly added subgroup highest management node to the newly added subgroup highest management node, the method further comprises:

verifying, by a newly-joined subgroup highest management node, the personal key based on the session key;

and after the verification is passed, the newly added subgroup highest management node saves the received personal key.

According to the key management method provided by the present invention, after the non-leaf node distributes the updated group key layer by layer from its own node to all nodes of the root node to the leaf nodes of the tree structure, the method further comprises:

According to the key management method provided by the invention, the initialization of the individual key and the group key of the newly added subgroup is realized by the highest management node of the newly added subgroup, and the method specifically comprises the following steps:

generating respective seed keys and individual keys of respective child nodes by non-leaf nodes newly added into the subgroups;

and generating respective group keys by the non-leaf nodes in the newly added subgroup based on the respective seed keys generated by the non-leaf nodes in the newly added subgroup and the individual keys of the respective child nodes, and distributing the group keys of all the nodes from the self node to the root node to the leaf nodes of the newly added subgroup layer by the non-leaf nodes of the newly added subgroup.

According to the key management method provided by the invention, the individual keys and the group keys are distributed by using a verifiable encryption scheme.

The invention also provides a key management device, which is applied to group communication, the connection between the group members adopts a tree structure, and the device comprises:

the group key updating module is used for generating a new group key according to a preset trigger item, the group key when the trigger item occurs and a random number or an identity of a newly added node in the tree structure, and updating the group key when the trigger item occurs;

The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the method for the purpose of identification of an intention of audio data as described when executing the program.

The invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the key management method as described.

The key management method and the device are applied to group communication, a tree structure is adopted for connection among group members, a new group key is generated according to the group key when a trigger item occurs and a random number or an identity of a newly added node in the tree structure based on a preset trigger item, and the group key when the trigger item occurs is updated; the random number is used for updating a key when the trigger item is a preset time period or a group member leaves, and is generated by a root node in a tree structure; the invention independently completes the update of each group key by each node, avoids man-in-the-middle attack in key distribution, and simultaneously improves the freshness, confidentiality, integrity and non-repudiation of the group key.

Drawings

In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.

FIG. 1 is a flow chart illustrating a key management method provided by the present invention;

FIG. 2 is a first diagram illustrating a tree structure provided by the present invention;

FIG. 3 is a second schematic structural diagram of a tree structure provided by the present invention;

FIG. 4 is a third schematic structural diagram of a tree structure provided by the present invention;

FIG. 5 is a schematic diagram of a key management device according to the present invention;

fig. 6 is a schematic structural diagram of an electronic device provided in the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

The following describes the key management method, apparatus, electronic device and storage medium of the present invention in detail by using embodiments with reference to fig. 1 to 6.

Fig. 1 is a schematic flowchart of a key management method provided by the present invention, and as shown in fig. 1, the key management method provided by the present invention is applied to group communication, and connections between group members adopt a tree structure, including:

step S110, based on a preset trigger item, generating a new group key according to the group key when the trigger item occurs and a random number or an identity of a newly added node in the tree structure, and completing updating of the group key when the trigger item occurs;

In a specific embodiment, nodes of a tree structure correspond to group members one to one, the group members include a group manager and group members, a root node in the tree structure corresponds to a highest manager representing the whole group in the group manager, each non-leaf node except the root node in the tree structure corresponds to a highest manager representing a subgroup in the group manager, and leaf nodes in the tree structure correspond to group members representing the group members in the group members; each node except the root node in the tree structure has one father node, and each node except the leaf nodes in the tree structure has at least one child node. The preset trigger item refers to a condition for triggering real-time update of the group key, and once the trigger item appears, the group key is updated, mainly including change of group members in the group or a preset timing update period. The group key is used for communication between groups, and the non-leaf nodes are used for maintaining own individual keys and group keys and storing the group keys of all nodes from own parent nodes to the root node.

In this embodiment, when the triggering item occurs as node joining or subgroup joining, the non-leaf nodes in the tree structure generate respective new group keys according to the respective group keys when the triggering item occurs and the identity of the newly added node in the tree structure; when the triggering items are node leaving, subgroup leaving and a preset time period, the non-leaf nodes in the tree structure generate respective new group keys according to respective group keys and random numbers when the triggering items occur, wherein the random numbers are generated by root nodes in the tree structure.

The key management method provided by the invention is characterized in that based on a preset trigger item, non-leaf nodes in a tree structure complete the updating of respective group keys according to the respective group keys when the trigger item occurs; the invention independently completes the update of each group key by each node, avoids man-in-the-middle attack in key distribution, and simultaneously improves the freshness, confidentiality, integrity and non-repudiation of the group key.

In a specific embodiment, according to the key management method provided by the present invention, before the generating a new group key based on a preset trigger item according to the group key when the trigger item occurs and a random number or an identity of a newly added node in the tree structure, and completing updating the group key when the trigger item occurs, the method further includes:

In the present embodiment, the individual key is used for distribution of the group key, and the leaf node stores the individual key of itself and the group key of all nodes from the parent node of itself to the root node.

In this embodiment, the initialization of the individual key and the group key is completed for all nodes on the tree structure, the respective seed key and the individual key of the respective child node are generated by the non-leaf nodes in the tree structure, the respective group key is generated by the non-leaf nodes based on the respective seed key and the individual key of the respective child node generated by the non-leaf nodes, and the generated group key is distributed layer by layer to the leaf nodes of the tree structure by the non-leaf nodes.

It should be emphasized that the layer-by-layer distribution in this application means that the group keys of all nodes from the own node to the root node are distributed to the own child nodes in sequence from the root node until the leaf nodes in the tree structure, and the distribution process is finished.

The key management method provided by the invention further discloses the personal key initialization step and the group key initialization step, thereby powerfully supporting the updating of the subsequent group key, avoiding man-in-the-middle attack in key distribution, and simultaneously improving the freshness, confidentiality, integrity and non-repudiation of the group key.

In a specific embodiment, according to the key management method provided by the present invention, the generating respective seed keys and respective individual keys of child nodes by non-leaf nodes in a tree structure, and distributing the individual keys of the respective child nodes to the respective child nodes specifically includes:

sending, by the non-leaf nodes, the individual keys of the respective child nodes to the respective child nodes based on the session key.

In this embodiment, all nodes except the root node in the tree structure perform identity authentication with their respective parent nodes and negotiate out their respective session keys; calling a random number generation function (PRF) by a non-leaf node to generate respective seed keys, wherein the PRF comprises but is not limited to a noise chip, a pseudo-random number generator and sampling; based on the identity of the child node of the non-leaf node and the seed Key of the non-leaf node, calling a Key derivation function KDF (Key derivation Functions) by the non-leaf node to generate the personal Key of each child node, wherein the Key derivation function KDF includes but is not limited to a HASH function, an HMAC function, a symmetric cryptographic algorithm, an asymmetric cryptographic algorithm, and a pseudo-random number generator, which is not specifically limited in the present invention; and calling an encryption authentication function CE-Enc () by the non-leaf node according to the session key negotiated with each child node to encrypt and authenticate the personal key of each child node to generate a ciphertext C and a commitment value T of the personal key of each child node, and sending the ciphertext C and the commitment value T to each child node. In addition, the individual key of the root node in the tree structure is generated by calling a random number generation function PRF, or a key derivation function KDF is called according to the seed key and the identity of the individual key.

The key management method provided by the invention strongly supports the updating of the subsequent group key by further disclosing the specific implementation path of the individual key initialization step, avoids man-in-the-middle attack in key distribution, and simultaneously improves the freshness, confidentiality, integrity and non-repudiation of the group key.

In a specific embodiment, according to the key management method provided by the present invention, after the sending, by the non-leaf node, the individual key of the respective child node to the respective child node based on the session key, the method further includes:

and if the verification is passed, the child nodes of the non-leaf nodes store the respective personal keys.

In the embodiment, the child nodes of the non-leaf nodes call the encryption authentication function CE-Dec () to generate the plaintext M of the personal key of the child node according to the respective session key, the received ciphertext C and the commitment value T of the personal key, and call the encryption authentication function CE-Ver () to verify the integrity and the authenticity of the plaintext M of the respective personal key according to the respective session key, the plaintext M and the commitment value T; and if the verification is passed, the child nodes of the non-leaf nodes store the respective personal keys, if the verification is not passed, the child nodes of the non-leaf nodes generate key error messages and send the key error messages to the respective father nodes.

The key management method provided by the invention further discloses the verification step of the individual key in the individual key initialization step, improves the safety of the individual key, and powerfully supports the confidentiality, the integrity and the non-repudiation of the group key.

In order to better explain the personal key initialization step, in this embodiment, assuming that the height of the tree structure is h, and h is a positive integer greater than or equal to 2, the whole process of the personal key initialization step includes: the nodes with the height of 2 to h and the corresponding father nodes carry out identity authentication and negotiate out respective session keys; nodes with the height of 1 to h-1 call a random number generation function PRF (pseudo random Functions) to generate respective seed keys; the nodes with the height of 1 to h-1 call a Key derivation function KDF (Key derived Functions) to calculate the personal keys of the child nodes according to the identity identifications of the child nodes and the seed keys of the child nodes; the nodes with the height of 1 to h-1 call an encryption authentication function CE-Enc () according to the session key negotiated with each child node and the personal key of each child node to generate a ciphertext C and a commitment value T of the personal key of each child node, and distribute the ciphertext C and the commitment value T of the personal key of the corresponding child node to each child node; respective child nodes of the nodes with the height of 1 to h-1 call an encryption authentication function CE-Dec () to generate plaintext M of respective personal keys based on respective session keys, and received ciphertext C and commitment value T of respective personal keys, and call the encryption authentication function CE-Ver () to verify the integrity and authenticity of respective personal keys according to the respective session keys, the plaintext M of respective personal keys and the commitment value T; and if the verification is not passed, the child nodes of the non-leaf nodes generate key error messages and send the key error messages to respective father nodes.

To better illustrate the personal key initialization step. In this embodiment, fig. 2 is a first schematic structural diagram of a tree structure provided by the present invention, and as shown in fig. 2, the height of the tree structure is taken as 4, and at the same time:

u _1，1 the manager represents the layer 1, the level 1 user, namely the whole group;

u _x，y represents the xth user of the xth layer;

ID _x，y represents u _x，y The identity of (2);

k _x，y represents u _x，y The personal key of (1);

gk _x，y denotes u _x，y A maintained group key;

sk _x，y represents u _x，y A session key negotiated with a parent node of the user;

representing group key gk _x，y Updating the state after z times, wherein the z values of different nodes can be the same or different;

GK: all group keys from the root node to a node;

CE-Enc (k, m) represents the generation of ciphertext C and commitment value T by performing verifiable encryption on message m using key k; the CE-Enc () may be encrypted by a symmetric cryptographic algorithm or an asymmetric cryptographic algorithm, and the commitment value may be a symmetric algorithm, a HASH, an asymmetric algorithm, a code, or the like, which is not specifically limited in the present invention.

CE-Dec (k, C, T) represents performing decryptable verification on ciphertext C and commitment value T using key k; CE-Dec () corresponds to CE-Enc () and decryption verification is performed using an algorithm corresponding to CE-Enc ().

CE-Ver (k, m, T) represents the integrity and authenticity verification of the message m using the key k and the commitment value T; CE-Ver () corresponds to CE-Enc () and is verified using an algorithm corresponding to CE-Enc ().

h represents the height of the key tree;

represents an exclusive or operation;

| represents join operation;

s _x，y denotes u _x，y The seed key of (1);

u _{childrenix，y} represents u _x，y The ith child node of (2);

t represents a key updating mark, and t = t + random number during key updating;

r represents by u _1，1 The generated random number is used for key updating or timing key updating when the user leaves.

The above settings are applicable to all embodiments in the present application, and are not described in detail in other embodiments.

The overall process steps of the personal key initialization step specifically include:

1. node u _2，1 ～u _4，10 Identity authentication is carried out with respective father node and respective session key sk is negotiated _2，1 ～sk _4，10 。

2. Node u _1，1 ～u _3，4 Calling a random number generating function PRF () to generate respective seed keys s _1，1 ～s _3，4 ＝PRF()。

3. Node u _i，1 ～u _3，4 Calculate respective child node u _2，1 ～u _4，10 Personal key k of _2，1 ～k _4，10 . By node u _1，1 Calculating own child node u _2，1 Personal key k _2，1 For example, node u _1，1 According to own child node u _2，1 ID of _2，1 Its own seed key s _1，1 Calling key derivation function KDF to generate own child node u _2，1 Personal key k of _2，1 ，k _2，1 ＝KDF(ID _2，1 ，s _1，1 ). Node u _2，2 ～u _4，10 Personal key k of _2，2 ～k _4，10 The calculation method is analogized by the following steps:

k _2，2 ＝KDF(ID _2，2 ，s _1，1 )；

k _3，1 ＝KDF(ID _3，1 ，s _2，1 )；

k _3，2 ＝KDF(ID _3，2 ，s _2，1 )；

k _3，3 ＝KDF(ID _3，3 ，s _2，2 )；

k _3，4 ＝KDF(ID _3，4 ，s _2，2 )；

k _4，1 ＝KDF(ID _4，1 ，s _3，1 )；

k _4，2 ＝KDF(ID _4，2 ，s _3，1 )；

k _4，3 ＝KDF(ID _4，3 ，s _3，1 )；

k _4，4 ＝KDF(ID _4，4 ，s _3，2 )；

k _4，5 ＝KDF(ID _4，5 ，s _3，2 )；

k _4，6 ＝KDF(ID _4，6 ，s _3，2 )；

k _4，7 ＝KDF(ID _4，7 ，s _3，3 )；

k _4，8 ＝KDF(ID _4，8 ，s _3，3 )；

k _4，9 ＝KDF(ID _4，9 ，s _3，4 )；

k _4，10 ＝KDF(ID _4，10 ，s _3，4 )。

4. node u _1，1 ～u _3，4 To respective child node u _2，1 ～u _4，10 Distributing the corresponding personal key k _2，1 ～k _4，10 . By node u _1，1 To own child node u _2，1 Distributing a personal key k _2，1 For example, node u _1，1 According to the child node u _2，1 Negotiated session key sk _2，1 Node u of its own child _2，1 Personal key k of _2，1 Calling the encryption authentication function CE-Enc () to generate the individual key k _2，1 Cipher text C of _2，1 And a commitment value T _2，1 And C is _2，1 And a commitment value T _2，1 Child node u sent to itself _2，1 ，u _1，1 →u _2，1 ：C _2，1 ||T _2，1 ＝CE-Enc(sk _2，1 ，k _2，1 ). Node u _1，1 ～u _3，4 The process is repeated:

u _1，1 →u _2，2 ：C _2，2 ||T _2，2 ＝CE-Enc(sk _2，2 ，k _2，2 )；

u _2，1 →u _3，1 ：C _3，1 ||T _3，1 ＝CE-Enc(sk _3，1 ，k _3，1 )；

u _2，1 →u _3，2 ：C _3，2 ||T _3，2 ＝CE-Enc(sk _3，2 ，k _3，2 )；

u _2，2 →u _3，3 ：C _3，3 ||T _3，3 ＝CE-Enc(sk _3，3 ，k _3，3 )；

u _2，2 →u _3，4 ：C _3，4 ||T _3，4 ＝CE-Enc(sk _3，4 ，k _3，4 )；

u _3，1 →u _4，1 ：C _4，1 ||T _4，1 ＝CE-Enc(sk _4，1 ，k _4，1 )；

u _3，1 →u _4，2 ：C _4，2 ||T _4，2 ＝CE-Enc(sk _4，2 ，k _4，2 )；

u _3，1 →u _4，3 ：C _4，3 ||T _4，3 ＝CE-Enc(sk _4，3 ，k _4，3 )；

u _3，2 →u _4，4 ：C _4，4 ||T _4，4 ＝CE-Enc(sk _4，4 ，k _4，4 )；

u _3，2 →u _4，5 ：C _4，5 ||T _4，5 ＝CE-Enc(sk _4，5 ，k _4，5 )；

u _3，2 →u _4，6 ：C _4，6 ||T _4，6 ＝CE-Enc(sk _4，6 ，k _4，6 )；

u _3，3 →u _4，7 ：C _4，7 ||T _4，7 ＝CE-Enc(sk _4，7 ，k _4，7 )；

u _3，3 →u _4，8 ：C _4，8 ||T _4，8 ＝CE-Enc(sk _4，8 ，k _4，8 )；

u _3，4 →u _4，9 ：C _4，9 ||T _4，9 ＝CE-Enc(sk _4，9 ，k _4，9 )；

u _3，4 →u _4，10 ：C _4，10 ||T _4，10 ＝CE-Enc(sk _4，10 ，k _4，10 )。

5. node u _2，1 ～u _4，10 For individual key k _2，1 ～k _4，10 Integrity and authenticity verification is performed. By node u _2，1 For individual key k _2，1 For integrity and authenticity verification, node u _2，1 According to the session key sk _2，1 Personal key k received in step 4 _2，1 Cipher text C of _2，1 And a commitment value T _2，1 Calling encryption authentication function CE-Dec () to generate individual key k _2，1 Clear text M of _2，1 ，u _2，1 ：M _2，1 ＝CE-Dec(sk _2，1 ，C _2，1 ，T _2，1 ) According to the session key sk _2，1 Personal key k _2，1 Clear text M of _2，1 A commitment value T _2，1 Calling encryption authentication function CE-Ver () to personal key k _2，1 Carry out integrity and authenticity verification u _2，1 ：CE-Ver(sk _2，1 ，M _2，1 ，T _2，1 ). If the verification passes, u _2，1 Personal key k _2，1 Saving, if the verification fails, u _2，1 Generating a key error message and sending the key error message to u _1，1 . Node u _2，2 ～u _4，10 The same operations are performed:

u _2，2 ：M _2，2 ＝CE-Dec(sk _2，2 ，C _2，2 ，T _2，2 )；

u _2，2 ：CE-Ver(sk _2，2 ，M _2，2 ，T _2，2 )；

u _3，1 ：M _3，1 ＝CE-Dec(sk _3，1 ，C _3，1 ，T _3，1 )；

u _3，1 ：CE-Ver(sk _3，1 ，M _3，1 ，T _3，1 )；

u _3，2 ：M _3，2 ＝CE-Dec(sk _3，2 ，C _3，2 ，T _3，2 )；

u _3，2 ：CE-Ver(sk _3，2 ，M _3，2 ，T _3，2 )；

u _3，3 ：M _3，3 ＝CE-Dec(sk _3，3 ，C _3，3 ，T _3，3 )；

u _3，3 ：CE-Ver(sk _3，3 ，M _3，3 ，T _3，3 )；

u _3，4 ：M _3，4 ＝CE-Dec(sk _3，4 ，C _3，4 ，T _3，4 )；

u _3，4 ：CE-Ver(sk _3，4 ，M _3，4 ，T _3，4 )；

u _4，1 ：M _4，1 ＝CE-Dec(sk _4，1 ，C _4，1 ，T _4，1 )；

u _4，1 ：CE-Ver(sk _4，1 ，M _4，1 ，T _4，1 )；

u _4，2 ：M _4，2 ＝CE-Dec(sk _4，2 ，C _4，2 ，T _4，2 )；

u _4，2 ：CE-Ver(sk _4，2 ，M _4，2 ，T _4，2 )；

u _4，3 ：M _4，3 ＝CE-Dec(sk _4，3 ，C _4，3 ，T _4，3 )；

u _4，3 ：CE-Ver(sk _4，3 ，M _4，3 ，T _4，3 )；

u _4，4 ：M _4，4 ＝CE-Dec(sk _4，4 ，C _4，4 ，T _4，4 )；

u _4，4 ：CE-Ver(sk _4，4 ，M _4，4 ，T _4，4 )；

u _4，5 ：M _4，5 ＝CE-Dec(sk _4，5 ，C _4，5 ，T _4，5 )；

u _4，5 ：CE-Ver(sk _4，5 ，M _4，5 ，T _4，5 )；

u _4，6 ：M _4，6 ＝CE-Dec(sk _4，6 ，C _4，6 ，T _4，6 )；

u _4，6 ：CE-Ver(sk _4，6 ，M _4，6， T _4，6 )；

u _4，7 ：M _4，7 ＝CE-Dec(sk _4，7 ，C _4，7 ，T _4，7 )；

u _4，7 ：CE-Ver(sk _4，7 ，M _4，7 ，T _4，7 )；

u _4，8 ：M _4，8 ＝CE-Dec(sk _4，8 ，C _4，8 ，T _4，8 )；

u _4，8 ：CE-Ver(sk _4，8 ，M _4，8 ，T _4，8 )；

u _4，9 ：M _4，9 ＝CE-Dec(sk _4，9 ，C _4，9 ，T _4，9 )；

u _4，9 ：CE-Ver(sk _4，9 ，M _4，9 ，T _4，9 )；

u _4，10 ：M _4，10 ＝CE-Dec(sk _4，10 ，C _4，10 ，T _4，10 )；

u _4，10 ：CE-Ver(sk _4，10 ，M _4，10 ，T _4，10 )。

in a specific embodiment, according to the key management method provided by the present invention, the generating, by the non-leaf node, a respective group key based on the respective seed key generated by the non-leaf node and the respective individual key of the child node, and distributing the respective group key to the leaf nodes of the tree structure layer by layer specifically includes:

In this embodiment, a root node of a tree structure calls a random number generation function PRF to generate a random number initial state value; based on respective seed keys generated by the non-leaf nodes and individual keys of respective child nodes, calling a key derivation function KDF by the non-leaf nodes to generate respective group keys; all nodes including root nodes except leaf nodes and father nodes of the leaf nodes in the tree structure call an encryption authentication function CE-Enc () to carry out encryption authentication on the group keys of all the nodes and the initial random number values according to personal keys of respective children, the group keys of all the nodes from the node to the root node and the initial random number values, generate ciphertext C and a commitment value T of the initial random number values and send the group keys of all the nodes and the ciphertext C and the commitment value T of the initial random number values to the respective child nodes; and calling an encryption authentication function CE-Enc () by a father node of a leaf node in the tree structure according to the individual key of each child node to carry out encryption authentication on the group keys of all nodes from the father node to the root node so as to generate a ciphertext C and a commitment value T of the group keys of all nodes from the father node to the root node, and sending the ciphertext C and the commitment value T to each child node.

The key management method provided by the invention strongly supports the updating of the subsequent group key by further disclosing the specific implementation path of the group key initialization step, avoids man-in-the-middle attack in key distribution, and simultaneously improves the freshness, confidentiality, integrity and non-repudiation of the group key.

In an embodiment, according to the key management method provided by the present invention, after the distributing the group key and the initial random number value of all nodes from the self node to the root node, the method further includes:

In the embodiment, the group keys of all nodes from the parent node to the root node and the ciphertexts C and the commitment values T of the random number initial state values are received by the child nodes of all nodes including the root node except the parent node of the leaf node and the parent node of the leaf node in the tree structure according to respective individual keys, the encryption authentication function CE-Dec () is called to generate the group keys of all nodes from the parent node to the root node and the plaintext M of the random number initial state values, and the encryption authentication function CE-Ver () is called according to the respective individual keys, the plaintext M and the commitment values T to verify the group keys and the random number initial state values of all nodes from the parent node to the root node; and after verification is passed, the child nodes of all nodes including the root node except the leaf child nodes and the parent nodes of the leaf nodes in the tree structure store the group keys and the random initial state values of all nodes from the parent nodes to the root node, which are received by the child nodes respectively.

According to the key management method provided by the invention, the verification steps of the group keys and the initial random number values of the group keys of all nodes from the parent node to the root node, which are respectively received by the child nodes of all nodes including the root node except the leaf child nodes and the parent nodes of the leaf nodes in the tree structure in the initialization step of the group key, are further disclosed, so that the security of the group key is improved, and the confidentiality, the integrity and the non-repudiation of the group key are powerfully supported.

In a specific embodiment, according to the key management method provided by the present invention, after the distributing the group key of all nodes from the self node to the root node, the method further includes:

In the embodiment, the leaf nodes in the tree structure call an encryption authentication function CE-Dec () according to the respective individual key, the received ciphertext C and the commitment value T of the group key of all the nodes from the self node to the root node, which are sent by the respective parent node, to generate a plaintext M of the group key of all the nodes from the self node to the root node, and call an encryption authentication function CE-Ver () according to the respective individual key, the plaintext M and the commitment value T to verify the group key of all the nodes from the self node to the root node, which is sent by the respective parent node; and if the verification is passed, the leaf nodes in the tree structure store the received group keys of all the nodes from the self node to the root node, which are sent by the respective father nodes, and if the verification is not passed, the leaf nodes in the tree structure generate key error messages and send the key error messages to the respective father nodes.

The key management method provided by the invention further discloses the verification step of the group keys of all the nodes from the self node to the root node, which are sent by the leaf child nodes in the tree structure to the respective parent nodes in the initialization step of the group keys, so that the security of the group keys is improved, and the confidentiality, the integrity and the non-repudiation of the group keys are powerfully supported.

To better explain the group key initialization step, in this embodiment, assuming that the height of the tree structure is h, and h is a positive integer greater than or equal to 2, the overall flow of the group key initialization step includes: a root node in the key tree structure calls a random number generation function PRF to generate a random number initial state value; the nodes with the height of 1 to h-1 call a key derivation function KDF to generate respective group keys according to respective seed keys and respective individual keys of child nodes; the distributing, by the nodes with a height of 1 to a height of h-2, the group keys and the initial random number values of all nodes from their own node to the root node to their respective child nodes includes: the nodes with the height of 1 to h-2 call an encryption authentication function CE-Enc () to generate the group keys of all the nodes from the respective nodes to the root node, the ciphertexts C and the commitment values T of the random number initial values according to the personal keys of the respective child nodes, the group keys of all the nodes from the respective nodes to the root node and the random number initial values, and distribute the corresponding group keys of all the nodes from the respective nodes to the root node and the ciphertexts C and the commitment values T of the random number initial values to the respective child nodes; the integrity and authenticity verification of the group key and the initial random number value of all nodes from the parent node to the root node by the respective child nodes of the nodes with the height of 1 to h-2 based on the respective individual keys specifically comprises the following steps: calling an encryption authentication function CE-Dec () by respective child nodes of the nodes with the height of 1 to h-2 according to respective individual keys, received group keys of all nodes from respective parent nodes to a root node and a ciphertext C and a commitment value T of a random number initial state value to generate group keys of all nodes from respective parent nodes to the root node and a plaintext M of the random number initial state value, calling an encryption authentication function CE-Ver () according to the respective individual keys, the plaintext M and the commitment value T to perform integrity and authenticity verification on the group keys of all nodes from respective parent nodes to the root node and the random number initial state value, if the verification is passed, storing the group keys of all nodes from respective parent nodes to the root node and the random number initial state value by respective child nodes of the nodes with the height of 1 to h-2, and if the verification is not passed, generating error messages by respective child nodes of the nodes with the height of 1 to h-2 to send the respective parent nodes; distributing the group key of all nodes from the own node to the root node to the respective child nodes by the nodes with the height h-1, specifically comprising: the nodes with the height h-1 call an encryption authentication function CE-Enc () to carry out encryption authentication on the group keys of all the nodes from the respective self nodes to the root node according to the individual keys of the respective child nodes, generate the ciphertext C and the commitment value T of the group keys of all the nodes from the respective self nodes to the root node, and send the ciphertext C and the commitment value T of the group keys of all the nodes from the respective self nodes to the root node to the respective child nodes; the integrity and authenticity verification of the group key of all the nodes from the parent node to the root node by the child nodes of the node with the height h-1 specifically comprises the following steps: and calling an encryption authentication function CE-Dec () by respective child nodes of the nodes with the height h-1 to generate plaintext M of the group keys of all the nodes from respective parent nodes to the root node according to respective personal keys and received ciphertext C and commitment value T of the group keys of all the nodes from respective parent nodes to the root node, calling an encryption authentication function CE-Ver () to verify the integrity and authenticity of the group keys of all the nodes from respective parent nodes to the root node according to the respective personal keys, the plaintext M and the commitment value T of the group keys of all the nodes from respective parent nodes to the root node, if the group keys are verified, storing the group keys of all the nodes from respective parent nodes to the root node by the respective child nodes of the nodes with the height h-1, and if the group keys are not verified, generating key error messages by the respective child nodes of the nodes with the height h-1 to send the respective parent nodes.

To better illustrate the group key initialization procedure. In this embodiment, fig. 2 is a schematic structural diagram of a tree structure provided by the present invention, as shown in fig. 2, if the height of the tree structure is 4 and the same setting is taken, the overall flow of the group key initialization step specifically includes:

1. highest management node u _1，1 Calling a random number generation function PRF to generate a random number initial state value r ⁰ ＝PRF()。

2. Node u _1，1 ～u _3，4 Computing group keys

By node u _1，1 Computing group keys

For example, node u _1，1 According to the seed key s _1，1 Personal key k of child node _2，1 、k _2，2 Invoking KDF function to generate group key

Node u _2，1 ～u _3，4 The same operations are performed:

u _2，1 ：

u _2，2 ：

u _3，1 ：

u _3，2 ：

u _3，3 ：

u _3，4 ：

3. node u _1，1 ～u _2，2 To child node u _2，1 ～u _3，4 Distributing groupsSecret key GK and random number initial state value r ⁰ 。

By node u _1，1 To child node u _2，1 Distributing group keys

And a random number initial state value r ⁰ For example, node u _1，1 According to child node u _2，1 Personal key k of _2，1 Group key

And a random number initial state value r ⁰ Calling encryption authentication function CE-Enc () to generate group key

And a random number initial state value r ⁰ C of _2，1 And a commitment value T _2，1 And the ciphertext C _2，1 And a commitment value T _2，1 Send to child node u _2，1 ，u _1，1 →u _2，1 ：

Node u _1，1 ～u _3，4 The same operations are performed:

u _1，1 →u _2，2 ：

u _2，1 →u _3，1 ：

u _2，1 →u _3，2 ：

u _2，2 →u _3，3 ：

u _2，2 →u _3，4 ：

4. node u _2，1 ～u _3，4 For group key GK and random number initial state r ⁰ Integrity and authenticity verification is performed.

By node u _2，1 Pair group key

And a random number initial state value r ⁰ For integrity and authenticity verification, node u _2，1 According to the personal key k _2，1 And the group key received in step 3

And a random number initial state value r ⁰ Cipher text C of _2，1 And a commitment value T _2，1 Generating group key by calling encryption authentication function CE-Dec ()

And a random number initial state value r ⁰ Clear text M of _2，1 ，u _2，1 ：M _2，1 ＝CE-Dec(k _2，1 ，C _2，1 ，T _2，1 ) According to the personal key k _2，1 Plaintext M _2，1 Commitment value T _2，1 Calling encryption authentication function CE-Ver () to group key

And a random number initial state value r ⁰ Carry out integrity and authenticity verification u _2，1 ：CE-Ver(k _2，，1 ，M _2，1 ，T _2，1 ). If the verification passes, u _2，1 Group key

And a random number initial state value r ⁰ Preservation ofIf the verification fails, u _2，1 Generating a key error message and sending the key error message to u _1，1 . Node u _2，2 ～u _3，4 The same operations are performed:

u _2，2 ：M _2，2 ＝CE-Dec(k _2，2 ，C _2，2 ，T _2，2 )；

u _2，2 ：CE-Ver(k _2，2 ，M _2，2 ，T _2，2 )；

u _3，1 ：M _3，1 ＝CE-Dec(k _3，1 ，C _3，1 ，T _3，1 )；

u _3，1 ：CE-Ver(k _3，1 ，M _3，1 ，T _3，1 )；

u _3，2 ：M _3，2 ＝CE-Dec(k _3，2 ，C _3，2 ，T _3，2 )；

u _3，2 ：CE-Ver(k _3，2 ，M _3，2 ，T _3，2 )；

u _3，3 ：M _3，3 ＝CE-Dec(k _3，3 ，C _3，3 ，T _3，3 )；

u _3，3 ：CE-Ver(k _3，3 ，M _3，3 ，T _3，3 )；

u _3，4 ：M _3，4 ＝CE-Dec(k _3，4 ，C _3，4 ，T _3，4 )；

u _3，4 ：CE-Ver(k _3，4 ，M _3，4 ，T _3，4 )。

5. node u _3，1 ～u _3，4 To child node u _4，1 ～u _4，10 The group key GK is distributed.

By node u _3，1 To child node u _4，1 Distributing group keys

For example, node u _3，1 According to child node u _4，1 Personal key k of _4，1 Group key

Calling encryption authentication function CE-Enc () to generate ciphertext C _4，1 And a commitment value T _4，1 And the ciphertext C _4，1 And a commitment value T _4，1 Sent to child node u _4，1 ，u _3，1 →u _4，1 ：

Node u _3，1 ～u _3，4 The same operations are performed:

u _3，1 →u _4，2 ：

u _3，1 →u _4，3 ：

u _3，2 →u _4，4 ：

u _3，2 →u _4，5 ：

u _3，2 →u _4，6 ：

u _3，3 →u _4，7 ：

u _3，3 →u _4，8 ：

u _3，4 →u _4，9 ：

u _3，4 →u _4，10 ：

6. node u _4，1 ～u _4，10 And carrying out integrity and authenticity verification on the group key GK.

By node u _4，1 For individual key k _4，1 Group key

For integrity and authenticity verification, node u _4，1 According to the personal key k _4，1 And the group key received in step 5

Cipher text C of _4，1 And a commitment value T _4，1 Generating group key by calling encryption authentication function CE-Dec ()

Clear text M of _4，1 ，u _4，1 ：M _4，1 ＝CE-Dec(k _4，1 ，C _4，1 ，T _4，1 ) According to the personal key k _4，1 Group key

Clear text M of _4，1 A commitment value T _4，1 Calling encryption authentication function CE-Ver () to group key

Performing integrity and authenticity verification, u _4，1 ：CE-Ver(k _4，1 ，M _4，1 ，T _4，1 ). If the verification passes, u _4，1 Group key

Saving, if the verification fails, u _4，1 Generating a key error message and sending the key error message to u _3，1 . Node u _4，2 ～u _4，10 The same operations are performed:

u _4，2 ：M _4，2 ＝CE-Dec(k _4，2 ，C _4，2 ，T _4，2 )；

u _4，2 ：CE-Ver(k _4，2 ，M _4，2 ，T _4，2 )；

u _4，3 ：M _4，3 ＝CE-Dec(k _4，3 ，C _4，3 ，T _4，3 )；

u _4，3 ：CE-Ver(k _4，3 ，M _4，3 ，T _4，3 )；

u _4，4 ：M _4，4 ＝CE-Dec(k _4，4 ，C _4，4 ，T _4，4 )；

u _4，4 ：CE-Ver(k _4，4 ，M _4，4 ，T _4，4 )；

u _4，5 ：M _4，5 ＝CE-Dec(k _4，5 ，C _4，5 ，T _4，5 )；

u _4，5 ：CE-Ver(k _4，5 ，M _4，5 ，T _4，5 )；

u _4，6 ：M _4，6 ＝CE-Dec(k _4.6 ，C _4，6 ，T _4，6 )；

u _4，6 ：CE-Ver(k _4，6 ，M _4，6 ，T _4，6 )；

u _4，7 ：M _4，7 ＝CE-Dec(k _4，7 ，C _4，7 ，T _4，7 )；

u _4，7 ：CE-Ver(k _4，7 ，M _4，7 ，T _4，7 )；

u _4，8 ：M _4，8 ＝CE-Dec(k _4，8 ，C _4，8 ，T _4，8 )；

u _4，8 ：CE-Ver(k _4，8 ，M _4，8 ，T _4，8 )；

u _4，9 ：M _4，9 ＝CE-Dec(k _4，9 ，C _4，9 ，T _4，9 )；

u _4，9 ：CE-Ver(k _4，9 ，M _4，9 ，T _4，9 )；

u _4，10 ：M _4，10 ＝CE-Dec(k _4，10 ，C _4，10 ，T _4，10 )；

u _4，10 ：CE-Ver(k _4，10 ，M _4，10 ，T _4，10 )。

in a specific embodiment, according to the key management method provided by the present invention, the preset trigger item is a node join, and correspondingly, the new group key is generated according to the group key when the trigger item occurs, and the random number or the identity of the node newly added in the tree structure, and the update of the group key when the trigger item occurs is completed, which specifically includes:

generating a personal key of a newly added node by a father node of the newly added node, and sending the personal key of the newly added node to the newly added node;

or based on the respective group key when the node is added and the identity of the newly added node, calling a key derivation function by a non-leaf node of the tree structure, updating the respective group key by itself, and distributing the updated group keys of all nodes from the node to the root node layer by layer to the leaf nodes of the tree structure by the non-leaf node;

In this embodiment, the newly added node defaults to a leaf node in the tree structure, and if the newly added node is a non-leaf node in the tree structure, it is processed as subgroup addition.

In this embodiment, first, a parent node of a newly added node generates an individual key of the newly added node, and sends the generated individual key of the newly added node to the newly added node; then, the group key of the tree structure is updated, and at this time, there are three update paths including:

the first node joins in the group key updating path, based on the stored group key and the identity of the newly joined node when the node joins in, the non-leaf node of the tree structure calls the key derivation function to update the stored group key, and the father node of the leaf node sends the updated group key of all nodes from the self node to the root node to the leaf node including the newly joined node, wherein the group key stored by the non-leaf node includes the group key;

the second node joins in a group key updating path, based on respective group keys when the nodes are joined and the identity identification of the newly joined node, a key derivation function is called by a non-leaf node of the tree structure, the respective group keys are updated by self, and the updated group keys of all nodes from the self node to the root node are distributed to leaf nodes of the tree structure including the newly joined node layer by the non-leaf node;

and a third node is added into the group key updating path, and the nodes in the tree structure call a key derivation function to update the respective stored group keys according to the respective stored group keys when the nodes are added and the identity of the newly added node.

In this embodiment, a first group key update path is taken as an example for expansion, and non-leaf nodes in a tree structure call a key derivation function KDF to generate a new group key according to an original group key stored in each node when a node is added, an identity of a newly added node, and/or a key update flag; and the parent node of the newly added node calls an encryption authentication function CE-Enc () according to the personal key of the newly added node to carry out encryption authentication on the group keys of all the nodes from the parent node of the newly added node to the root node, generates the ciphertext C and the commitment value T of the group keys of all the nodes from the parent node of the newly added node to the root node, and sends the ciphertext C and the commitment value T of the group keys of all the nodes from the parent node of the newly added node to the root node to the newly added node. The key update flag is used to mark key update, and is generally expressed by the number of key updates, but is not limited to the number of key updates. When generating the group key, the key updating mark is an optional parameter and is not an optional parameter; when the node changes, the updating mode of the key updating mark is the original key updating mark value plus a random number. The key update marks of different nodes may be the same or different, and the present invention is not limited thereto.

That is to say, when the preset trigger is node joining, the group key with changed group relationship must be updated, and other group keys without change may or may not be updated, which is not limited in the present invention. The new group key can be generated by the nodes calling key derivation functions respectively; or generating a new group key by a non-leaf node and distributing the new group key to leaf nodes of a tree structure layer by layer; or generating a new group key by a non-leaf node, and distributing the new group key to leaf nodes of the tree structure by parent nodes of the leaf nodes; the group key may also be updated in a manner combining the above manners, which is not limited in the present invention.

The key management method further discloses the updating step of the group key when the preset triggering item is added into the node, further explains the process that each node independently completes the updating of each group key, and improves the security and confidentiality of the group key.

In a specific embodiment, according to the key management method provided by the present invention, the generating, by a parent node of a newly joining node, an individual key of the newly joining node, and sending the individual key of the newly joining node to the newly joining node specifically includes:

based on the identity of the newly added node and the seed key of the father node of the newly added node, calling a key derivation function by the father node of the newly added node to generate a personal key of the newly added node;

and sending the generated individual key of the newly-added node to the newly-added node by the parent node of the newly-added node based on the session key.

In this embodiment, the newly added node performs identity authentication with its own parent node and negotiates a session key; the father node of the newly added node calls a key derivation function KDF to generate an individual key of the newly added node according to the identity of the newly added node and the seed key of the father node; and the parent node of the newly added node calls an encryption authentication function CE-Enc () to generate a ciphertext C and a commitment value T of the personal key of the newly added node according to the session key negotiated with the child node, namely the newly added node and the personal key of the newly added node, and sends the ciphertext C and the commitment value T of the personal key of the newly added node to the newly added node.

According to the key management method provided by the invention, through further disclosing the generation step of the personal key of the newly added node in the group key updating when the preset trigger item is the node, the support is provided for each subsequent node to independently complete the updating of the respective group key, and the safety and confidentiality of the group key are improved.

In a specific embodiment, according to the key management method provided by the present invention, after the parent node of the newly joining node sends the generated individual key of the newly joining node to the newly joining node, the method further includes:

verifying the personal key of the new joining node based on the session key;

and the newly added node stores the received personal key of the newly added node after passing the verification.

In the embodiment, the newly added node calls an encryption authentication function CE-Dec () to generate a plaintext M of the personal key according to the session key negotiated with the parent node of the newly added node and the received ciphertext C and the commitment value T of the personal key, and calls the encryption authentication function CE-Ver () to verify the personal key of the newly added node according to the session key, the plaintext M of the personal key and the commitment value T; and if the verification is passed, the newly added node stores the received personal key, and if the verification is not passed, the newly added node generates a key error message and sends the key error message to the father node of the new access node.

According to the key management method provided by the invention, the safety of the personal key is improved and the update of the group key is powerfully supported by further disclosing the preset triggering item as the verification step of the personal key of the newly added node generated when the node is added.

In a specific embodiment, according to the key management method provided by the present invention, after the non-leaf node distributes the updated group keys of all nodes from its own node to the root node layer by layer to the leaf node, the method further includes:

In this embodiment, the leaf node in the tree structure including the newly added node verifies the group keys of all the updated nodes from its parent node to the root node, which are received by the leaf node, and only if the verification passes, the group keys can be stored. Taking a verification process of a newly added node as an example for expansion, calling an encryption authentication function CE-Dec () by the newly added node according to a personal key of the newly added node, a received ciphertext C and a commitment value T of a group key of all nodes from a parent node of the newly added node to a root node to generate a plaintext M of the group key of all nodes from the parent node of the newly added node to the root node, and calling the encryption authentication function CE-Ver () according to the personal key of the newly added node, the plaintext M of the group key of all nodes from the parent node of the newly added node to the root node and the commitment value T to verify the received group key of all nodes from the parent node of the newly added node to the root node; and if the verification is passed, the newly added node saves the received group keys of all the nodes from the father node of the newly added node to the root node, and if the verification is not passed, the newly added node generates a key error message and sends the key error message to the father node of the newly added node.

According to the key management method provided by the invention, the security and confidentiality of the group key are improved by further disclosing the verification step of the generated group key when the preset trigger item is added as a node.

To better illustrate the update situation of the group key when the preset trigger is node joining. In this embodiment, fig. 3 is a schematic structural diagram of a tree structure provided by the present invention, and as shown in fig. 3, the height of the tree structure is taken as 4, and the same setting is simultaneously taken, assuming that after the group key initialization step, the node u _4，11 Apply for joining the group. Upon initialization, the group key of the non-leaf node in the tree structure is

In the initialization phase, the key update flag t =0. Due to the addition of the node, the key update flag t =0+1=1. Node u _4，11 Group key to be updated is added to a group

The overall process step of updating the group key specifically includes:

1. newly joining node u _4，11 With its own parent node u _3，4 Performs identity authentication and negotiates out a session key sk _4，11 。

2. Node u _3，4 Generating node u _4，11 Personal key k of _4，11 . Node u _3，4 According to node u _4，11 ID of _4，11 Seed key s _3，4 Invoking a Key derivation function KDF generating node u _4，11 The individual key of (2): k is a radical of _4，11 ＝KDF(ID _4，11 ，s _3，4 )。

3. Newly joining node u _4，11 Parent node u of _3，4 To child node u _4，11 Distributing personal key k _4，11 . Newly joining node u _4，11 Parent node u of _3，4 According to and child node u _4，11 Negotiated session key sk _4，11 Child node u _4，11 Personal key k of _4，11 Calling encryption authentication function CE-Enc () to generate individual key k _4，11 Cipher text C of _4，11 And a commitment value T _4，11 And the personal key k is combined _4，11 C of _4，11 And a commitment value T _4，11 Sent to child node u _4，11 Formulated as follows:

u _3，4 →u _4，11 ：C _4，11 ||T _4，11 ＝CE-Enc(sk _4，11 ，k _4，11 )

4. newly joined node u _4，11 For individual key k _4，11 Integrity and authenticity verification is performed.

Newly joining node u _4，11 From the session key sk _4，11 And the personal key k received in step 3 _4，11 Cipher text C of _4，11 And a commitment value T _4，11 Calling encryption authentication function CE-Dec () to generate individual key k _4，11 Clear text M of _4，11 ＝CE-Dec(sk _4，11 ，C _4，11 ，T _4，11 ) From the session key sk _4，11 Plaintext M _4，11 A commitment value T _4，11 Calling a cryptographic authentication function CE-Ver (sk) _4，11 ，M _4，11 ，T _4，11 ) For individual key k _4，11 Integrity and authenticity verification is performed. If the verification passes, u _4，11 Personal key k _4，11 Saving, if the verification fails, u _4，11 Generating a key error message and sending the key error message to u _3，4 。

5. Node u _1，1 ～u _4，10 And calculating the updated group key by itself.

1) Node u _1，1 ～u _4，10 Based on old group key

Newly added node u _4，11 ID of _4，11 Calling a key derivation function KDF to generate a new group key, with a key update flag t =1

2) Node u _2，2 、u _3，3 、u _3，4 、u _4，7 、u _4，8 、u _4，9 、u _4，10 According to old group key

3) Node u _3，4 、u _4，9 、u _4，10 Based on old group key

6. Node u _3，4 To node u _4，11 Distributing group keys

Newly added node u _4，11 Parent node u of _3，4 According to u _4，11 Personal key k of _4，11 、u _3，4 To u _1，1 Of all intermediate nodes

Calling encryption authentication function CE-Enc () to generate u _3，4 To u _1，1 Of all intermediate nodes

Cipher text C of _4，11 And a commitment value T _4，11 And the ciphertext C _4，11 And a commitment value T _4，11 Is sent to u _4，11 。

u _3，4 →u _4，11 ：

7. Newly joining node u _4，11 Based on the personal key k _4，11 For u to u _3，4 To u _1，1 Group key of all nodes of

Integrity and authenticity verification is performed.

Newly joining node u _4，11 According to the personal key k _4，11 And the step ofU received in 6 _3，4 To u _1，1 Of all intermediate nodes

C of _4，11 And a commitment value T _4，11 Calling encryption authentication function CE-Dec () to generate clear text M _4，11 ＝CE-Dec(k _4，11 ，C _4，11 ，T _4，11 ) According to the personal key k _4，11 Plaintext M _4，11 A commitment value T _4，11 Calling encrypted authentication function CE-Ver (k) _4，11 ，M _4，11 ，T _4，11 ) For u is paired _3，4 To u _1，1 Group key of all nodes of

Carrying out integrity and authenticity verification, if the verification is passed, u _4，11 Save slave u _3，4 To u _1，1 Group key of all nodes of

If the verification fails, u _4，11 Generating a key error message and sending the key error message to u _3，4 。

In the key update procedure of the above example, the key update flag t participates in the new group key

And (4) generating. The key update flag t may not participate in the generation of the new group key,

the invention is not explicitly limited herein.

The above example only updates the relevant group key

At a nodeGroup key for joining a group whose group relationship does not change

The update may or may not be performed, and the present invention is not limited explicitly. New group key

The self-updating is generated by calling a key derivation function by the node by referring to the method; or generating a new group key by a non-leaf node and distributing the new group key to leaf nodes of a tree structure layer by layer; or generating a new group key by a non-leaf node, and distributing the new group key to leaf nodes of the tree structure by parent nodes of the leaf nodes; the group key may also be updated by combining the above manners, and the present invention is not limited thereto.

In a specific embodiment, according to the key management method provided by the present invention, the preset trigger item is a node leaving, and correspondingly, the new group key is generated according to the group key when the trigger item occurs, and the random number or the identity of the node newly added to the tree structure, and the update of the group key when the trigger item occurs is completed, which specifically includes:

or non-leaf nodes in the tree structure call a key derivation function to update the respective stored group keys according to the respective stored group keys and random numbers when the nodes leave, and the parent nodes of the leaf nodes send the updated group keys of all nodes from the self nodes to the root nodes to the leaf nodes.

In this embodiment, when the trigger item is a node leave, there are two update paths of the group key in the tree structure, including:

the first node leaves the group key updating path, based on the respective group key and random number when the node leaves, the non-leaf node calls the key derivation function to update the respective group key, and the non-leaf node distributes the updated group keys of all nodes from the node to the root node to the leaf nodes layer by layer;

the second kind of node leaves the group key updating path, and the non-leaf nodes in the tree structure automatically update the respective stored group keys according to the respective original stored group keys and random numbers when the node leaves, wherein the respective stored group keys comprise the respective group keys; and the parent node of the leaf node in the tree structure sends the updated group key to the respective leaf node, the updating of the group key is participated by a random number when the triggering item is that the node leaves, and the leaf node does not keep the random number and can not update the group key stored by the leaf node, so the group key is distributed by the parent node of the leaf node.

In this embodiment, taking the second type of node leaving the group key update as an example, the expansion is performed. Non-leaf nodes in the tree structure call a key derivation function KDF to update the respective stored group keys according to the respective stored group keys, random numbers and/or key update marks when the nodes leave; and calling an encryption authentication function CE-Enc () by a father node of a leaf node in the tree structure according to the personal key of the child node or the group key of the father node to carry out encryption authentication on the group key of all the updated nodes from the father node to the root node, generating the ciphertext C and the commitment value T of the group key of all the nodes from the father node to the root node, and sending the ciphertext C and the commitment value T of the group key of all the nodes from the father node to the root node to the child nodes.

The key management method further discloses the updating step of the group key when the preset triggering item is the node leaves, further explains the process that each node independently completes the updating of each group key, and improves the security and confidentiality of the group key.

In a specific embodiment, according to the key management method provided in the present invention, after the non-leaf node distributes layer by layer the updated group keys of all nodes from its own node to the root node to the leaf node, the method further includes:

In this embodiment, the node of the tree structure is configured to store the received group key after verification is passed, and expand the received group key by using the leaf node as an example. Verifying the received updated group keys of all nodes from the father node to the root node by the leaf node, and calling an encryption authentication function CE-Dec () to generate a plaintext M of the updated group keys of all nodes from the father node to the root node according to the personal key or the group key of the father node, the received encrypted ciphertext C and a commitment value T of the updated group keys of all nodes from the father node to the root node; according to the personal key of the user or the group key of the father node of the user and the commitment value T, calling an encryption authentication function CE-Ver () to verify the integrity and the authenticity of the received and updated group key of all nodes from the father node of the user to the root node; and after the verification is passed, the leaf node stores the received updated group keys of all the nodes from the father node to the root node, and if the verification is not passed, the leaf node generates a key error message and sends the key error message to the father node.

When the preset trigger item is the node leaving, the group key with the changed group relationship must be updated, and other group keys without the change may be updated or not, which is not limited in the present invention. The new group key can be generated by calling a key derivation function by the non-leaf nodes respectively, and the updated group key is sent to the leaf nodes by the parent node of the leaf node in the tree structure; the new group key can also be generated by calling a key derivation function by the non-leaf nodes respectively, and is distributed to the leaf nodes of the tree structure layer by the non-leaf nodes; or the two ways are combined to update the group key, which is not limited in the present invention.

According to the key management method provided by the invention, the security and confidentiality of the group key are improved by further disclosing the preset triggering item as a verification step of the generated group key when the node leaves.

To better illustrate the updating situation of the group key when the preset trigger is the node leaving. In this embodiment, fig. 3 is a schematic structural diagram of a tree structure provided by the present invention, and as shown in fig. 3, the height of the tree structure is taken as 4, and the same setting is taken at the same time, assuming that the group key initialization step is performed later. Now in this embodiment, node u _4，11 Request for leaving the group. Assume that at this time, the group key of a non-leaf node in the tree structure is

Now node u _4，11 The application leaves, and the key update mark t =1+1=2. Due to the node u _4，11 Leaving the group, the group key being secured

Must be updated. The overall process step of updating the group key specifically includes:

1. node u _1，1 ～u _3，4 And calculating the updated group key by itself.

By node u _1，1 For example, node u _1，1 Based on old group key

Initial state value r of random number ⁰ And calling KDF function to generate new group key by the key updating mark t =2

1) Node u _1，1 ～u _3，4 According to old group key

Random number r ⁰ And calling KDF function to generate new group key by the key updating mark t =2

2) Node u _2，2 、u _3，3 、u _3，4 Based on old group key

3) Node u _3，4 Based on old group key

2. Node u _3，1 ～u _3，4 To respective children's festivalThe point distributes the updated group key GK.

By node u _3，1 To own child node { u _4，1 、u _4，2 、u _4，3 Distribute updated

For example. Node u _3，1 According to the original group key

Updated group key

Calling encryption authentication function CE-Enc () to generate updated group key

C of _{children 3，1} And a commitment value T _{children 3，1} And updating the group key

Cipher text C of _{children 3，1} And a commitment value T _{children 3，1} Sending to own child node { u _4，1 、u _4，2 、u _4，3 }，u _3，1 →{u _4，1 、u _4，2 、u _4，3 }：

Node u _3，2 ～u _3，4 The distribution of (a) is by analogy,

u _3，2 →{u _4，4 、u _4，5 、u _4，6 }：

u _3，3 →{u _4，7 、u _4，8 }：

u _3，4 →u _4，9 ：

u _3，4 →u _4，10 ：

3. node u _4，1 ～u _4，10 And carrying out integrity and authenticity verification on the updated group key GK.

With node { u _4，1 、u _4，2 、u _4，3 As an example, node { u } _4，1 、u _4，2 、u _4，3 According to the group key

And received in step 2

C of _{children3，1} And a commitment value T _{children 3，1} Calling encryption authentication function CE-Dec () generation

Clear text M of _{children 3，1} According to group keys

Plaintext M _{children 3，1} A commitment value T _{children 3，1} Calling encryption authentication function CE-Ver () to update group key

Integrity and authenticity verification is performed, and if verification is passed, { u _4，1 、u _4，2 、u _4，3 ProtectionStoring updated group keys

If not, { u } _4，1 、u _4，2 、u _4，3 The generated key error message is sent to the node u _3，1 。

Node u _4，4 ～u _4，10 The same operations are performed:

{u _4，1 、u _4，2 、u _4，3 }：

{u _4，1 、u _4，2 、u _4，3 }：

{u _4，4 、u _4，5 、u _4，6 }：

{u _4，4 、u _4，5 、u _4，6 }：

{u _4，7 、u _4，8 }：

{u _4，7 、u _4，8 }：

u _4，9 ：M _{children 3，4} ＝CE-Dec(k _4，9 ，C _4，9 ，T _{children 3，4} )

u _4，9 ：CE-Ver(k _4，9 ，M _{children 3，4} ，T _{children 3，4} )

u _4，10 ：M _{children 3，4} ＝CE-Dec(k _4，10 ，C _4，10 ，T _{children 3，4} )

u _4，10 ：CE-Ver(k _4，10 ，M _{children 3，4} ，T _{children 3，4} )。

the invention is not explicitly limited herein.

The above example only updates the associated group key

Group key of group with unchanged group relation when node leaves

Also referring to the method, a new group key is generated by a non-leaf node, and is distributed to leaf nodes of a tree structure by parent nodes of the leaf nodes; or generated by non-leaf nodesThe new group key is distributed to leaf nodes of the tree structure layer by layer; the group key may also be updated by combining the two ways, which is not limited in the present invention.

In a specific embodiment, according to the key management method provided by the present invention, when the preset trigger item is a preset time period, correspondingly, the generating a new group key according to the group key when the trigger item occurs, and the random number or the identity of the node newly added in the tree structure, and completing the updating of the group key when the trigger item occurs specifically includes:

In this embodiment, when the trigger is a preset time period, there are two update paths for the group key, including:

the group key updating path in the first time period calls a key derivation function to update the respective group key by the non-leaf node based on the respective group key, random number and/or key updating mark when the preset time period is reached, and the non-leaf node distributes the updated group keys of all nodes from the self node to the root node to the leaf node layer by layer;

in the group key updating path of the second time period, non-leaf nodes in the tree structure call a key derivation function KDF to calculate and update the group keys stored in the tree structure according to the original stored group keys, random numbers and/or key updating marks; and the parent node of the leaf node in the tree structure calls an encryption authentication function CE-Enc () to generate a ciphertext C and a commitment value T of each updated group key according to the individual key and the updated group key of each child node, and sends the ciphertext C and the commitment value T of each updated group key to each child node.

The key management method further discloses the updating step of the group key when the preset triggering item is the group key and the group key is updated at regular time, further explains the process that each node independently completes the updating of each group key, and improves the security and confidentiality of the group key.

In a specific embodiment, according to the key management method provided by the present invention, after the parent node of the leaf node sends the updated group keys of all nodes from its own node to the root node to the leaf node, the method further includes:

In this embodiment, the node of the tree structure is configured to store the received group key after verification is passed, and expand the received group key by using the leaf node as an example. And the leaf nodes in the tree structure call an encryption authentication function CE-Dec () to generate plaintext M of the updated group key of all nodes from the parent node to the root node according to the respective individual key, the received ciphertext C and the commitment value T of the updated group key of all nodes from the parent node to the root node, and call an encryption authentication function CE-Ver () to verify the integrity and the authenticity of the received updated group key of all nodes from the parent node to the root node according to the respective individual key, the updated plaintext M of the group key of all nodes from the parent node to the root node and the commitment value T. If the verification is passed, the leaf nodes store the updated group keys of all the nodes from the father node to the root node, and if the verification is not passed, the leaf nodes generate key error messages and send the key error messages to the father nodes.

The key management method provided by the invention has the advantages that the security and the confidentiality of the group key are improved by further disclosing the step of verifying the generated group key when the preset trigger item is used for updating the group key at regular time.

To better explain the updating situation of the group key when the preset trigger is a preset time period, i.e. the group key is updated regularly. In this embodiment, fig. 2 is a schematic structural diagram of the tree structure provided by the present invention, and as shown in fig. 2, the height of the tree structure is taken as 4, and the same setting is taken at the same time, so that the group key is updated at regular time. At this time, the group key of the non-leaf node in the tree structure is

If the key update flag t =2+1=3, the overall process step of group key update specifically includes:

1. node u _1，1 ～u _3，4 And calculating the updated group key by itself.

1) Node u _1，1 ～u _3，4 Based on old group key

Random number r ⁰ And calling KDF function to generate new group key by the key updating mark t =3

2) Node u _2，1 、u _3，1 、u _3，2 According to old group key

Random number r ⁰ And calling KDF function to generate new group key with key updating mark t =3

3) Node u _2，2 、u _3，3 、u _3，4 Based on old group key

4) Node u _3，1 Based on old group key

5) Node u _3，2 Based on old group key

6) Node u _3，3 According to old group key

7) Node u _3，4 Based on old group key

2. Node u _3，1 ～u _3，4 The updated group key GK is distributed to its child nodes.

With node u _3，1 To u _4，1 Distributing updated

For example, node u _3，1 According to u _4，1 Personal key k _4，1 After update

Calling encryption authentication function CE-Enc () to generate group key

C of _4，1 And a commitment value T _4，1 And combining the group key

C of _4，1 And a commitment value T _4，1 Send to child node u _4，1 ，u _3，1 →u _4，1 ：

Node u _4，2 →u _4，10 Group key GK distribution of (a) and so on:

u _3，1 →u _4，2 ：

u _3，1 →u _4，3 ：

u _3，2 →u _4，4 ：

u _3，2 →u _4，5 ：

u _3，2 →u _4，6 ：

u _3，3 →u _4，7 ：

u _3，3 →u _4，8 ：

u _3，4 →u _4，9 ：

u _3，4 →u _4，10 ：

3. node u _4，1 ～u _4，10 Based on the personal key k _4，1 ～k _4，10 And carrying out integrity and authenticity verification on the updated group key GK.

By node u _4，1 Based on the personal key k _4，1 For updated group key

For authenticity and integrity verification, node u _4，1 According to the personal key k _4，1 And the updated group key received in step 2

C of _4，1 And a commitment value T _4，1 Calling encryption authentication function CE-Dec () to generate updated group key

Clear text M of _4，1 ，u _4，1 ：M _4，1 ＝CE-Dec(k _4，1 ，C _4，1 ，T _4，1 )，u _4，1 According to the personal key k _4，1 Updated group key

Clear text M of _4，1 Commitment value T _4，1 Calling encryption authentication function CE-Ver () to update group key

Carry out integrity and authenticity verification u _4，1 ：CE-Ver(k _4，1 ，M _4，1 ，T _4，1 ) If the verification passes, u _4，1 Saving updated group keys

If not, u _4，1 Generating a key error message and sending the key error message to u _3，1 . Node u _4，2 ～u _4，10 The same operations are performed:

u _4，2 ：M _4，2 ＝CE-Dec(k _4，2 ，C _4，2 ，T _4，2 )；

u _4，2 ：CE-Ver(k _4，2 ，M _4，2 ，T _4，2 )；

u _4，3 ：M _4，3 ＝CE-Dec(k _4，3 ，C _4，3 ，T _4，3 )；

u _4，3 ：CE-Ver(k _4，3 ，M _4，3 ，T _4，3 )；

u _4，4 ：M _4，4 ＝CE-Dec(k _4，4 ，C _4，4 ，T _4，4 )；

u _4，4 ：CE-Ver(k _4，4 ，M _4，4 ，T _4，4 )；

u _4，5 ：M _4，5 ＝CE-Dec(k _4，5 ，C _4，5 ，T _4，5 )；

u _4，5 ：CE-Ver(k _4，5 ，M _4，5 ，T _4，5 )；

u _4，6 ：M _4，6 ＝CE-Dec(k _4，6 ，C _4，6 ，T _4，6 )；

u _4，6 ：CE-Ver(k _4，6 ，M _4，6 ，T _4，6 )；

u _4，7 ：M _4，7 ＝CE-Dec(k _4，7 ，C _4，7 ，T _4，7 )；

u _4，7 ：CE-Ver(k _4，7 ，M _4，7 ，T _4，7 )；

u _4，8 ：M _4，8 ＝CE-Dec(k _4，8 ，C _4，8 ，T _4，8 )；

u _4，8 ：CE-Ver(k _4，8 ，M _4，8 ，T _4，4 )；

u _4，9 ：M _4，9 ＝CE-Dec(k _4，9 ，C _4，9 ，T _4，9 )；

u _4，9 ：CE-Ver(k _4，9 ，M _4，9 ，T _4，9 )；

u _4，10 ：M _4，10 ＝CE-Dec(k _4，10 ，C _4，10 ，T _4，10 )；

u _4，10 ：CE-Ver(k _4，10 ，M _4，10 ，T _4，10 )。

in the key update process of the above example, the key update flag t participates in the generation of a new group key. The key update flag t may not be involved in the generation of a new group key, and the new group key

The key update flag t is not involved in the calculation at the time of generation,

other group key generation is similar. The invention is not explicitly limited herein.

In a specific embodiment, according to the key management method provided by the present invention, the preset trigger item is a subgroup departure, and correspondingly, the generating a new group key according to the group key when the trigger item occurs, and the random number or the identity of the node newly added in the tree structure, and completing the updating of the group key when the trigger item occurs specifically includes:

based on the respective group key and the new random number when the subgroups leave, calling a key derivation function by the non-leaf node, and updating the respective group key by self;

and the non-leaf node distributes the updated group key layer by layer from the self node to all nodes of the root node to the leaf node.

In this embodiment, a root node of a tree structure calls a random number generation function PRF to generate a new random number to replace a previous random number, all nodes including the root node except parent nodes of leaf nodes and leaf nodes in the tree structure call an encryption authentication function CE-Enc () to encrypt and authenticate the new random number according to individual keys of respective child nodes to generate a ciphertext C and a commitment value T of the respective new random number, and send the ciphertext C and the commitment value T of the respective new random number to the respective child nodes; non-leaf nodes in the tree structure call a key derivation function KDF to generate respective new group keys according to respective old group keys, new random numbers and/or key update marks when subgroups leave; then, the non-leaf node distributes the updated group keys of all the nodes from the self node to the root node to the leaf node layer by layer, taking the distribution process from the parent node of the leaf node to the leaf node as an example, the non-leaf node expands, the parent node of the leaf node calls an encryption authentication function CE-Enc () to generate the ciphertext C and the commitment value T of the group key of all the nodes from the self node to the root node after updating according to the group key of the parent node and the received updated group key of all the nodes from the self node to the root node, and sends the ciphertext C and the commitment value T of the group key of all the nodes from the self node to the root node after updating to the child nodes, namely the corresponding leaf nodes.

The key management method further discloses the updating step of the group key when the preset triggering item is a subgroup leaving, further explains the process that each node independently completes the updating of each group key, and improves the security and confidentiality of the group key.

In a specific embodiment, according to the key management method provided in the present invention, after the distributing the new random number, the method further includes:

verifying the new random numbers received by all non-leaf nodes except the root node in the tree structure;

In the embodiment, the non-leaf nodes except the root node in the tree structure call the encryption authentication function CE-Dec () to generate a plaintext M of a new random number according to the personal key of the non-leaf nodes, the ciphertext C of the received new random number and the commitment value T, the plaintext M and the commitment value T are obtained according to the personal key of the non-leaf nodes and the new random number, and the encryption authentication function CE-Ver () is called to verify the integrity and the authenticity of the received new random number; if the verification is passed, the non-leaf node stores the received new random number, and if the verification is not passed, the non-leaf node generates a key error message and sends the key error message to the respective father node.

The key management method provided by the invention strongly supports the security and confidentiality of the subsequently generated group key by further disclosing the step of verifying the generated new random number when the preset trigger item is taken as the subgroup leaving.

In this embodiment, the node of the tree structure is configured to store the received group key after verification is passed, and expand the received group key by using the leaf node as an example. A leaf node calls an encryption authentication function CE-Dec () to generate a plaintext M of the updated group key of all nodes from the parent node to the root node according to the group key of the parent node, the received encrypted C of the updated group key of all nodes from the parent node to the root node and a commitment value T, and calls an encryption authentication function CE-Ver () to verify the received updated group key of all nodes from the parent node to the root node according to the group key of the parent node, the updated plaintext M of the group key of all nodes from the parent node to the root node and the commitment value T; if the verification is passed, the leaf node stores the updated group keys of all the nodes from the father node to the root node; if the verification fails, the leaf nodes generate key error messages and send the key error messages to respective father nodes.

According to the key management method provided by the invention, the security and confidentiality of the group key are improved by further disclosing the step of verifying the generated group key when the preset trigger item is taken as a subgroup to leave.

To better explain the updating situation of the group key when the preset trigger item is the departure of the subgroup. In this embodiment, fig. 2 is a first schematic structural diagram of the tree structure provided by the present invention, and as shown in fig. 2, the height of the tree structure is taken as 4, and the same setting is taken at the same time, assuming that the subgroup { u } is _3，4 、u _4，9 u _4，10 Apply for exiting group. At this time, the group key of the non-leaf node in the tree structure is

If the key update flag t =3+1=4, the overall flow steps of group key update specifically include:

1. highest management node u _1，1 Calling PRF function to generate a random number r ¹ Initial state value r of random number before replacement ⁰ 。

2. Highest management node u _1，1 To child node { u _2，1 、u _2，2 Distribute random number r ¹ 。

By node u _1，1 To node u _2，1 Distribution as an example, highest management node u _1，1 According to own child node u _2，1 Personal key k of _2，1 A random number r ¹ Calling encryption authentication function CE-Enc () to generate random number r ¹ Cipher text C of _2，1 And a commitment value T _2，1 And a random number r ¹ Cipher text C of _2，1 And a commitment value T _2，1 Child node u sent to itself _2，1 . Highest management node u _1，1 For u is paired _2，2 The same operations are performed:

u _1，1 →u _2，1 ：C _2，1 ||T _2，1 ＝CE-Enc(k _2，1 ，r ¹ )；

u _1，1 →u _2，2 ：C _2，2 ||T _2，2 ＝CE-Enc(k _2，2 ，r ¹ )。

3. node { u } _2，1 、u _2，2 To random number r ¹ Integrity and authenticity verification is performed.

By node u _2，1 For random number r ¹ For integrity and authenticity verification, u _2，1 According to the personal key k _2，1 Received random number r ¹ Cipher text C of _2，1 And a commitment value T _2，1 Generating plaintext M by calling encryption authentication function CE-Dec () _2，1 Based on the individual key k _2，1 A random number r ¹ Clear text M of _2，1 A commitment value T _2，1 Calling the encryption authentication function CE-Ver () to the random number r ¹ Performing integrity and authenticity verification, if verification is passed, u _2，1 Saving random number r ¹ If not, u _2，1 Generating random number error message and sending u _1，1 . Node u _2，2 The same operations are performed:

u _2，1 ：M _2，1 ＝CE-Dec(k _2，1 ，C _2，1 ，T _2，1 )；

u _2，1 ：CE-Ver(k _2，1 ，M _2，1 ，T _2，1 )；

u _2，2 ：M _2，2 ＝CE-Dec(k _2，2 ，C _2，2 ，T _2，2 )；

u _2，2 ：CE-Ver(k _2，2 ，M _2，2 ，T _2，2 )。

4. node u _2，1 、u _2，2 Distributing random numbers r to respective child nodes ¹ 。

By u _2，1 To u _3，1 Distributing a random number r ¹ For example, u _2，1 According to u _3，1 Personal key k of _3，1 A random number r ¹ Invoking the encryption authentication function CE-Enc () to generateRandom number r ¹ C of _3，1 And a commitment value T _3，1 And a random number r ¹ Cipher text C of _3，1 And a commitment value T _3，1 Sent to child node u _3，1 ，u _2，1 →u _3，1 ：C _3，1 ||T _3，1 ＝CE-Enc(k _3，1 ，r ¹ ). Node u _2，1 、u _2，2 Repeating the operation direction u _3，2 、u _3，3 Distributing a random number r ¹ ：

u _2，1 →u _3，2 ：C _3，2 ||T _3，2 ＝CE-Enc(k _3，2 ，r ¹ )；

u _2，2 →u _3，3 ：C _3，3 ||T _3，3 ＝CE-Enc(k _3，3 ，r ¹ )。

5. Node u _3，1 、u _3，2 、u _3，3 For random number r ¹ Integrity and authenticity verification is performed.

With node u _3，1 For random number r ¹ For integrity and authenticity verification, u _3，1 According to the personal key k _3，1 And the random number r received in step 4 ¹ Cipher text C of _3，1 And a commitment value T _3，1 Calling encryption authentication function CE-Dec () to generate random number r ¹ Clear text M of _3，1 Based on the individual key k _3，1 A random number r ¹ Clear text M of _3，1 A commitment value T _3，1 Calling the encryption authentication function CE-Ver () to the random number r ¹ Carrying out integrity and authenticity verification, if the verification is passed, u _3，1 Saving random number r ¹ If not, u _3，1 Generating random number error message and sending u _2，1 . Node u _3，2 、u _3，3 The same operations are performed:

u _3，1 ：M _3，1 ＝CE-Dec(k _3，1 ，C _3，1 ，T _3，1 )；

u _3，1 ：CE-Ver(k _3，1 ，M _3，1 ，T _3，1 )；

u _3，2 ：M _3，2 ＝CE-Dec(k _3，2 ，C _3，2 ，T _3，2 )；

u _3，2 ：CE-Ver(k _3，2 ，M _3，2 ，T _3，2 )；

u _3，3 ：M _3，3 ＝CE-Dec(k _3，3 ，C _3，3 ，T _3，3 )；

u _3，3 ：CE-Ver(k _3，3 ，M _3，3 ，T _3，3 )。

6. node u _1，1 ～u _3，3 And calculating the updated group key by itself.

Node u _1，1 ～u _3，3 Based on old group key

Random number r ¹ And/or the key update flag t =4 invokes a KDF function to generate a new group key

Node u _2，2 、u _3，3 Based on old group key

Random number r ¹ And/or invoking the KDF function with the key update flag t =4 to generate a new group key

7. Node u _3，1 ～u _3，3 The updated group key GK is distributed to the respective child nodes.

By u _3，1 To { u } _4，1 、u _4，2 、u _4，3 Distribute updated group key

For example, u _3，1 According to group keys

Updated group key

Cipher text C of _{children 3，1} And a commitment value T _{children 3，1} And updating the group key

Cipher text C of _{children 3，1} And a commitment value T _{children 3，1} Is sent to { u } _4，1 、u _4，2 、u _4，3 }，u _3，1 →{u _4，1 、u _4，2 、u _4，3 }：

u _3，2 、u _3，3 The same operations are performed:

u _3，2 →{u _4，4 、u _4，5 、u _4，6 }：

u _3，3 →{u _4，7 、u _4，8 }：

8. node u _4，1 ～u _4，8 Based on group keys

And carrying out integrity and authenticity verification on the updated group key GK.

With node { u _4，1 、u _4，2 、u _4，3 Based on group key

For updated group key

For example, node { u } for integrity and authenticity verification _4，1 、u _4，2 、u _4，3 According to the group key

And the updated group key received in step 7

Cipher text C of _{children 3，1} And a commitment value T _{children 3，1} Calling encryption authentication function CE-Dec () to generate updated group key

Clear text M of _{children 3，1} According to the group key

For updated group key

Clear text M of _{children 3，1} A commitment value T _{children 3，1} Calling encryption authentication function CE-Ver () to update group key

Integrity and authenticity verification is performed, and if verification is passed, { u _4，1 、u _4，2 、u _4，3 Keep the updated group key

If not, { u } _4，1 、u _4，2 、u _4，3 The generated key error message is sent to u _3，1 。u _4，4 ～u _4，8 The same operations are performed:

{u _4，1 、u _4，2 、u _4，3 }：

{u _4，1 、u _4，2 、u _4，3 }：

{u _4，4 、u _4，5 、u _4，6 }：

{u _4，4 、u _4，5 、u _4，6 }：

{u _4，7 、u _4，8 }：

{u _4，7 、u _4，8 }：

in the key update process of the above embodiment, the key update flag t participates in the generation of a new group key. The key update flag t may not participate in the generation of the new group key,

other new group keys are generated similarly. The invention is not explicitly limited herein.

In a specific embodiment, according to the key management method provided by the present invention, the preset trigger item is a subgroup join, and correspondingly, the new group key is generated according to the group key when the trigger item occurs, and the random number or the identity of the node newly added to the tree structure, and the update of the group key when the trigger item occurs is completed, which specifically includes:

generating an individual key of the newly added subgroup highest management node by a parent node of the newly added subgroup highest management node, and sending the generated individual key of the newly added subgroup highest management node to the newly added subgroup highest management node;

In this embodiment, first, a parent node newly added to a subgroup highest management node generates an individual key of the newly added subgroup highest management node, and sends the generated individual key of the newly added subgroup highest management node to the newly added subgroup highest management node; then, updating the group key, and there are two kinds of tree-structured group key updating paths when the trigger item is added as a subgroup, including:

a first subgroup joining group key updating path, based on respective group keys when subgroups join, identity marks and/or key updating marks of the highest management node of the newly joined subgroups, a non-leaf node in the tree structure calls a key derivation function KDF to generate respective new group keys, namely, the respective group keys are updated by self, and the updated group keys of all nodes from the node to the root node are distributed to leaf nodes of the tree structure layer by the non-leaf node;

and the nodes in the tree structure call a key derivation function to update the respective stored group keys according to the respective stored group keys when the subgroups join and the identity of the highest management node newly join the subgroups, wherein the respective stored group keys comprise the respective group keys.

In this embodiment, in the first or second subgroup joining group key update path, the key update condition of the newly joining subgroup is consistent, including: a father node of the newly added subgroup highest management node calls an encryption authentication function CE-Enc () to generate a ciphertext C and a commitment value T according to the personal key of the newly added subgroup highest management node, the group keys of all nodes from the father node to the root node and a random number, and sends the ciphertext C and the commitment value T to the newly added subgroup highest management node, wherein the group key of the newly added subgroup highest management node is also generated by the father node and sent to the newly added subgroup highest management node; and finally, the highest management node of the newly added subgroup realizes the initialization of the individual key and the group key of the newly added subgroup.

The key management method further explains the process that each node independently finishes the updating of the respective group key by further disclosing the updating step of the group key when the preset triggering item is added as a subgroup, and improves the security and confidentiality of the group key.

In a specific embodiment, according to the key management method provided by the present invention, the generating, by the parent node of the newly added subgroup highest management node, the individual key of the newly added subgroup highest management node, and sending the generated individual key of the newly added subgroup highest management node to the newly added subgroup highest management node specifically includes:

the highest management node of the newly added subgroup and a parent node of the newly added subgroup carry out identity authentication and negotiate out a session key;

based on the identity of the highest management node of the newly added subgroup, calling a key derivation function by the parent node of the highest management node of the newly added subgroup to generate a personal key of the highest management node of the newly added subgroup;

and based on the session key, sending the generated personal key of the highest management node of the newly added subgroup to the highest management node of the newly added subgroup by the parent node of the highest management node of the newly added subgroup.

In this embodiment, the newly added highest management node of the subgroup performs identity authentication with its own parent node and negotiates a session key; the father node of the highest management node of the newly added subgroup calls a key derivation function according to the identity of the highest management node of the newly added subgroup and the seed key of the father node, and generates an individual key of the highest management node of the newly added subgroup; and the parent node of the highest management node of the newly added subgroup calls an encryption authentication function CE-Enc () to generate a ciphertext C and a commitment value T of the personal key of the highest management node of the newly added subgroup according to a session key negotiated with the child node of the parent node, namely the highest management node of the newly added subgroup and the personal key of the highest management node of the newly added subgroup, and sends the ciphertext C and the commitment value T of the personal key of the highest management node of the newly added subgroup to the highest management node of the newly added subgroup.

According to the key management method provided by the invention, through further disclosing the generation step of the individual key newly added to the highest management node of the subgroup in the group key update when the preset trigger item is added to the subgroup, support is provided for each subsequent node to independently complete the update of the respective group key, and the security and confidentiality of the group key are improved.

In a specific embodiment, according to the key management method provided by the present invention, after the parent node of the newly-added subgroup highest management node sends the generated individual key of the newly-added subgroup highest management node to the newly-added subgroup highest management node, the method further includes:

In the embodiment, the newly added highest management node of the subgroup calls an encryption authentication function CE-Dec () to generate a plaintext M of the personal key according to a session key negotiated with a parent node of the newly added highest management node, a received ciphertext C of the personal key and a commitment value T, and calls an encryption authentication function CE-Ver () to verify the integrity and the authenticity of the personal key according to the session key, the plaintext M of the personal key and the commitment value T; if the verification is passed, the newly added subgroup highest management node saves the received personal key, and if the verification is not passed, the newly added subgroup highest management node generates a key error message and sends the key error message to the parent node of the newly added subgroup highest management node.

According to the key management method provided by the invention, through further disclosing the step of verifying the generated personal key of the highest management node newly added into the subgroup when the preset trigger item is added into the subgroup, the safety and confidentiality of the personal key are improved, and the generation of the subsequent group key is powerfully supported.

In a specific embodiment, according to the key management method provided by the present invention, after the non-leaf node distributes layer by layer the updated group keys of all nodes from its own node to the root node to the leaf nodes of the tree structure, the method further includes:

In this embodiment, the node in the tree structure may store the received group key after verification, and expand the received group key by taking the highest management node of the new subgroup as an example. The newly added highest management node of the subgroup calls an encryption authentication function CE-Dec () according to an individual key of the newly added highest management node, and the received updated group keys of all nodes from a father node of the newly added highest management node to a root node and ciphertexts C and commitment values T of random numbers to generate the updated group keys of all nodes from the father node of the newly added highest management node to the root node and plaintext M of the random numbers, and calls the encryption authentication function CE-Ver () according to the individual key of the newly added highest management node, the updated group keys of all nodes from the father node of the newly added highest management node to the root node and the updated plaintext M of the random numbers, and the updated plaintext M of the random numbers to perform integrity and authenticity verification on the updated group keys and random numbers of all nodes from the father node of the newly added highest management node to the root node; if the verification is passed, the newly added subgroup highest management node saves the received updated group keys and random numbers of all nodes from the father node to the root node; and if the verification fails, the newly added subgroup highest management node generates a key error message and sends the key error message to the parent node of the newly added subgroup highest management node.

According to the key management method provided by the invention, the security and confidentiality of the group key are improved by further disclosing the verification step of the generated group key when the preset trigger item is added as a subgroup.

In a specific embodiment, according to the key management method provided by the present invention, the initializing of the individual key and the group key of the newly added subgroup by the highest management node of the newly added subgroup specifically includes:

generating respective seed keys and individual keys of respective child nodes by the non-leaf nodes newly added into the subgroup;

In this embodiment, the non-leaf nodes newly added to the subgroup generate respective seed keys and individual keys of respective child nodes; based on respective seed keys generated by non-leaf nodes in the newly added subgroup and individual keys of respective child nodes, respective group keys are generated by the non-leaf nodes in the newly added subgroup, the generated group keys of all nodes from the self node to the root node are distributed to the leaf nodes of the newly added subgroup layer by the non-leaf nodes in the newly added subgroup, and random numbers are distributed to the respective child nodes by all nodes except the leaf nodes and parent nodes of the leaf nodes in the newly added subgroup. Corresponding to the above-mentioned individual key initialization step and group key initialization step, no further description is given here.

According to the key management method provided by the invention, the security and confidentiality of the group key are improved by further disclosing the step of verifying the generated group key in the newly added subgroup when the preset trigger item is added as the subgroup.

When the preset trigger item is added to a subgroup, the group key with the changed group relationship needs to be updated, and other group keys without the changed group relationship may or may not be updated, which is not limited in the present invention. The new group key can be generated by the nodes calling key derivation functions respectively; or generating a new group key by a non-leaf node and distributing the new group key to leaf nodes of a tree structure layer by layer; or generating a new group key by a non-leaf node, and distributing the new group key to leaf nodes of the tree structure by parent nodes of the leaf nodes; combinations of the above are also possible, as the invention is not limited in this regard.

To better explain the updating situation of the group key when the preset trigger item is added as the subgroup. In this embodiment, fig. 4 is a schematic structural diagram of a tree structure provided by the present invention, and as shown in fig. 4, the height of the tree structure is taken as 4, and the same setting is simultaneously taken, assuming that subgroup { u } is a subgroup in the group key initialization step _3，5 、u _4，12 、u _4，13 Apply for joining group, at this time, the group key is

If the key update flag t =4+1=5, the overall flow steps of group key update specifically include:

1. node u _3，5 With its own parent node u _2，2 Performs identity authentication and negotiates out a session key sk _3，5 。

2. Node u _3，5 Parent node u of _2，2 Calculate node u _3，5 Personal key k of _3，5 。

Node u _2，2 According to node u _3，5 ID of _3，5 Seed key s _2，2 Invoking a Key derivation function KDF generating node u _3，5 Personal key k of _3，5 ：

k _3，5 ＝KDF(ID _3，5 ，s _2，2 )。

3. Node u _3，5 Parent node u of _2，2 To child node u _3，5 Distributing personal key k _3，5 。

Node u _3，5 Parent node u of _2，2 According to and child node u _3，5 Negotiated session key sk _3，5 Child node u _3，5 Personal key k of _3，5 Calling encryption authentication function CE-Enc () to generate individual key k _3，5 Cipher text C of _3，5 And a commitment value T _3，5 And the personal key k is combined _3，5 Cipher text C of _3，5 And a commitment value T _3，5 Sent to child node u _3，5 ，u _2，2 →u _3，5 ：C _3，5 ||T _3，5 ＝CE-Enc(sk _3，5 ，k _3，5 )。

4. Node u _3，5 For individual key k _3，5 Integrity and authenticity verification is performed.

Node u _3，5 According to the session key sk _3，5 And the personal key k received in step 3 _3，5 Cipher text C of _3，5 And a commitment value T _3，5 Calling encryption authentication function CE-Dec () to generate individual key k _3，5 Clear text M of _3，5 According to the session key sk _3，5 Personal key k _3，5 Clear text M of _3，5 A commitment value T _3，5 Calling encryption authentication function CE-Ver () to personal key k _3，5 Integrity and authenticity verification is performed. If it is usedVerification pass, u _3，5 Personal key k _3，5 Saving, if the verification fails, u _3，5 Generating personal key error message and sending to self father node u _2，2 ：

u _3，5 ：M3，5＝CE-Dec(sk _3，5 ，C _3，5 ，T _3，5 )；

u _3，5 ：CE-Ver(sk _3，5 ，M _3，5 ，T _3，5 )。

5. Node { u _1，1 ～u _3，3 、u _4，1 ～u _4，8 Calculate the updated group key by itself.

Node { u _1，1 ～u _3，3 、u _4，1 ～u _4，8 According to the old group key

Node u _3，5 ID of (2) _3，5 And calling KDF function to generate new group key by the key updating mark t =5

Node { u _2，2 、u _3，3 、u _4，7 、u _4，8 According to the old group key

Node u _3，5 ID of _3，5 And calling KDF function to generate new group key by the key updating mark t =5

6. Node u _2，2 To u _3，5 Distribution group key GK and random number r ¹ 。

Node u _2，2 According to child node u _3，5 Personal key k of _3，5 、u _2，2 To u _1，1 Of all intermediate nodes

And a random number r ¹ Calling encryption authentication function CE-Enc () to generate u _2，2 To u _1，1 Of all intermediate nodes

And a random number r ¹ Cipher text C of _3，5 And a commitment value T _3，5 And the ciphertext C _3，5 And a commitment value T _3，5 Sent to child node u _3，5 ：

u _2，2 →u _3，5 ：

7. Node u _3，5 For u is paired _2，2 To u _1，1 Group key GK and random number r of all intermediate nodes of (1) ¹ Integrity and authenticity verification is performed.

Node u _3，5 According to the personal key k _3，5 And u received in step 6 _2，2 To u _1，1 Of all intermediate nodes

And a random number r ¹ Cipher text C of _3，5 And a commitment value T _3，5 Calling encryption authentication function CE-Dec () to generate u _2，2 To u _1，1 Of all intermediate nodes

And a random number r ¹ Clear text M of _3，5 Based on the individual key k _3，5 、u _2，2 To u _1，1 Of all intermediate nodes

And a random number r ¹ Clear text M of _3，5 A commitment value T _3，5 Calling encryption authentication function CE-Ver () to u _2，2 To u _1，1 Of all intermediate nodes

And a random number r ¹ Carrying out integrity and authenticity verification, if the verification is passed, u _3，5 Preservation of u _2，2 To u _1，1 Of all intermediate nodes

And a random number r ¹ If not, u _3，5 Generating message error message and sending to self father node u _2，2 ：

u _3，5 ：M _3，5 ＝CE-Dec(k _3，5 ，C _3，5 ，T _3，5 )；

u _3，5 ：CE-Ver(k _3，5 ，M _3，5 ，T _3，5 )。

8. Node u _4，12 、u _4，13 And parent node u _3，5 Identity authentication is carried out and a session key sk is negotiated _4，12 、sk _4，13 。

9. Node u _3，5 Generating its own seed key s by calling PRF function _3，5 ＝PRF()。

10. Node u _3，5 Generating child node u _4，12 、u _4，13 Personal key k of _4，12 、k _4，13 。

Node u _3，5 According to node u _4，12 ID of (2) _4，12 Seed key s _3，5 Invoking a Key derivation function KDF generating node u _4，12 Personal key k _4，12 ：k _4，12 ＝KDF(ID _4，12 ，s _3，5 )。

Node u _3，5 According to node u _4，13 ID of _4，13 Seed key s _3，5 Invoking a Key derivation function KDF generating node u _4，13 Personal key k of _4，13 ：k _4，13 ＝KDF(ID _4，13 ，s _3，5 )。

11. Node u _3，5 To child node u _4，12 、u _4，13 Distributing personal key k _4，12 、k _4，13 。

By node u _3，5 To child node u _4，12 Distributing individual keys, e.g. node u _3，5 According to and child node u _4，12 Negotiated session key sk _4，12 Child node u _4，12 Personal key k of _4，12 Calling encryption authentication function CE-Enc () to generate individual key k _4，12 C of _4，12 And a commitment value T _4，12 And the personal key k is combined _4，12 Cipher text C of _4，12 And a commitment value T _4，12 Sent to child node u _4，12 ，u _3，5 →u _4，12 ：C _4，12 ||T _4，12 ＝CE-Enc(sk _4，12 ，k _4，12 ). Node u _3，5 Perform the same operation towards child node u _4，13 Distributing personal key k _4，13 ，u _3，5 →u _4，13 ：C _4，13 ||T _4，13 ＝CE-Enc(sk _4，13 ，k _4，13 )。

12. Node u _4，12 、u _4，13 For individual key k _4，12 、k _4，13 Integrity and authenticity verification is performed.

With node u _4，12 For individual key k _4，12 For integrity and authenticity verification, node u _4，12 From the session key sk _4，12 And the personal key k received in step 11 _4，12 Cipher text C of _4，12 And a commitment value T _4，12 Calling encryption authentication function CE-Dec () to generate individual key k _4，12 Clear text M of _4，12 ，u _4，12 ：M _4，12 ＝CE-Dec(sk _4，12 ，C _4，12 ，T _4，12 ) (ii) a According to the session key sk _4，12 Personal key k _4，12 Clear text M of _4，12 A commitment value T _4，12 Calling encryption authentication function CE-Ver () to personal key k _4，12 An integrity and authenticity verification is performed and,u _4，12 ：CE-Ver(sk _4，12 ，M _4，12 ，T _4，12 ). If the verification passes, u _4，12 Personal key k _4，12 Saving, if the verification fails, u _4，12 Generating a key error message and sending the key error message to u _3，5 . Node u _4，13 The same operations are performed:

u _4，13 ：M _4，13 ＝CE-Dec(sk _4，13 ，C _4，13 ，T _4，13 )；

u _4，13 ：CE-Ver(sk _4，13 ，M _4，13 ，T _4，13 )。

13. node u _3，5 Computing group keys

Node u _3，5 According to the seed key s _3，5 Child node u _4，12 、u _4，13 Personal key k of _4，12 、k _4，13 Invoking KDF function to generate group key

14. Node u _3，5 To child node u _4，12 、u _4，13 The group key GK is distributed.

To node u _4，12 Distributing group keys, e.g., node u _3，5 According to child node u _4，12 Personal key k of _4，12 、u _3，5 To u _1，1 Of all intermediate nodes

Calling encryption authentication function CE-Enc () to generate group key

Cipher text C of _4，12 And a commitment value T _4，12 And combining the group key

Cipher text C of _4，12 And a commitment value T _4，12 Sent to child node u _4，12 ，u _3，5 →u _4，12 ：

Node u _3，5 To node u _4，13 Perform the same operation u _3，5 →u _4，13 ：

15. Node u _4，12 、u _4，13 Based on a personal key k _4，12 、k _4，13 For u is paired _3，5 To u _1，1 The group key GK of all intermediate nodes of (1) performs integrity and authenticity verification.

By node u _4，12 As an example, u _4，12 According to the personal key k _4，12 And the group key received in step 14

Cipher text C of _4，12 And a commitment value T _4，12 Generating group key by calling encryption authentication function CE-Dec ()

Clear text M of _4，12 Based on the individual key k _4，12 Group key

Clear text M of _4，12 A commitment value T _4，12 Calling the encryption authentication function CE-Ver () to u _3，5 To u _1，1 Of all intermediate nodes

Carrying out integrity and authenticity verification, if the verification is passed, u _4，12 Preservation of u _3，5 To u _1，1 Of all intermediate nodes

If the verification fails, u _4，12 Generating a key error message and sending the key error message to u _3，5 . Node u _4，13 The same operations are performed:

u _4，12 ：M _4，12 ＝CE-Dec(k _4，12 ，C _4，12 ，T _4，12 )；

u _4，12 ：CE-Ver(k _4，12 ，M _4，12 ，T _4，12 )；

u _4，13 ：M _4，13 ＝CE-Dec(k _4，13 ，C _4，13 ，T _4，13 )；

u _4，13 ：CE-Ver(k _4，13 ，M _4，13 ，T _4，13 )。

in a specific embodiment, according to the key management method provided by the present invention, the distribution of the individual key and the group key both use an authenticatable encryption scheme.

In the present embodiment, the individual keys and the group keys generated in the tree structure use a verifiable encryption authentication scheme CE in the distribution process.

The key management method provided by the invention further uses the encryption authentication scheme for the distribution of the individual key and the group key generated in the public tree structure, thereby avoiding man-in-the-middle attack in the key distribution process and ensuring the confidentiality, the integrity and the non-repudiation of the encryption key and the message.

It should be noted that, in the key updating process in the above-listed embodiment, the key updating flag t participates in the generation of the new group key. Alternatively, the key update flag t may not participate in the generation of the new group key,

the generation of the new group key is similar in other embodiments. The invention is not limited thereto explicitly.

In addition, it should be particularly emphasized that only the group key associated with the newly joining node is updated in some of the above-listed embodiments, for example, the group key of the node whose group relationship has not changed during the subgroup joining is not updated. Alternatively, the group key of the node whose group relationship has not changed may refer to updating the group key, which is not explicitly limited in the present invention. The nodes with unchanged group relation can update the group key by themselves; or generating a new group key by a non-leaf node, and distributing the new group key to leaf nodes of the tree structure by parent nodes of the leaf nodes; or generating a new group key by a non-leaf node and distributing the new group key to leaf nodes of a tree structure layer by layer; the group key may also be updated by combining the above manners, and the present invention is not limited thereto.

The key management device provided by the present invention is described below, and the key management device described below and the key management method described above may be referred to in correspondence with each other.

Fig. 5 is a schematic diagram of a key management device provided by the present invention, as shown in fig. 5, the key management device provided by the present invention is applied to group communication, and connections between group members adopt a tree structure, and the device includes:

a group key updating module 510, configured to generate a new group key according to a preset trigger item, a group key when the trigger item occurs, and a random number or an identity of a node newly added to the tree structure, and complete updating of the group key when the trigger item occurs;

The key management device provided by the invention is characterized in that a group key updating module is arranged, and based on a preset trigger item, non-leaf nodes in a tree structure complete the updating of respective group keys according to the respective group keys when the trigger item occurs; the invention independently completes the update of each group key by each node, avoids man-in-the-middle attack in key distribution, and simultaneously improves the freshness, confidentiality, integrity and non-repudiation of the group key.

In another aspect, the present invention further provides an electronic device, fig. 6 illustrates a schematic structural diagram of an electronic device, and as shown in fig. 6, the electronic device may include a processor 610, a communication bus 620, a memory 630, a communication interface 640, and a computer program stored on the memory 630 and operable on the processor 610, where the processor 610, the communication interface 610, and the memory 630 complete communication with each other through the communication bus 640, and the processor 610 may call a logic instruction in the memory 630 to execute a key management method, where the method includes:

Finally, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, can implement a key management method comprising:

The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.

Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.

Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, and not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims

1. A key management method applied to group communication, wherein connections between group members adopt a tree structure, the method comprising:

2. The key management method according to claim 1, wherein before the generating a new group key based on the preset trigger according to the group key when the trigger occurs and the random number or the identity of the newly added node in the tree structure, and completing the updating of the group key when the trigger occurs, the method further comprises:

3. The key management method of claim 2, wherein generating respective seed keys and respective individual keys of child nodes from non-leaf nodes in the tree structure and distributing the individual keys of the respective child nodes to the respective child nodes comprises:

calling a key derivation function by the non-leaf node to generate individual keys of the respective child nodes based on the identities of the child nodes of the non-leaf node and the seed keys of the non-leaf node;

4. The key management method of claim 3, wherein after the sending, by the non-leaf node, the individual key of the respective child node to the respective child node based on the session key, the method further comprises:

5. The key management method according to claim 2, wherein the generating respective group keys from the non-leaf nodes based on the respective seed keys generated by the non-leaf nodes and the individual keys of the respective child nodes, and distributing the respective group keys to the leaf nodes of the tree structure layer by layer comprises:

distributing group keys and initial random number values of all nodes from the node to the root node to the child nodes of the nodes except for the leaf node and the parent node of the leaf node in the tree structure and including the root node;

6. The key management method according to claim 5, wherein after said distributing the group key and the initial random number value of all nodes from the self node to the root node, the method further comprises:

7. The key management method of claim 5, wherein after said distributing the group keys of all nodes from the self node to the root node, the method further comprises:

8. The key management method according to claim 1, wherein the preset trigger item is a node join, and correspondingly, the generating of the new group key according to the group key when the trigger item occurs, and the random number or the identity of the node newly joined in the tree structure, and the completing of the updating of the group key when the trigger item occurs specifically includes:

9. The key management method according to claim 8, wherein the generating, by the parent node of the newly joining node, the individual key of the newly joining node, and sending the individual key of the newly joining node to the newly joining node, specifically comprises:

10. The key management method according to claim 9, wherein after the generated individual key of the newly joining node is transmitted to the newly joining node by the parent node of the newly joining node, the method further comprises:

verifying the personal key of the new joining node based on the session key;

11. The key management method of claim 8, wherein after the updated group keys of all nodes from the self node to the root node are distributed layer by layer to the leaf nodes by the non-leaf nodes, the method further comprises:

12. The key management method according to claim 1, wherein the preset trigger is a node leaving, and correspondingly, the generating of a new group key according to the group key when the trigger occurs and the random number or the identity of a node newly added to the tree structure and the completing of updating the group key when the trigger occurs specifically includes:

13. The key management method of claim 12, wherein after the layer-by-layer distribution of the updated group keys from the self node to all nodes of the root node to the leaf node by the non-leaf node, the method further comprises:

14. The method according to claim 1, wherein when the preset trigger item is a preset time period, correspondingly, the generating a new group key according to the group key when the trigger item occurs, and the random number or the identity of the node newly added to the tree structure, and completing the updating of the group key when the trigger item occurs specifically includes:

15. The key management method of claim 14, wherein after the layer-by-layer distribution of the updated group keys from the self node to all nodes of the root node to the leaf node by the non-leaf node, the method further comprises:

16. The key management method according to claim 1, wherein the preset trigger item is a subgroup departure, and correspondingly, the generating a new group key according to the group key when the trigger item occurs and the random number or the identity of the newly added node in the tree structure, and completing the updating of the group key when the trigger item occurs specifically includes:

calling a random number generating function by a root node of the tree structure to generate a new random number, and distributing the new random number to respective child nodes by all nodes including the root node except leaf child nodes and father nodes of the leaf nodes in the tree structure;

17. The key management method of claim 16, wherein after said distributing the new random number, the method further comprises:

18. The key management method of claim 16, wherein after the layer-by-layer distribution of the updated group keys from the self node to all nodes of the root node to the leaf node by the non-leaf node, the method further comprises:

19. The key management method according to claim 1, wherein the preset trigger item is a subgroup join, and correspondingly, the generating a new group key according to the group key when the trigger item occurs, and the random number or the identity of the node newly added in the tree structure, and completing the updating of the group key when the trigger item occurs specifically includes:

based on the respective group key when the subgroups join and the identity of the highest management node of the newly added subgroups, calling a key derivation function by a non-leaf node in the tree structure, updating the respective group key by self, and distributing the updated group keys of all nodes from the node of the non-leaf node to the root node layer by layer to the leaf nodes of the tree structure;

20. The key management method according to claim 19, wherein the generating, by the parent node of the newly-added subgroup highest management node, the individual key of the newly-added subgroup highest management node, and sending the generated individual key of the newly-added subgroup highest management node to the newly-added subgroup highest management node, specifically comprises:

21. The key management method of claim 20, wherein after the generated individual key of the newly-added subgroup highest management node is transmitted to the newly-added subgroup highest management node by the parent node of the newly-added subgroup highest management node, the method further comprises:

22. The key management method of claim 19, wherein after said layer-by-layer distribution by the non-leaf nodes of the updated group keys from the self node to all nodes of the root node to the leaf nodes of the tree structure, the method further comprises:

23. The key management method according to claim 19, wherein the initializing of the individual key and the group key of the newly added subgroup by the highest management node of the newly added subgroup specifically comprises:

24. The key management method of any one of claims 1-23, wherein the distribution of the individual key and the group key both use an authenticatable encryption scheme.

25. A key management apparatus, for use in group communications, wherein connections between group members are in a tree structure, the apparatus comprising:

26. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements all or part of the steps of the key management method according to any one of claims 1 to 23 when executing the program.

27. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements all or part of the steps of the key management method according to any one of claims 1 to 23.