CN115459909A - Key data processing method and device - Google Patents

Info

Publication number: CN115459909A
Authority: CN (China)
Prior art keywords: key, data, primary, ciphertext, user
Legal status: Pending
Application number: CN202211070591.0A
Other languages: Chinese (zh)
Inventors: 郑培钿, 刘静, 李平, 周建平
Current Assignee: Industrial and Commercial Bank of China Ltd ICBC
Original Assignee: Industrial and Commercial Bank of China Ltd ICBC

Classifications

    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes


Abstract

The embodiment of the application provides a method and a device for processing key data, which relate to the field of information security, and the method comprises the following steps: receiving a data plaintext sent by a user, calling a pre-stored key to encrypt the data plaintext into a data ciphertext and returning the data ciphertext to the user, wherein the key is divided into a plurality of lower-level key components by a secret sharing or homomorphic encryption method during storage and then is held by different key holders; receiving a data ciphertext sent by the user, loading a corresponding key, decrypting the data ciphertext into a data plaintext, and returning the data plaintext to the user, wherein the key is formed by combining a plurality of lower-level key components by different key holders through a secret sharing or homomorphic encryption method during loading; the method and the device can effectively share the risk of key protection, and improve the security of key storage and loading.

Description

Key data processing method and device
Technical Field
The present application relates to the field of information security, and in particular, to a method and an apparatus for processing key data.
Background
In existing key storage and loading, a protection key is generally used to encrypt the working key plaintext into a ciphertext, the key ciphertext is then stored, and during loading it is decrypted back into plaintext with the protection key. The security of cryptographic techniques depends on the security of the key, which makes key management important.
Key management currently relies mainly on using one key to encrypt the key plaintext, so the key used for key management may itself have a key storage security problem. Management by a single key is too centralized, that is, the key risk is concentrated. Once the protection key is broken, the working key can be broken as well.
Disclosure of Invention
Aiming at the problems in the prior art, the application provides a key data processing method and device, which can effectively share the risk of key protection and improve the security of key storage and loading.
In order to solve at least one of the above problems, the present application provides the following technical solutions:
In a first aspect, the present application provides a key data processing method, including:
receiving a data plaintext sent by a user, calling a pre-stored key to encrypt the data plaintext into a data ciphertext and returning the data ciphertext to the user, wherein the key is divided into a plurality of lower-level key components by a secret sharing or homomorphic encryption method during storage and then is held by different key holders;
and receiving a data ciphertext sent by the user, loading a corresponding key, decrypting the data ciphertext into a data plaintext, and returning the data plaintext to the user, wherein the key is formed by combining a plurality of lower-level key components by different key holders through a secret sharing or homomorphic encryption method during loading.
Further, after receiving the data plaintext sent by the user, the method includes:
taking the data plaintext as a primary key main body and splitting the data plaintext into a plurality of primary key components through homomorphic encryption;
and taking the primary key component as a secondary key main body and splitting the primary key component into a plurality of secondary key components through secret sharing, wherein the primary key component and the secondary key components are respectively held by different key holders.
Further, after the receiving of the data ciphertext sent by the user, the method includes:
combining the secondary key components into a secondary key main body through secret sharing, and taking the obtained secondary key main body as a primary key component;
and combining the primary key components into a primary key main body through homomorphic encryption, and loading to obtain a corresponding key.
Further, the splitting the data plaintext as a primary key main body into a plurality of primary key components through homomorphic encryption further includes:
encrypting the primary key component according to a preset public key to obtain a primary key component ciphertext;
and signing the primary key component ciphertext according to a preset private key to obtain a signed primary key component ciphertext.
Further, the splitting the primary key component into a plurality of secondary key components by taking the primary key component as a secondary key main body and secret sharing further includes:
constructing a primary key component encryption function according to the random coefficient, the natural number sequence index and a preset public key;
and encrypting the identifier of each secondary key component holder according to the primary key component encryption function, and distributing the encrypted ciphertext to each secondary key component holder.
Further, the combining the secondary key components into a secondary key body through secret sharing, and using the obtained secondary key body as a primary key component, further includes:
decrypting the ciphertext stored by each secondary key component holder according to the primary key component encryption function and the secondary key component holder identification;
and carrying out signature verification on the first-level key component obtained after decryption.
Further, the combining the primary key components into a primary key body through homomorphic encryption, and loading to obtain a corresponding key includes:
receiving primary key component ciphertexts stored by each primary key component holder;
and combining the primary key component ciphertexts into a primary key main body cipher text through homomorphic encryption and decrypting to obtain a corresponding key.
In a second aspect, the present application provides a key data processing apparatus comprising:
the key storage module is used for receiving a data plaintext sent by a user, calling a pre-stored key to encrypt the data plaintext into a data ciphertext and returning the data ciphertext to the user, wherein the key is divided into a plurality of lower-level key components by a secret sharing or homomorphic encryption method during storage and then is held by different key holders;
and the key loading module is used for receiving the data ciphertext sent by the user, loading a corresponding key, decrypting the data ciphertext into a data plaintext and returning the data plaintext to the user, wherein the key is formed by combining a plurality of lower-level key components by different key holders through a secret sharing or homomorphic encryption method during loading.
In a third aspect, the present application provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the key data processing method when executing the program.
In a fourth aspect, the present application provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the key data processing method described.
In a fifth aspect, the present application provides a computer program product comprising computer programs/instructions which, when executed by a processor, implement the steps of the key data processing method.
According to the technical scheme, the data plaintext sent by a user is received, a pre-stored key is called to encrypt the data plaintext into a data ciphertext and the data ciphertext is returned to the user, wherein the key is divided into a plurality of lower-level key components by a secret sharing or homomorphic encryption method during storage and then held by different key holders; and receiving a data ciphertext sent by the user, loading a corresponding key, decrypting the data ciphertext into a data plaintext, and returning the data plaintext to the user, wherein the key is formed by combining a plurality of lower-level key components by different key holders through a secret sharing or homomorphic encryption method during loading, so that the risk of key protection can be effectively shared, and the security of key storage and loading is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic flow chart of a key data processing method in an embodiment of the present application;
Fig. 2 is a second schematic flowchart of a key data processing method in an embodiment of the present application;
Fig. 3 is a third schematic flowchart of a key data processing method in an embodiment of the present application;
Fig. 4 is a fourth schematic flowchart of a key data processing method in an embodiment of the present application;
Fig. 5 is a fifth schematic flowchart of a key data processing method in an embodiment of the present application;
Fig. 6 is a sixth schematic flowchart of a key data processing method in an embodiment of the present application;
Fig. 7 is a seventh schematic flowchart of a key data processing method in an embodiment of the present application;
Fig. 8 is a configuration diagram of a key data processing apparatus in an embodiment of the present application;
Fig. 9 is a schematic structural diagram of an electronic device in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the technical solution of the present application, the acquisition, storage, use and processing of data comply with the relevant provisions of national laws and regulations.
In view of the problems in the prior art, the present application provides a method and an apparatus for processing key data, where a data plaintext sent by a user is received, a pre-stored key is invoked to encrypt the data plaintext into a data ciphertext and the data ciphertext is returned to the user, where the key is split into multiple lower-level key components by a secret sharing or homomorphic encryption method during storage and then held by different key holders; and receiving a data ciphertext sent by the user, loading a corresponding key, decrypting the data ciphertext into a data plaintext, and returning the data plaintext to the user, wherein the key is formed by combining a plurality of lower-level key components by different key holders through a secret sharing or homomorphic encryption method during loading, so that the risk of key protection can be effectively shared, and the security of key storage and loading is improved.
In order to effectively share the risk of key protection and improve the security of key storage and loading, the present application provides an embodiment of a key data processing method, and referring to fig. 1, the key data processing method specifically includes the following contents:
Step S101: receiving a data plaintext sent by a user, calling a pre-stored key to encrypt the data plaintext into a data ciphertext and returning the data ciphertext to the user, wherein the key is divided into a plurality of lower-level key components by a secret sharing or homomorphic encryption method during storage and then is held by different key holders.
Step S102: receiving a data ciphertext sent by the user, loading a corresponding key, decrypting the data ciphertext into a data plaintext, and returning the data plaintext to the user, wherein the key is formed by combining a plurality of lower-level key components by different key holders through a secret sharing or homomorphic encryption method during loading.
Optionally, when the key service of the application is called, a data plaintext is sent, the key management module generates a key, encrypts the data plaintext into a ciphertext with the key, and returns the ciphertext to the service caller. Multi-level keys participate in the storage and loading of the key: each level of key can be split into a plurality of key components, each key component is held by one key holder, and the multi-level keys correspond to multi-level key components.
Optionally, in the key storage process, the upper-level key is split into the lower-level key components of the lower-level key by secret sharing or by the inverse method of homomorphic encryption.
Optionally, in the key loading process, the lower-level key components are combined into the upper-level key main body by the inverse method of secret sharing or by a homomorphic encryption method. This hierarchical splitting and combining of keys ensures the security of key storage and loading.
Optionally, after the key is loaded, the key service caller sends the data ciphertext, the key management module decrypts the data ciphertext with the key to obtain the data plaintext, and returns the data plaintext to the service caller.
The hierarchical key storage of the application takes two levels as an example: a primary key and a secondary key. The primary key can be split into a plurality of primary key components, and each primary key component is held by a corresponding primary key holder. Each primary key component, serving as a key main body, can in turn be split into a plurality of secondary key components, each held by a corresponding secondary key holder.
It can be understood that a key holder in the present application holds a key component, and the key holder may be a person, or a storage medium that can store the key, such as a USB disk, a database, or hardware.
For example, key splitting and combining at each level can use either secret sharing or homomorphic encryption. In this application, homomorphic encryption is used for the primary key and secret sharing for the secondary key.
In the primary key storage process, the key plaintext is used as the primary key main body and is split into a plurality of primary key components through homomorphic encryption. In the secondary key storage process, each primary key component is used as the key main body of the secondary key and is split into a plurality of secondary key components through secret sharing. With secret sharing, a certain number of secondary key components is required before the secondary key can be computed by combining them; all secondary key main bodies then serve as primary key components and are combined into the complete key through homomorphic encryption.
In the process of loading the primary key, a certain number of secondary key components are combined through secret sharing to calculate the secondary key. In the process of loading the secondary key, all secondary keys are used as primary key components, the identity of the key loader is verified by signature verification, the key is calculated by homomorphic encryption, and the key is loaded.
As can be seen from the above description, the key data processing method provided in the embodiment of the present application can encrypt the data plaintext into the data ciphertext by receiving the data plaintext sent by the user and invoking a pre-stored key, and return the data ciphertext to the user, where the key is split into multiple lower-level key components by a secret sharing or homomorphic encryption method during storage and then held by different key holders; and receiving a data ciphertext sent by the user, loading a corresponding key, decrypting the data ciphertext into a data plaintext, and returning the data plaintext to the user, wherein the key is formed by combining a plurality of subordinate key components by different key holders through a secret sharing or homomorphic encryption method during loading, so that the risk of key protection can be effectively shared, and the security of key storage and loading is improved.
In an embodiment of the key data processing method of the present application, referring to fig. 2, the following may be further included:
Step S201: taking the data plaintext as a primary key main body and splitting it into a plurality of primary key components through homomorphic encryption.
Step S202: taking the primary key component as a secondary key main body and splitting it into a plurality of secondary key components through secret sharing, wherein the primary key component and the secondary key components are respectively held by different key holders.
Referring to fig. 4, the step S201 may further specifically include the following contents:
Step S401: encrypting the primary key component according to a preset public key to obtain a primary key component ciphertext.
Step S402: signing the primary key component ciphertext according to a preset private key to obtain the signed primary key component ciphertext.
Referring to fig. 5, the step S202 may further specifically include the following steps:
Step S501: constructing a primary key component encryption function according to the random coefficient, the natural number sequence index and a preset public key.
Step S502: encrypting the identifier of each secondary key component holder according to the primary key component encryption function, and distributing the encrypted ciphertext to each secondary key component holder.
Optionally, the present application may receive the key plaintext and process the key. For N primary key holders, the key storage submodule splits the primary key main body into N primary key components p, and each primary key holder corresponds to one primary key component pn. The splitting can use the inverse method of an encryption algorithm based on multiplication, addition, exclusive-or and the like, so that the key can later be synthesized back with the corresponding method.
Taking N = 3 as an example and splitting by the inverse method of addition, 23 is split into the 3 primary key components 8, 6 and 9, i.e. p1 = 8, p2 = 6, p3 = 9.
The key storage submodule of the key management module generates a public/private key pair, namely a public key Puk0 and a private key Pri0. The public key Puk0 is sent to the primary key storage submodule 201 of the primary key management module of each primary key holder, and the private key Pri0 is stored in the key storage submodule.
Each primary key holder also generates a key pair; take the first primary key holder as an example. The primary key storage submodule of the primary key management module generates a public/private key pair, a public key Puk1 and a private key Pri1. The public key Puk1 is sent to the key storage submodule of the key management module, and the private key Pri1 is stored in the primary key storage submodule.
The key storage submodule of the key management module processes each key component. Take the first primary key component p1 as an example. The key storage submodule encrypts the primary key component p1 into a primary key component ciphertext E(Puk1, p1) using the public key Puk1, and sends E(Puk1, p1) to the primary key storage submodule of the corresponding primary key holder. The primary key storage submodule of the primary key holder first decrypts E(Puk1, p1) with the private key Pri1 to obtain the primary key component p1, then signs p1 with the private key Pri1 and stores the signature value Sign1 in the primary key storage submodule.
Optionally, the primary key storage submodule of the present application is configured to perform secondary key component storage processing on the primary key component p1.
For the secondary key component holders, the primary key storage submodule decomposes the primary key component p1 into a plurality of secondary key components. Taking the primary key component p1 as an example, assume that the number of secondary key component holders is w and set the security threshold to m, where m is less than w.
1) The primary key storage submodule randomly generates m random numbers as coefficients, i.e. $c_1, c_2, \ldots, c_i, \ldots, c_m$.
2) The primary key storage submodule constructs a natural number sequence as an exponent, such as 1, 3.
3) The primary key storage submodule encrypts the primary key component p1 into a ciphertext b using the public key Puk1, that is, b = E(Puk1, p1).
A function for the key component is constructed from the coefficients, the exponents and the ciphertext b of the primary key component:
Figure BDA0003829987170000071
where:
$c_1, c_2, \ldots, c_i, \ldots, c_m$ are generated randomly.
$u_1, u_2, \ldots, u_i, \ldots, u_m$ is a natural number sequence.
b is the ciphertext E(Puk1, p1) of the primary key component.
For each secondary key component holder, the primary key storage submodule substitutes the numerical value dm corresponding to that holder's identifier into the function f(x) to calculate a value z, that is, z = f(dm), and delivers the holder's identification value dm and the corresponding ciphertext z to the secondary key storage submodule of the secondary key management module of each secondary key holder for storage.
In an embodiment of the key data processing method of the present application, referring to fig. 3, the following may be further included:
Step S301: combining the secondary key components into a secondary key main body through secret sharing, and taking the obtained secondary key main body as a primary key component.
Step S302: combining the primary key components into a primary key main body through homomorphic encryption, and loading to obtain a corresponding key.
Referring to fig. 6, the step S301 may further specifically include the following steps:
Step S601: decrypting the ciphertext stored by each secondary key component holder according to the primary key component encryption function and the secondary key component holder identification.
Step S602: carrying out signature verification on the primary key component obtained after decryption.
Referring to fig. 7, the step S302 may further specifically include the following contents:
Step S701: receiving the primary key component ciphertext stored by each primary key component holder.
Step S702: combining the primary key component ciphertexts into a primary key main body ciphertext through homomorphic encryption and decrypting to obtain a corresponding key.
Optionally, according to the security threshold m, any m or more of the w secondary key holders may provide their components. The secondary key storage submodule of the secondary key management module of each such secondary key holder retrieves the stored identification value dm and ciphertext z of the secondary key and sends them to the primary key storage submodule of the primary key management module.
The primary key storage submodule of the primary key management module constructs a function from each received identification value dm and ciphertext z.
For the identification value d1 of the 1st secondary key and the ciphertext z1 = f(d1), construct the function:
Figure BDA0003829987170000081
For the identification value d2 of the 2nd secondary key and the ciphertext z2 = f(d2), construct the function:
Figure BDA0003829987170000082
By analogy, for the identification value dm of the mth secondary key and the ciphertext zm = f(dm), construct the function:
Figure BDA0003829987170000083
These functions form a system of equations, which is solved for the primary key ciphertext b to obtain E(Puk1, p1).
The primary key storage submodule decrypts b with the private key Pri1 to obtain the primary key component p1, signs p1 with the private key, and checks that the resulting signature value is consistent with the stored signature value Sign1. If the check fails, an error is reported. If the check succeeds, p1 is encrypted with the public key Puk0 of the key management system to obtain E(Puk0, p1), which is sent to the key loading submodule of the key management module.
The key loading submodule of the key management module receives the ciphertext E(Puk0, pn) of the corresponding primary key component from each primary key holder. Using homomorphic encryption, the ciphertexts E(Puk0, pn) of all primary key components are homomorphically synthesized into the ciphertext c of the key main body. The synthesis method is the inverse of the splitting method, that is, homomorphic encryption algorithms for multiplication, addition, exclusive-or and the like can be used, with Paillier taken as an example. The homomorphic synthesis result is decrypted with the private key Pri0, and D(Pri0, c) gives the key plaintext. The key plaintext is sent to the key service submodule.
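The two-level store and load flow described above, as an added Python example that is not part of the patent text: an additive split into primary components, threshold sharing of each component among secondary holders, and Paillier combination so the key loader only ever decrypts the sum. Assumptions: standard Shamir sharing over a prime field stands in for the patent's function f(x), which is not reproduced on this page; the per-holder key pairs (Puk1/Pri1) and the Sign1 check are omitted; all function names and the demo primes are constructed for illustration.

```python
# Added illustration, not the patent's code. Assumptions: standard Shamir sharing
# over a prime field stands in for the patent's f(x); per-holder key pairs and
# signatures are omitted; the Paillier primes are constructed demo values.
import secrets
from math import gcd

FIELD = 2**127 - 1           # prime modulus for additive parts and Shamir shares
P, Q = 2**61 - 1, 2**89 - 1  # demo primes, far too small for production use


def split_additive(key, n_parts, modulus=FIELD):
    """Level 1 store: n_parts values that sum to key (mod modulus)."""
    parts = [secrets.randbelow(modulus) for _ in range(n_parts - 1)]
    parts.append((key - sum(parts)) % modulus)
    return parts


def shamir_split(secret, m, holder_ids, prime=FIELD):
    """Level 2 store: holder id d receives z = f(d); any m shares give f(0)."""
    ids = [d % prime for d in holder_ids]
    if not 0 < m <= len(ids) or len(set(ids)) != len(ids) or 0 in ids:
        raise ValueError("need m <= w distinct, non-zero holder ids")
    coeffs = [secret % prime] + [secrets.randbelow(prime) for _ in range(m - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial
            acc = (acc * x + c) % prime
        return acc

    return [(d, f(d)) for d in ids]


def shamir_combine(shares, prime=FIELD):
    """Level 2 load: Lagrange interpolation of the shares at x = 0."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % prime
                den = (den * (xi - xj)) % prime
        secret = (secret + yi * num * pow(den, -1, prime)) % prime
    return secret


def paillier_keygen(p=P, q=Q):
    """Return (n, (lambda, mu)); the public key is n with generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))


def paillier_encrypt(n, m):
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    return ((1 + m * n) % n2) * pow(r, n, n2) % n2


def paillier_decrypt(n, priv, c):
    lam, mu = priv
    return ((pow(c, lam, n * n) - 1) // n) * mu % n


def homomorphic_sum(n, ciphertexts):
    """Multiplying Paillier ciphertexts adds the plaintexts underneath."""
    acc = 1
    for c in ciphertexts:
        acc = acc * c % (n * n)
    return acc


def store_key(key, n_primary, m, holder_ids):
    """Split key into primary parts, then threshold-share each part."""
    return [shamir_split(p, m, holder_ids) for p in split_additive(key, n_primary)]


def load_key(stored, m, n, priv):
    """Each primary holder rebuilds its part from m shares and sends E(Puk0, pn);
    the loader combines ciphertexts and decrypts only the sum (sum must be < n)."""
    cts = [paillier_encrypt(n, shamir_combine(shares[:m])) for shares in stored]
    return paillier_decrypt(n, priv, homomorphic_sum(n, cts)) % FIELD


if __name__ == "__main__":
    n, priv = paillier_keygen()
    # The patent's own numbers: 23 split into 8, 6 and 9 by the inverse of addition.
    cts = [paillier_encrypt(n, p) for p in (8, 6, 9)]
    print(paillier_decrypt(n, priv, homomorphic_sum(n, cts)))
    key = secrets.randbits(120)
    stored = store_key(key, n_primary=3, m=3, holder_ids=[11, 12, 13, 14, 15])
    print(load_key(stored, 3, n, priv) == key)
```

Fewer than m shares interpolate to an unrelated field element, which is why a single compromised secondary holder learns nothing about its primary component.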
In order to effectively share the risk of key protection and improve the security of key storage and loading, the present application provides an embodiment of a key data processing apparatus for implementing all or part of the content of the key data processing method, and referring to fig. 8, the key data processing apparatus specifically includes the following content:
the key storage module 10 is configured to receive a data plaintext sent by a user, call a pre-stored key to encrypt the data plaintext into a data ciphertext and return the data ciphertext to the user, where the key is split into a plurality of lower-level key components by a secret sharing or homomorphic encryption method during storage and then is held by different key holders.
And a key loading module 20, configured to receive a data ciphertext sent by the user, load a corresponding key, decrypt the data ciphertext into a data plaintext, and return the data plaintext to the user, where the key is formed by combining a plurality of lower-level key components by different key holders through a secret sharing or homomorphic encryption method during loading.
As can be seen from the above description, the key data processing apparatus provided in the embodiment of the present application can encrypt a data plaintext into a data ciphertext by receiving the data plaintext sent by a user, invoking a pre-stored key, and returning the data ciphertext back to the user, where the key is split into a plurality of lower-level key components by a secret sharing or homomorphic encryption method during storage and then is held by different key holders; and receiving a data ciphertext sent by the user, loading a corresponding key, decrypting the data ciphertext into a data plaintext, and returning the data plaintext to the user, wherein the key is formed by combining a plurality of subordinate key components by different key holders through a secret sharing or homomorphic encryption method during loading, so that the risk of key protection can be effectively shared, and the security of key storage and loading is improved.
In order to effectively share the risk of key protection and improve the security of key storage and loading on a hardware level, the present application provides an embodiment of an electronic device for implementing all or part of the contents in the key data processing method, where the electronic device specifically includes the following contents:
a processor, a memory, a communication interface, and a bus; the processor, the memory and the communication interface communicate with one another through the bus; the communication interface is used for information transmission between the key data processing apparatus and related equipment such as a core service system, a user terminal, and a related database; the logic controller may be a desktop computer, a tablet computer, a mobile terminal, and the like, but the embodiment is not limited thereto. In this embodiment, the logic controller may be implemented with reference to the embodiment of the key data processing method and the embodiment of the key data processing apparatus, the contents of which are incorporated herein; repeated descriptions are omitted.
It is understood that the user terminal may include a smart phone, a tablet electronic device, a network set-top box, a portable computer, a desktop computer, a Personal Digital Assistant (PDA), a vehicle-mounted device, a smart wearable device, and the like. The smart wearable device may include smart glasses, a smart watch, a smart bracelet, and the like.
In practical applications, part of the key data processing method may be executed on the electronic device side as described above, or all operations may be completed in the client device. The selection may be specifically performed according to the processing capability of the client device, the limitation of the user usage scenario, and the like. This is not a limitation of the present application. The client device may further include a processor if all operations are performed in the client device.
The client device may have a communication module (i.e., a communication unit), and may be communicatively connected to a remote server to implement data transmission with the server. The server may include a server on the task scheduling center side, and in other implementation scenarios, the server may also include a server on an intermediate platform, for example, a server on a third-party server platform that is communicatively linked to the task scheduling center server. The server may include a single computer device, or may include a server cluster formed by a plurality of servers, or a server structure of a distributed apparatus.
Fig. 9 is a schematic block diagram of a system configuration of an electronic device 9600 according to an embodiment of the present application. As shown in fig. 9, the electronic device 9600 can include a central processor 9100 and a memory 9140; the memory 9140 is coupled to the central processor 9100. It is noted that this fig. 9 is exemplary; other types of structures may also be used in addition to or in place of the structure to implement telecommunications or other functions.
In one embodiment, the key data processing method functions may be integrated into the central processor 9100. The central processor 9100 may be configured to control as follows:
Step S101: receiving a data plaintext sent by a user, calling a pre-stored key to encrypt the data plaintext into a data ciphertext, and returning the data ciphertext to the user, wherein during storage the key is split into a plurality of lower-level key components by a secret sharing or homomorphic encryption method and the components are then held by different key holders.
Step S102: receiving a data ciphertext sent by the user, loading the corresponding key, decrypting the data ciphertext into a data plaintext, and returning the data plaintext to the user, wherein during loading the key is formed by the different key holders combining a plurality of lower-level key components through a secret sharing or homomorphic encryption method.
As can be seen from the above description, the electronic device provided in the embodiment of the present application receives a data plaintext sent by a user, calls a pre-stored key to encrypt the data plaintext into a data ciphertext, and returns the data ciphertext to the user, where during storage the key is split into a plurality of lower-level key components by a secret sharing or homomorphic encryption method and the components are then held by different key holders. It also receives a data ciphertext sent by the user, loads the corresponding key, decrypts the data ciphertext into a data plaintext, and returns the data plaintext to the user, where during loading the key is formed by the different key holders combining a plurality of lower-level key components through a secret sharing or homomorphic encryption method. In this way, the risk of key protection can be effectively shared and the security of key storage and loading is improved.
In another embodiment, the key data processing apparatus may be configured separately from the central processor 9100, and for example, the key data processing apparatus may be configured as a chip connected to the central processor 9100, and the key data processing method function may be implemented by the control of the central processor.
As shown in fig. 9, the electronic device 9600 may further include: a communication module 9110, an input unit 9120, an audio processor 9130, a display 9160, and a power supply 9170. It is noted that the electronic device 9600 also does not necessarily include all of the components shown in fig. 9; in addition, the electronic device 9600 may further include components not shown in fig. 9, which may be referred to in the prior art.
As shown in fig. 9, a central processor 9100, sometimes referred to as a controller or operational control, can include a microprocessor or other processor device and/or logic device, which central processor 9100 receives input and controls the operation of the various components of the electronic device 9600.
The memory 9140 can be, for example, one or more of a buffer, a flash memory, a hard drive, a removable medium, a volatile memory, a non-volatile memory, or other suitable device. It may store the information relating to the failure, and may also store a program for executing the information. The central processor 9100 can execute the program stored in the memory 9140 to realize information storage or processing, or the like.
The input unit 9120 provides input to the central processor 9100. The input unit 9120 is, for example, a key or a touch input device. Power supply 9170 is used to provide power to electronic device 9600. The display 9160 is used for displaying display objects such as images and characters. The display may be, for example, an LCD display, but is not limited thereto.
The memory 9140 may be a solid-state memory, e.g., Read Only Memory (ROM), Random Access Memory (RAM), a SIM card, or the like. It may also be a memory that holds information even when power is off, can be selectively erased, and is provided with more data, an example of which is sometimes referred to as an EPROM or the like. The memory 9140 could also be some other type of device. The memory 9140 includes a buffer memory 9141 (sometimes referred to as a buffer). The memory 9140 may include an application/function storage portion 9142, the application/function storage portion 9142 being used for storing application programs and function programs or for executing a flow of operations of the electronic device 9600 by the central processor 9100.
The memory 9140 can also include a data store 9143, the data store 9143 being used to store data, such as contacts, digital data, pictures, sounds, and/or any other data used by an electronic device. The driver storage portion 9144 of the memory 9140 may include various drivers of the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging applications, contact book applications, etc.).
The communication module 9110 is a transmitter/receiver 9110 that transmits and receives signals via an antenna 9111. The communication module (transmitter/receiver) 9110 is coupled to the central processor 9100 to provide input signals and receive output signals, which may be the same as in the case of a conventional mobile communication terminal.
Based on different communication technologies, a plurality of communication modules 9110, such as a cellular network module, a bluetooth module, and/or a wireless local area network module, may be provided in the same electronic device. The communication module (transmitter/receiver) 9110 is also coupled to a speaker 9131 and a microphone 9132 via an audio processor 9130 to provide audio output via the speaker 9131 and receive audio input from the microphone 9132 to implement general telecommunications functions. The audio processor 9130 may include any suitable buffers, decoders, amplifiers and so forth. In addition, the audio processor 9130 is also coupled to the central processor 9100, thereby enabling recording locally through the microphone 9132 and enabling locally stored sounds to be played through the speaker 9131.
The embodiment of the present application further provides a computer-readable storage medium capable of implementing all the steps of the key data processing method whose main execution body is a server or a client in the above embodiments, where the computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, the computer program implements all the steps of the key data processing method whose main execution body is a server or a client in the above embodiments, for example, when the processor executes the computer program, the processor implements the following steps:
Step S101: receiving a data plaintext sent by a user, calling a pre-stored key to encrypt the data plaintext into a data ciphertext, and returning the data ciphertext to the user, wherein during storage the key is split into a plurality of lower-level key components by a secret sharing or homomorphic encryption method and the components are then held by different key holders.
Step S102: receiving a data ciphertext sent by the user, loading the corresponding key, decrypting the data ciphertext into a data plaintext, and returning the data plaintext to the user, wherein during loading the key is formed by the different key holders combining a plurality of lower-level key components through a secret sharing or homomorphic encryption method.
As can be seen from the above description, with the computer-readable storage medium provided in this embodiment of the present application, a data plaintext sent by a user is received, a pre-stored key is called to encrypt the data plaintext into a data ciphertext, and the data ciphertext is returned to the user, where during storage the key is split into a plurality of lower-level key components by a secret sharing or homomorphic encryption method and the components are then held by different key holders. A data ciphertext sent by the user is also received, the corresponding key is loaded, the data ciphertext is decrypted into a data plaintext, and the data plaintext is returned to the user, where during loading the key is formed by the different key holders combining a plurality of lower-level key components through a secret sharing or homomorphic encryption method. In this way, the risk of key protection can be effectively shared and the security of key storage and loading is improved.
Embodiments of the present application further provide a computer program product capable of implementing all steps of the key data processing method in which the execution subject in the above embodiments is a server or a client, and when executed by a processor, the computer program/instruction implements the steps of the key data processing method, for example, the computer program/instruction implements the following steps:
Step S101: receiving a data plaintext sent by a user, calling a pre-stored key to encrypt the data plaintext into a data ciphertext, and returning the data ciphertext to the user, wherein during storage the key is split into a plurality of lower-level key components by a secret sharing or homomorphic encryption method and the components are then held by different key holders.
Step S102: receiving a data ciphertext sent by the user, loading the corresponding key, decrypting the data ciphertext into a data plaintext, and returning the data plaintext to the user, wherein during loading the key is formed by the different key holders combining a plurality of lower-level key components through a secret sharing or homomorphic encryption method.
As can be seen from the above description, with the computer program product provided in the embodiment of the present application, a data plaintext sent by a user is received, a pre-stored key is called to encrypt the data plaintext into a data ciphertext, and the data ciphertext is returned to the user, where during storage the key is split into a plurality of lower-level key components by a secret sharing or homomorphic encryption method and the components are then held by different key holders. A data ciphertext sent by the user is also received, the corresponding key is loaded, the data ciphertext is decrypted into a data plaintext, and the data plaintext is returned to the user, where during loading the key is formed by the different key holders combining a plurality of lower-level key components through a secret sharing or homomorphic encryption method. In this way, the risk of key protection can be effectively shared and the security of key storage and loading is improved.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principle and the implementation mode of the invention are explained by applying specific embodiments in the invention, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (11)

1. A method of key data processing, the method comprising:
receiving a data plaintext sent by a user, calling a pre-stored key to encrypt the data plaintext into a data ciphertext and returning the data ciphertext to the user, wherein the key is divided into a plurality of lower-level key components by a secret sharing or homomorphic encryption method during storage and then is held by different key holders;
and receiving a data ciphertext sent by the user, loading a corresponding key, decrypting the data ciphertext into a data plaintext, and returning the data plaintext to the user, wherein the key is formed by combining a plurality of lower-level key components by different key holders through a secret sharing or homomorphic encryption method during loading.
2. The key data processing method according to claim 1, comprising, after the receiving of the data plaintext sent by the user:
taking the data plaintext as a primary key main body and splitting the data plaintext into a plurality of primary key components through homomorphic encryption;
and taking the primary key component as a secondary key main body and splitting the primary key component into a plurality of secondary key components through secret sharing, wherein the primary key component and the secondary key components are respectively held by different key holders.
3. The key data processing method according to claim 1, comprising, after the receiving of the data ciphertext sent by the user:
combining the secondary key components into a secondary key main body through secret sharing, and taking the obtained secondary key main body as a primary key component;
and combining the primary key components into a primary key main body through homomorphic encryption, and loading to obtain a corresponding key.
4. The key data processing method according to claim 2, wherein the taking of the data plaintext as a primary key main body and splitting it into a plurality of primary key components through homomorphic encryption further comprises:
encrypting the primary key component according to a preset public key to obtain a primary key component ciphertext;
and signing the primary key component ciphertext according to a preset private key to obtain a signed primary key component ciphertext.
5. The key data processing method according to claim 2, wherein the taking of the primary key component as a secondary key main body and splitting it into a plurality of secondary key components through secret sharing further comprises:
constructing a primary key component encryption function according to the random coefficient, the natural number sequence index and a preset public key;
and encrypting the identifier of each secondary key component holder according to the primary key component encryption function, and distributing the encrypted ciphertext to each secondary key component holder.
6. The key data processing method according to claim 3, wherein the combining of the secondary key components into a secondary key main body through secret sharing, and taking the obtained secondary key main body as the primary key component, further comprises:
decrypting the ciphertext stored by each secondary key component holder according to the primary key component encryption function and the secondary key component holder identification;
and carrying out signature verification on the primary key component obtained after decryption.
7. The key data processing method according to claim 3, wherein the combining of the primary key components into a primary key main body through homomorphic encryption, and loading to obtain a corresponding key, comprises:
receiving primary key component ciphertexts stored by each primary key component holder;
and combining the primary key component ciphertexts into a primary key main body ciphertext through homomorphic encryption and decrypting to obtain a corresponding key.
8. A key data processing apparatus, characterized by comprising:
the key storage module is used for receiving a data plaintext sent by a user, calling a pre-stored key to encrypt the data plaintext into a data ciphertext and returning the data ciphertext to the user, wherein the key is divided into a plurality of lower-level key components by a secret sharing or homomorphic encryption method during storage and then is held by different key holders;
and the key loading module is used for receiving the data ciphertext sent by the user, loading a corresponding key, decrypting the data ciphertext into a data plaintext and returning the data plaintext to the user, wherein the key is formed by combining a plurality of lower-level key components by different key holders through a secret sharing or homomorphic encryption method during loading.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the key data processing method of any one of claims 1 to 7 when executing the program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the key data processing method of any one of claims 1 to 7.
11. A computer program product comprising computer programs/instructions, characterized in that the computer programs/instructions, when executed by a processor, implement the steps of the key data processing method of any of claims 1 to 7.
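The two-level split and load of claims 2, 3 and 7, shown as an added example that is not part of the patent text. It assumes Shamir's scheme for the secret-sharing level and textbook Paillier (additively homomorphic) for the homomorphic level, with additive primary components whose ciphertexts are what gets shared at the secondary level; these choices, the toy primes and every function name are assumptions made here, since the claims do not name specific schemes.

```python
import secrets

# Assumed toy parameters (not from the patent): Mersenne primes keep the demo
# self-contained. A real deployment needs a >= 2048-bit Paillier modulus.
SHAMIR_P = 2**521 - 1                      # field for the secondary (Shamir) level
PAILLIER_PRIMES = (2**61 - 1, 2**89 - 1)   # toy factors of the Paillier modulus


def paillier_keygen(p, q):
    """Textbook Paillier with g = n + 1; returns (public n, private (n, lam, mu))."""
    n, lam = p * q, (p - 1) * (q - 1)
    return n, (n, lam, pow(lam, -1, n))


def paillier_encrypt(n, m):
    r = secrets.randbelow(n - 1) + 1       # random blinding factor in [1, n)
    return (1 + m * n) * pow(r, n, n * n) % (n * n)


def paillier_decrypt(priv, c):
    n, lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n


def shamir_split(secret, t, n):
    """Points (x, f(x)), x = 1..n, of a random degree t-1 polynomial, f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(SHAMIR_P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):              # x plays the role of the holder identifier
        y = 0
        for c in reversed(coeffs):         # Horner evaluation
            y = (y * x + c) % SHAMIR_P
        shares.append((x, y))
    return shares


def shamir_combine(shares):
    """Lagrange interpolation at x = 0 over the holder indices supplied."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate holder index")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * -xj % SHAMIR_P
                den = den * (xi - xj) % SHAMIR_P
        secret = (secret + yi * num * pow(den, -1, SHAMIR_P)) % SHAMIR_P
    return secret


def store_key(key, pub_n, n_primary, t, n_secondary):
    """Storage: key -> additive primary components -> ciphertexts -> Shamir shares."""
    if not 0 <= key < pub_n:
        raise ValueError("key must be smaller than the Paillier modulus")
    parts = [secrets.randbelow(pub_n) for _ in range(n_primary - 1)]
    parts.append((key - sum(parts)) % pub_n)   # components sum to the key mod n
    ciphertexts = [paillier_encrypt(pub_n, m) for m in parts]
    return [shamir_split(c, t, n_secondary) for c in ciphertexts]


def load_key(share_sets, priv):
    """Loading: recover each primary ciphertext, add homomorphically, decrypt once."""
    n = priv[0]
    combined = 1                           # a valid Paillier encryption of 0
    for shares in share_sets:
        combined = combined * shamir_combine(shares) % (n * n)
    return paillier_decrypt(priv, combined)


def demo():
    pub_n, priv = paillier_keygen(*PAILLIER_PRIMES)
    key = secrets.randbits(128)            # constructed sample key
    share_sets = store_key(key, pub_n, n_primary=3, t=2, n_secondary=3)
    quorum = [s[1:] for s in share_sets]   # holders 2 and 3 of each component
    return key, load_key(quorum, priv), share_sets, priv
```

Because the primary components are only ever combined as ciphertexts, the individual plaintext components never reappear at load time; a set of secondary holders below the threshold `t` reconstructs an unrelated value rather than the key.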
CN202211070591.0A 2022-09-02 2022-09-02 Key data processing method and device Pending CN115459909A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211070591.0A CN115459909A (en) 2022-09-02 2022-09-02 Key data processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211070591.0A CN115459909A (en) 2022-09-02 2022-09-02 Key data processing method and device

Publications (1)

Publication Number Publication Date
CN115459909A true CN115459909A (en) 2022-12-09

Family

ID=84301909

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211070591.0A Pending CN115459909A (en) 2022-09-02 2022-09-02 Key data processing method and device

Country Status (1)

Country Link
CN (1) CN115459909A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116800419A (en) * 2023-08-14 2023-09-22 深圳竹云科技股份有限公司 Key generation method, device, computer equipment and storage medium
CN116800419B (en) * 2023-08-14 2023-11-21 深圳竹云科技股份有限公司 Key generation method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination