CN115664662A - Key processing method and device - Google Patents


Publication number
CN115664662A
Authority
CN
China
Prior art keywords
key
server
spare
target
database
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202211381898.2A
Other languages
Chinese (zh)
Other versions
CN115664662B (en)
Inventor
朱云
李元骅
可为
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Shudun Information Technology Co ltd
Original Assignee
Beijing Shudun Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Shudun Information Technology Co ltd
Priority to CN202211381898.2A
Publication of CN115664662A
Application granted
Publication of CN115664662B
Legal status: Active
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a key processing method and device. The method comprises: receiving a key application request sent by a key service application through a load balancer; obtaining a target key from a spare key table of a key database server according to the key application request; transferring the target key to an in-use key table and binding the target key to the key service application; receiving a key query request sent by the key service application through the load balancer; and obtaining the target key from the in-use key table according to the key query request and sending it to the key service application through the load balancer. The scheme maintains system stability in high-concurrency scenarios.

Description

Key processing method and device
Technical Field
The present invention relates to the field of computer information processing technologies, and in particular, to a method and an apparatus for processing a key.
Background
With the continuous development of information technology, network security is more and more important, and cryptographic technology is the core and the foundation of network security. In the use process of the cryptographic technology, the support of a key server is required. Standard key management systems have matured according to relevant standards promulgated by the national crypto authority.
However, as security requirements grow, conventional key management systems expose the following problems: they cannot support higher levels of concurrency; the capacity of the key store is limited to the tens of millions; and they cannot support secure, multi-region distributed deployment of a main center and sub-centers.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a key processing method and device that maintain system stability in high-concurrency scenarios.
In order to solve the technical problems, the technical scheme of the invention is as follows:
a key processing method is applied to a key server, and comprises the following steps:
receiving a key application request sent by a key service application through a load balancer;
obtaining a target key from a standby key table of a key database server according to the key application request;
transferring the target key to an in-use key table, and binding the target key with the key service application;
receiving a key query request sent by the key service application through the load balancer;
and acquiring the target key from the in-use key table according to the key query request, and sending the target key to the key service application through the load balancer.
Optionally, the key database server includes: at least one spare key table and at least one active key table;
wherein the at least one spare key table has spare keys stored therein.
Optionally, the process of storing the spare key in the spare key table includes:
generating a spare secret key;
calculating a spare key identifier;
calculating the hash value of the spare key identification;
taking the hash value modulo the number of the at least one spare key table to obtain a first value;
storing the spare key in the target spare key table whose index is the first value.
Optionally, obtaining the target key from the in-use key table according to the key query request includes:
acquiring a key identification to be inquired;
calculating a hash value of the key identifier;
taking the hash value modulo the number of the at least one in-use key table to obtain a second value;
reading the target key from the in-use key table whose index is the second value.
Optionally, the key database server includes: at least one key database, said key database comprising a spare key table and a working key table; wherein, the spare key table stores spare keys.
Optionally, the process of storing the spare key in the key database includes:
generating a spare key;
calculating a spare secret key identifier;
calculating the hash value of the spare key identification;
taking the hash value modulo the number of key databases to obtain a third value;
and storing the spare key in the target key database whose index is the third value.
Optionally, obtaining the target key from the in-use key table according to the key query request includes:
acquiring a key identification to be inquired;
calculating a hash value of the key identifier;
taking the hash value modulo the number of the at least one key database to obtain a fourth value;
reading the target key from the in-use key table in the key database whose index is the fourth value.
Optionally, the key processing method further includes:
receiving a secure channel establishment request sent by a sub-center key server, wherein the secure channel establishment request carries:
encrypting the generated first random number by using an encryption public key certificate of the key server, and signing the first random number by using a signature private key of the sub-center key server to obtain first signature data;
the key server decrypts the first signature data by using a private key of the key server, checks the signature of the first signature data by using a public key of the sub-center key server, and sends a secure channel establishment response to the sub-center key server after the signature is checked, wherein the secure channel response carries a second random number generated by the key server;
the key server and the sub-center key server respectively obtain a session key according to the XOR of a first random number and a second random number;
and the key server and the sub-center key server transmit data based on the session key.
An embodiment of the present invention further provides a key processing apparatus, including:
the receiving and sending module is used for receiving a key application request sent by the key service application through the load balancer;
the processing module is used for obtaining a target key from a standby key table of a key database server according to the key application request; transferring the target key to an in-use key table, and binding the target key with the key service application;
the receiving and sending module is also used for receiving a key query request sent by the key service application through the load balancer; and acquiring the target key from the in-use key table according to the key query request, and sending the target key to the key service application through the load balancer.
Embodiments of the present invention also provide a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the method as described above.
The scheme of the invention at least comprises the following beneficial effects:
the scheme of the invention receives the key application request sent by the key service application through the load balancer; obtaining a target key from a standby key table of a key database server according to the key application request; transferring the target key to an in-use key table, and binding the target key with the key service application; receiving a key query request sent by the key service application through the load balancer; according to the key query request, obtaining the target key from the key table in use, and sending the target key to the key service application through the load balancer; the method can support high-concurrency key service requests, and can keep the stability of the system under the high-concurrency scene.
Drawings
FIG. 1 is a flow chart illustrating a key processing method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a Nginx deployment architecture oriented to high concurrency scenarios according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating a sub-table structure of a key database according to an embodiment of the present invention;
FIG. 4 is a flow chart of locating the table in which a generated spare key is stored, according to an embodiment of the present invention;
FIG. 5 is a flow chart of locating the table from which an in-use key is read, according to an embodiment of the present invention;
FIG. 6 is a diagram illustrating a key database sub-database structure according to an embodiment of the present invention;
FIG. 7 is a flow chart of locating the key database in which a generated spare key is stored, according to an embodiment of the present invention;
FIG. 8 is a flow chart of locating the key database from which an in-use key is read, according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of a key hierarchy management structure of an embodiment of the present invention;
FIG. 10 is a schematic diagram of the secure channel establishment process between the master center and a sub-center of the key management system according to an embodiment of the present invention;
FIG. 11 is a software architecture diagram of a key server according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As shown in fig. 1, an embodiment of the present invention provides a key processing method, applied to a key server, where the method includes:
step 11, receiving a key application request sent by a key service application through a load balancer;
step 12, obtaining a target key from a standby key table of a key database server according to the key application request;
step 13, transferring the target key to an in-use key table, and binding the target key with the key service application;
step 14, receiving a key query request sent by the key service application through the load balancer;
and step 15, obtaining the target key from the in-use key table according to the key query request, and sending the target key to the key service application through the load balancer.
The embodiment transmits a key application request sent by a key service application to a key database server through a load balancer; obtaining a target key from a standby key table of a key database server according to the key application request; here, the key database server is in communication connection with the key server; transferring the target key to an in-use key table, and binding the target key with the key service application; receiving a key query request sent by the key service application through the load balancer; according to the key query request, obtaining the target key from the key table in use, and sending the target key to the key service application through the load balancer; the method can support high-concurrency key service requests, and can keep the stability of the system under the high-concurrency scene.
As shown in fig. 2, the system architecture between the key service application, the load balancer, and the key server adopts a key management system cluster to improve the handling of instantaneous high-concurrency data requests.
The key processing mechanism for the high-concurrency scenario may use Nginx software as the front-end load balancer: the Nginx load balancer 203 distributes highly concurrent requests, according to a certain policy, to the key management system servers that it proxies, so that the request-processing pressure on the key servers is relieved.
In a high concurrency scenario, the key service application 201 and the key service application 202 send key data request messages to the terminal Nginx load balancer 203;
the Nginx load balancer 203 proxies the whole key management system server cluster 204, and starts to process the request message after receiving the key application request message sent by the key service application 201 and the key service application 202;
the Nginx load balancer 203 inquires a load balancing strategy of the Nginx load balancer, and selects a key server from the key management system server cluster 204 according to the load balancing strategy, wherein the key server may be any one of the three key servers 205-207;
after the key server is selected, the Nginx load balancer 203 forwards the data message sent by the key service application end to the selected key server;
after receiving the data message forwarded by the Nginx load balancer 203, the key server starts to analyze the message;
if the message format is correct, the key server starts to process the service logic; otherwise, it returns the specified error information to the key service application;
when the message format is correct, the key server starts to process the received data message.
Based on the data parsed from the message, the key server queries the spare key library, takes out the specified number of keys that meet the conditions, transfers them to the in-use library of the key server, and binds them to the identifier of the key service application that sent the request.
After the service logic processing is finished, the keys moved to the in-use library are encapsulated into a data format message, and the encapsulated message is returned directly to the key service application. This completes the request-response logic in a high-concurrency scenario. The key processing mechanism for the high-concurrency scenario may also use hardware as the front-end load balancer.
In an alternative embodiment of the present invention, as shown in fig. 3, the key database server includes: at least one spare key table and at least one active key table; wherein the at least one spare key table has spare keys stored therein.
In this embodiment, a plurality of tables having the same table structure are stored, and key data are horizontally distributed in different tables, so that the storage amount of the key data is increased, and the performance of a single table is not affected.
In a database, a table can be split horizontally into N tables with the same table structure. When N is 1024 and each table holds 10 million records, tables of this structure can store more than 10 billion records, which greatly expands the key capacity. In this embodiment, the number of spare key tables and the number of active key tables are the same.
In this embodiment, the process of storing the spare key in the spare key table includes:
step 41, generating a spare key;
step 42, calculating a spare key identifier;
step 43, calculating a hash value of the spare key identifier;
step 44, taking the hash value modulo the number of the at least one spare key table to obtain a first value n1;
step 45, storing the spare key in the target spare key table whose index is the first value n1.
In this embodiment, the key server obtains the key data of the key database by connecting to the key database server. Because there are multiple tables with the same structure, when the key server stores a generated key it must determine which of the N tables the key goes into, and when it reads key data it must determine which of the N tables to read from.
As shown in fig. 4, in this embodiment, taking a process of generating a standby key and then storing the standby key in a database to locate a specific table as an example, the specific steps are as follows:
step 401, the key server generates a standby key;
step 402, calculating a spare key identifier UUID;
step 403, calculating a hashCode value of the UUID;
step 404, taking the calculated hashCode value modulo the number of horizontal sub-tables to obtain n1;
step 405, the obtained n1 identifies the specific table.
After the specific table is located, data operations can be performed on table n1, and the spare key data is stored in that table.
In an alternative embodiment of the present invention, step 15 may include:
step 151, obtaining a key identifier to be queried;
step 152, calculating a hash value of the key identifier;
step 153, taking the hash value modulo the number of the at least one in-use key table to obtain a second value n2;
step 154, reading the target key from the in-use key table whose index is the second value n2.
Specifically, as shown in fig. 5, taking the process of locating the specific table when reading an in-use key as an example, the specific steps are as follows:
step 501, a key server receives a key query request from a key service application, and request information carries a key identifier UUID to be queried;
step 502, calculating a hashCode value of the UUID;
step 503, taking the calculated hashCode value modulo the number of horizontal sub-tables to obtain n2;
step 504, the obtained n2 identifies the specific table.
After the specific table is located, the key server can operate on table n2 and read the corresponding key data according to the key identifier UUID.
As shown in fig. 6, the key database server includes: at least one key database, said key database comprising a spare key table and a working key table; wherein, the spare key table stores spare keys.
In the embodiment, the key database is horizontally split into a plurality of key databases with the same structure, so that the key data are horizontally dispersed in different key databases, the storage capacity of the key data is increased, and the influence of the performance of a single database is avoided.
A key database can likewise be split horizontally into N databases with the same structure. When N is 1024 and each database holds 10 million records, this structure can store more than 10 billion records, which greatly expands the key capacity.
In this embodiment, the process of storing the spare key in the key database includes:
step 71, generating a spare key;
step 72, calculating a spare key identifier;
step 73, calculating the hash value of the spare key identifier;
step 74, obtaining a third value n3 by using the hash value to modulo the number of the key database;
step 75, the spare key is stored in the target key database with the index as the third value n3.
Specifically, as shown in fig. 7, the key server obtains the key data of the key database by connecting to the key database server. Because there are multiple databases with the same structure, when the key server stores a generated key it must determine which of the N databases the key goes into, and when it reads key data it must determine which of the N databases to read from.
As shown in fig. 7, taking a process of generating a spare key and then storing the spare key in a database to locate a specific database as an example, the specific steps are as follows:
step 701, a key server generates a standby key;
step 702, calculating a spare key identifier UUID;
step 703, calculating a hashCode value of the UUID;
step 704, taking the calculated hashCode value modulo the number of horizontal sub-databases to obtain a third value n3;
step 705, the obtained n3 identifies the specific key database n3.
After the specific database is located, data operations can be performed on database n3, and the spare key data is stored in that database. If the database is itself split into tables, the table-locating technique is then applied to locate the specific table.
In an alternative embodiment of the present invention, step 15 may include:
step 155, obtaining the key identification to be queried;
step 156, calculating the hash value of the key identifier;
step 157, taking the hash value modulo the number of the at least one key database to obtain a fourth value n4;
step 158, reading the target key from the in-use key table in the key database whose index is the fourth value n4.
Specifically, as shown in fig. 8, taking the process of locating the specific database when reading an in-use key as an example, the specific steps are as follows:
step 801, the key server receives a key query request from a key service application, where the request carries the key identifier UUID to be queried;
step 802, calculating a hashCode value of the UUID;
step 803, taking the calculated hashCode value modulo the number of horizontal sub-databases to obtain n4;
step 804, the obtained n4 identifies the specific key database. After the specific key database is located, the key management system server can operate on key database n4.
If the database is itself split into tables, the table-locating technique is then applied to locate the specific table, and the corresponding key data is read according to the key identifier UUID.
The database connected to each key server may adopt the horizontal sub-table structure shown in fig. 3 or the horizontal sub-database structure shown in fig. 6; if a larger key capacity must be supported, the sub-table and sub-database structures can be used in combination.
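The table and database location steps above, as an added Go example that is not part of the patent text: identifiers are routed by hash modulo N, a spare key moves to the in-use table with the same index, and a negative hash is normalised before it is used as an index. It assumes that the page's hashCode is Java's String.hashCode and uses a hypothetical in-memory KeyStore in place of the key database server; the same routing applies when the N units are databases instead of tables.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// javaHashCode reproduces Java's String.hashCode for ASCII identifiers, wrapping
// in a signed 32-bit integer. Assumption: the page's "hashCode" is this function.
func javaHashCode(s string) int32 {
	var h int32
	for i := 0; i < len(s); i++ {
		h = 31*h + int32(s[i])
	}
	return h
}

// shardIndex maps a key identifier to an index in [0, n). hashCode can be
// negative and % keeps the sign of the dividend, so the remainder is normalised.
func shardIndex(keyID string, n int) int {
	r := int(javaHashCode(keyID)) % n
	if r < 0 {
		r += n
	}
	return r
}

type record struct {
	wrapped []byte // key material, assumed already encrypted under the master key
	appID   string // empty while the key is spare
}

// KeyStore holds n spare tables and n in-use tables (hypothetical in-memory
// stand-in for the key database server).
type KeyStore struct {
	mu    sync.Mutex
	spare []map[string]record
	inUse []map[string]record
}

func NewKeyStore(n int) *KeyStore {
	s := &KeyStore{spare: make([]map[string]record, n), inUse: make([]map[string]record, n)}
	for i := 0; i < n; i++ {
		s.spare[i] = map[string]record{}
		s.inUse[i] = map[string]record{}
	}
	return s
}

// StoreSpare files a generated key in spare table n1 and returns n1.
func (s *KeyStore) StoreSpare(keyID string, wrapped []byte) int {
	n1 := shardIndex(keyID, len(s.spare))
	s.mu.Lock()
	defer s.mu.Unlock()
	s.spare[n1][keyID] = record{wrapped: wrapped}
	return n1
}

// Apply moves one spare key to the in-use table with the same index and binds it
// to appID, under one lock so two concurrent applicants never get the same key.
func (s *KeyStore) Apply(appID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	for i, table := range s.spare {
		for keyID, rec := range table {
			delete(table, keyID)
			rec.appID = appID
			s.inUse[i][keyID] = rec
			return keyID, nil
		}
	}
	return "", errors.New("no spare key available")
}

// Query locates in-use table n2 from the identifier alone and returns the key
// only to the application it is bound to (the ownership check is an assumption).
func (s *KeyStore) Query(appID, keyID string) ([]byte, error) {
	n2 := shardIndex(keyID, len(s.inUse))
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.inUse[n2][keyID]
	if !ok || rec.appID != appID {
		return nil, errors.New("key not found for this application")
	}
	return rec.wrapped, nil
}

func main() {
	store := NewKeyStore(1024)
	// Constructed sample identifiers, not real keys.
	for _, id := range []string{"zzzzzz", "3f2b8c1e-0000-4000-8000-000000000001"} {
		fmt.Println(id, "-> spare table", store.StoreSpare(id, []byte("wrapped:"+id)))
	}
	id, _ := store.Apply("app-201")
	key, err := store.Query("app-201", id)
	fmt.Println(id, string(key), err)
}
```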
In an optional embodiment of the present invention, the key processing method further includes:
step 16, receiving a secure channel establishment request sent by the sub-center key server, where the secure channel establishment request carries: the result of encrypting the generated random number randomA by using the encryption public key certificate of the key server, and of signing randomA by using the signature private key of the sub-center key server to obtain first signature data;
step 17, the key server decrypts the first signature data by using a private key of the key server, checks the signature of the first signature data by using a public key of the sub-center key server, and sends a secure channel establishment response to the sub-center key server after the signature passes, wherein the secure channel response carries a random number randomB generated by the key server;
step 18, the key server and the sub-center key server each obtain a session key K by XORing randomA and randomB;
step 19, the key server and the sub-center key server transmit data based on the session key K.
Specifically, as shown in fig. 9, with the key hierarchical management and multi-security-domain control method, the key management system can support hierarchical key management across a master center and sub-centers, so that multiple security domains are controlled separately and security is improved.
The key hierarchical management adopts a deployment mode that a main center and a branch center are physically isolated, and each center adopts a respective security policy. The centers are connected through a safety channel.
The key server can be initialized as a master center or as a sub-center. The process of initializing it as the master center key server includes:
(1) Filling basic information of the master center key server, including the name, the physical position, the affiliated area and the like of the master center key server;
(2) Uploading an encrypted public key certificate and a signed public key certificate of a master center key server;
(3) Configuring a security policy, wherein the security policy comprises whether the sub-center key server is allowed to be connected or not;
the sub-center key server initialization process comprises the following steps:
(1) Filling basic information of the sub-center key server, including the name, the physical position, the area to which the sub-center key server belongs and the like;
(2) Selecting a master central key server to which the sub-central key server belongs;
(3) Uploading an encrypted public key certificate and a signature public key certificate of a sub-center key server;
(4) Configuring a security policy;
after the master center key server and the sub-center key servers are configured respectively, the master center key server and the sub-center key servers can communicate with each other. The communication data between them is transmitted through the secure channel.
Fig. 10 shows a process of establishing a secure channel between the sub-center key server and the master center key server:
(1) The sub-center key server A generates a first random number randomA;
(2) The sub-center key server A encrypts randomA by using the encryption public key certificate of the master center key server B, and signs randomA by using its own signature private key;
(3) The sub-center key server A splices the encrypted data and the signed data and then sends the spliced data to the main center key server B;
(4) After receiving the data, the master center key server B decrypts the encrypted data by using its own private key, and verifies the signature data by using the public key of the sub-center key server A.
If the signature passes verification, the process continues; otherwise, error information is returned;
(5) The master center key server B generates a second random number randomB, and XORs randomA with randomB to obtain a session key K;
(6) The master center key server B encrypts randomB by using the encryption public key certificate of the sub-center key server A, and signs randomB by using its own signature private key;
(7) The master center key server B splices the encrypted data and the signed data and then sends the spliced data to the sub-center key server A;
(8) And after receiving the data, the sub-center key server A decrypts the data by using the private key of the sub-center key server A, and verifies the signature of the signature data by using the public key of the main center key server B. If the signature passes the verification, continuing, otherwise, returning error information;
(9) The sub-center key server A XORs the randomA it generated itself with the randomB obtained by decryption to obtain the session key K.
(10) The sub-center key server A and the master center key server B have now generated the same session key K, and the establishment of the secure channel is complete.
After the secure channel between the sub-center key server and the master center key server is established, secure communication can be carried out. The secure channel is time-limited and expires when the limit set in the security policy is reached. To communicate again, the secure channel must first be re-established.
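The ten-step exchange above, simulated in one process as an added Go example (not code from the patent); it also shows that a failed decryption or signature check aborts the exchange. RSA-OAEP and RSA-PSS stand in for the unnamed certificate algorithms, 32-byte random numbers are assumed, and the party type and function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const nonceLen = 32 // length of randomA and randomB; an assumption of this example

// party holds the two key pairs each key server owns: one for encryption, one
// for signatures. RSA-OAEP and RSA-PSS are stand-ins chosen for this example.
type party struct {
	enc, sign *rsa.PrivateKey
}

func newParty() (*party, error) {
	enc, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	sign, err := rsa.GenerateKey(rand.Reader, 2048)
	return &party{enc: enc, sign: sign}, err
}

// seal encrypts nonce to the peer's encryption key and signs it with the sender's
// signature key (steps 2 and 6). The parts are returned separately, not spliced.
func seal(nonce []byte, self *party, peerEnc *rsa.PublicKey) (ct, sig []byte, err error) {
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, peerEnc, nonce, nil)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(nonce)
	sig, err = rsa.SignPSS(rand.Reader, self.sign, crypto.SHA256, digest[:], nil)
	return ct, sig, err
}

// open decrypts with the receiver's private key and verifies the sender's
// signature over the recovered nonce (steps 4 and 8). Any failure aborts.
func open(ct, sig []byte, self *party, peerSign *rsa.PublicKey) ([]byte, error) {
	nonce, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, self.enc, ct, nil)
	if err != nil || len(nonce) != nonceLen {
		return nil, errors.New("decryption failed")
	}
	digest := sha256.Sum256(nonce)
	if err := rsa.VerifyPSS(peerSign, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature check failed")
	}
	return nonce, nil
}

// deliver seals nonce at the sender and opens it at the receiver.
func deliver(nonce []byte, from, to *party) ([]byte, error) {
	ct, sig, err := seal(nonce, from, &to.enc.PublicKey)
	if err != nil {
		return nil, err
	}
	return open(ct, sig, to, &from.sign.PublicKey)
}

func xorKey(a, b []byte) []byte {
	k := make([]byte, len(a))
	for i := range a {
		k[i] = a[i] ^ b[i]
	}
	return k
}

// handshake runs the exchange between sub-center A and master center B and
// returns the session key K as each side computed it.
func handshake(a, b *party) (kA, kB []byte, err error) {
	randomA := make([]byte, nonceLen)
	if _, err = rand.Read(randomA); err != nil {
		return nil, nil, err
	}
	gotA, err := deliver(randomA, a, b) // steps 1-4: A -> B
	if err != nil {
		return nil, nil, err
	}
	randomB := make([]byte, nonceLen)
	if _, err = rand.Read(randomB); err != nil {
		return nil, nil, err
	}
	gotB, err := deliver(randomB, b, a) // steps 6-8: B -> A
	if err != nil {
		return nil, nil, err
	}
	return xorKey(randomA, gotB), xorKey(gotA, randomB), nil // steps 9 and 5
}

func main() {
	a, _ := newParty()
	b, _ := newParty()
	kA, kB, err := handshake(a, b)
	fmt.Println("keys match:", bytes.Equal(kA, kB), "err:", err)
}
```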
As shown in fig. 11: the above-mentioned key server 11 also has at least one of the following functional modules,
a user management module: maintenance and management of all administrative user information in a key system is provided. Including managing the user's role and the role's rights management and maintenance. Users can log in to access the key management system only after the related roles are given, and only resources which are authorized to be accessed can be accessed, and the safety of data and services is guaranteed by the separation of the authority. The authorization and authentication of the user role authority during login are provided by the identity authentication module.
An identity authentication module: the identity authentication module provides authority management for access application, including application authorization and authentication, provides authorization and authentication when the whole key management system manages user login, and ensures that only legal management user can access own authorized key management system resource. The identity authentication module is one of the core modules in the whole key management system, and plays a role in protecting the resource safety of the whole key management system.
The key application management module: the key application management module provides maintenance and management of the information of the key service application accessed in the whole key server. The operation comprises application addition, application deletion, application freezing and application authorization. The key server can access a plurality of key service applications and provide key generation service for the plurality of key service applications.
A key management module: the key management module is used for the operation and maintenance of symmetric key and asymmetric key information. The operations comprise key generation, key revocation, key destruction, key import, key export, key backup, key restart, key archiving and key recovery. The security of the use and storage of the keys is crucial. Keys are generated by the hardware cryptographic card, which ensures the randomness of key generation.
In the key server, the hardware cryptographic card generates the master key, which is encrypted with a key pair inside the hardware cryptographic card; the user key pair inside the cryptographic card cannot be exported to a storage location outside the card, so that the security of the system master key in the key management system is ensured.
The symmetric keys and the private keys of the asymmetric key pairs generated in the key server are encrypted with the master key of the key server and then stored in the database of the key server; encrypted storage guarantees the security of the keys. In addition, a MAC value is verified for each key in the key database, so that unauthorized modification of key data can be prevented and problem keys can be found in time.
A log audit module: the log auditing module is also an important function in the key management system, and the operation of the log auditing module comprises service log auditing and operation log auditing. And an authorized operator can find abnormal safe operation possibly existing in the key management system in time through auditing the log, and perform corresponding safe processing.
A database module: the database submodule provides storage operation of all data in the whole key management system, and the storage operation comprises system master key information, application key information, key service application information, user information, system configuration information and security audit logs. Wherein the key information is securely stored in encrypted form in a key database.
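The per-key MAC check on the key database described above can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256, the record fields, the function names and the sample rows are assumptions, and the wrapped key bytes are constructed stand-ins for ciphertext produced under the master key.

```python
import hashlib
import hmac
import struct

# Constructed MAC key for the demo; in the described system it would be
# protected by the hardware card rather than held in application memory.
MAC_KEY = bytes(range(32))


def encode_fields(fields):
    """Length-prefix each field so ("ab", "c") and ("a", "bc") never collide."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def record_mac(mac_key, key_id, key_type, wrapped_key):
    """MAC over the ciphertext and the metadata that says whose key it is."""
    msg = encode_fields([key_id.encode(), key_type.encode(), wrapped_key])
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def make_record(mac_key, key_id, key_type, wrapped_key):
    """Build one database row with its MAC value."""
    return {
        "key_id": key_id,
        "key_type": key_type,
        "wrapped_key": wrapped_key,
        "mac": record_mac(mac_key, key_id, key_type, wrapped_key),
    }


def verify_record(mac_key, rec):
    """Recompute the MAC from the stored fields and compare in constant time."""
    expected = record_mac(mac_key, rec["key_id"], rec["key_type"], rec["wrapped_key"])
    return hmac.compare_digest(expected, rec["mac"])


def audit_table(mac_key, table):
    """Return the IDs of rows that fail verification (the 'problem keys')."""
    return sorted(r["key_id"] for r in table if not verify_record(mac_key, r))


def demo_audit():
    """Constructed table with two kinds of unauthorized modification."""
    table = [
        make_record(MAC_KEY, f"key-{i:04d}", "symmetric", bytes([i]) * 32)
        for i in range(4)
    ]
    # Modification 1: one bit of a stored ciphertext is changed.
    blob = table[1]["wrapped_key"]
    table[1]["wrapped_key"] = bytes([blob[0] ^ 1]) + blob[1:]
    # Modification 2: a valid ciphertext and its MAC are copied onto another
    # row. Detected only because the MAC also covers the key ID.
    table[2]["wrapped_key"] = table[3]["wrapped_key"]
    table[2]["mac"] = table[3]["mac"]
    return audit_table(MAC_KEY, table)


if __name__ == "__main__":
    print(demo_audit())
```

Covering the key ID and type in the MAC, not only the ciphertext, is what lets the check catch a row whose contents were replaced with another row's valid ciphertext and MAC.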
In the above embodiments of the present invention, the key full-life-cycle management includes:
Initialization: when the key is generated, the key metadata includes only general attributes such as the key ID, the generation time, the key device identifier and the generating device identifier.
Activation: when a user selects a protection-type task (encryption), the system automatically allocates a key in a synchronous state to a user who has no key, and adds the user information, task information, originator validity period, receiver validity period, related algorithm and so on to the key metadata. Once the key reaches this state, its originator validity period starts counting.
Deactivation: when the receiver validity period of the key ends, the key enters this state. A key in this state is no longer available for use by the user.
Revocation: a key management system administrator may revoke keys in response to security events, and keys in this state cannot be called. Through a special procedure, the administrator can re-enable the key within a short time according to the needs of the user.
Archiving: at intervals, the system exports the data of keys in the inactive state, compresses and stores it, and retains only basic information such as the key ID, owner and archive time. Through a special procedure, the administrator can re-enable the key within a short time according to the needs of the user.
Deletion: when the user performs the operation of destroying a key, the key enters this state. A key in this state is not visible to the user, but the system does not perform any operation on the key. The user may retrieve the key through a key management system administrator.
Destruction: after the key has been in the deleted state for N days, the system destroys it, and a destroyed key cannot be retrieved. See the specific configuration.
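The life-cycle states listed above can be enforced as an explicit transition table. This is an added example, not code from the patent: the state names, the actor roles, the exact set of allowed transitions (in particular which states a key may be deleted from, and that retrieval restores the state held before deletion) and all class and function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# (current state, next state) -> role that may trigger it. Assumed mapping.
ALLOWED = {
    ("initialized", "active"): "system",     # key allocated to a user task
    ("active", "deactivated"): "system",     # receiver validity period ended
    ("active", "revoked"): "admin",          # security event
    ("revoked", "active"): "admin",          # re-enabled by special procedure
    ("deactivated", "archived"): "system",   # periodic export of inactive keys
    ("archived", "active"): "admin",         # re-enabled by special procedure
    ("active", "deleted"): "user",           # user requests destruction
    ("deactivated", "deleted"): "user",
    ("deleted", "destroyed"): "system",      # only after N days, see sweep
}


class LifecycleError(Exception):
    """Raised for a transition the life cycle does not permit."""


class ManagedKey:
    def __init__(self, key_id, created_at):
        self.key_id = key_id
        self.state = "initialized"
        self.before_delete = None
        self.deleted_at = None
        self.history = [("initialized", created_at, "system")]  # audit trail

    def transition(self, new_state, actor, now):
        required = ALLOWED.get((self.state, new_state))
        if required is None:
            raise LifecycleError(f"{self.state} -> {new_state} is not allowed")
        if actor != required:
            raise LifecycleError(f"{new_state} requires {required}, got {actor}")
        if new_state == "deleted":
            self.before_delete, self.deleted_at = self.state, now
        self.state = new_state
        self.history.append((new_state, now, actor))

    def retrieve(self, actor, now):
        """Administrator restores a deleted key to its pre-deletion state."""
        if self.state != "deleted" or actor != "admin":
            raise LifecycleError("only an admin can retrieve a deleted key")
        self.state, self.deleted_at = self.before_delete, None
        self.history.append((self.state, now, actor))

    def usable(self):
        """Only active keys may be called for cryptographic operations."""
        return self.state == "active"


def sweep_destroy(keys, now, retention_days):
    """Destroy keys that have been in the deleted state for N days or more."""
    destroyed = []
    for key in keys:
        if key.state == "deleted" and now - key.deleted_at >= timedelta(days=retention_days):
            key.transition("destroyed", "system", now)
            destroyed.append(key.key_id)
    return destroyed


if __name__ == "__main__":
    t0 = datetime(2023, 1, 1)  # constructed timestamps
    k = ManagedKey("key-0001", t0)
    k.transition("active", "system", t0)
    k.transition("deleted", "user", t0 + timedelta(days=1))
    print(sweep_destroy([k], t0 + timedelta(days=8), retention_days=7), k.state)
```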
(1) Key generation: keys are generated in one of two modes, manual or automatic. Manual generation requires selecting the type of key to be used and the number of keys to generate. Automatic generation is divided into threshold generation and timed-trigger generation: threshold generation means the system triggers automatic key generation when it detects that the number of keys in the database standby table is lower than a threshold, and timed-trigger generation means automatic key generation is triggered according to a timer set by the system. Both automatic modes require the related policies to be set, including parameters such as the key number threshold. The ciphertext of each generated key is stored in a local backup database.
(2) Key enabling: a key is enabled after it has been moved from the standby library (which is enough to be specified from production) to the active library and bound with the user request information.
(3) Key loss/compromise handling: when a key has been compromised, secure use of the key is stopped immediately, including functions such as encryption, decryption and signature verification. The system then moves the key from the active key library to the historical key library, marks the key as revoked, and records the revocation reason.
(4) Key query: provides a query function for keys; the parameters include generation time, key type and the like.
When keys in the history library are queried, key attribute keywords can be entered in the system to find a key. The query supports a key recovery request: an expired key that has been re-enabled can provide decryption and signature verification operations for the re-enable duration of historical keys set in the cluster policy, and cannot be used after that duration has expired.
(5) Key backup and recovery: the system can complete the backup and recovery of keys by means of database operations.
(6) Key destruction/deletion: the destruction mode differs according to the type of the key. Before a key is destroyed, the key administrator who initiates the operation must be authenticated again, to ensure that the operation is executed correctly and to prevent illegal operations and misoperations. After confirmation, the key management system requires the service administrator to enter the destruction reason, which is recorded in the audit log. The state of the key data being operated on is first changed to a "pre-destruction" state. In addition, the key management system provides the administrator user with the key data that is in the pre-destruction state, so that a misoperation by the administrator user can be recovered in time. When the pre-destruction state of the key ends, the key management system destroys the ciphertext value of the key and moves the ciphertext value into the historical key library.
(7) Key archiving: key archiving mainly exports and archives the keys in the historical key library that meet the screening condition; the exported keys are transferred to local storage as files. The key archiving attributes include key start and stop time, key archive time, and so on.
In the embodiment of the invention, the key server completes the management of the whole life cycle of the key. Through the load balancing architecture mode, the performance guarantee of stability and high availability under the high concurrency scene is realized.
Accurate positioning of data is achieved through horizontal database partitioning and through the key server's technique for locating the database and table that hold a key. The key management system can support a storage capacity of billions of keys and can meet the growing demand for keys as information security keys come into ever wider use.
The key server main center and sub-centers are deployed separately and physically isolated, which realizes hierarchical management of keys. The key management main center and the sub-centers communicate through a secure channel. Each upper center forms a plurality of security domains, and the security domains are isolated from each other and do not affect each other, which improves the security of the whole key management system.
An embodiment of the present invention further provides a key processing apparatus, including:
the transceiver module is used for receiving a key application request sent by the key service application through the load balancer;
the processing module is used for obtaining a target key from a spare key table of a key database server according to the key application request; transferring the target key to an in-use key table, and binding the target key with the key service application;
the transceiver module is also used for receiving a key query request sent by the key service application through the load balancer; and acquiring the target key from the key table according to the key query request, and sending the target key to the key service application through the load balancer.
Optionally, the key database server includes: at least one spare key table and at least one in-use key table;
wherein the at least one spare key table has spare keys stored therein.
Optionally, the process of storing the spare key in the spare key table includes:
generating a spare key;
calculating a spare key identifier;
calculating the hash value of the spare key identification;
using the hash value to modulo the number of the at least one spare key table to obtain n1;
the spare key is stored in the target spare key table n1.
Optionally, obtaining the target key from the in-use key table according to the key query request includes:
acquiring a key identification to be inquired;
calculating a hash value of the key identifier;
using the hash value to modulo the number of the at least one in-use key table to obtain n2;
the target key is read from the in-use key table n2.
Optionally, the key database server includes: at least one key database, said key database comprising a spare key table and an in-use key table; wherein the spare key table stores spare keys.
Optionally, the process of storing the spare key in the key database includes:
generating a spare key;
calculating a spare key identifier;
calculating the hash value of the spare key identification;
using the hash value to modulo the number of the key database to obtain n3;
the spare key is stored in the target key database n3.
Optionally, obtaining the target key from the in-use key table according to the key query request includes:
acquiring a key identification to be inquired;
calculating a hash value of the key identifier;
using the hash value to modulo the number of the at least one key database to obtain n4;
the target key is read from the in-use key table in the key database n4.
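The hash-modulo routing described above (n1 and n2 for tables, n3 and n4 for databases) follows one pattern, shown here for tables together with the transfer of a spare key to an in-use table and threshold-triggered replenishment. This is an added example, not code from the patent: SHA-256 as the hash, random hex key identifiers, the binding check on query, the lock, and all class and function names are assumptions, and the key bytes are constructed stand-ins for ciphertext from the hardware card.

```python
import hashlib
import secrets
import threading


def shard_index(key_id, shard_count):
    """Hash the key identifier and take it modulo the number of tables."""
    digest = hashlib.sha256(key_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") % shard_count


def generate_spare():
    """Stand-in for the hardware card: returns (key_id, wrapped_key)."""
    return secrets.token_hex(16), secrets.token_bytes(32)


class KeyDatabaseServer:
    def __init__(self, spare_tables=4, in_use_tables=4):
        self.spare = [dict() for _ in range(spare_tables)]
        self.in_use = [dict() for _ in range(in_use_tables)]
        self._lock = threading.Lock()  # keeps spare -> in-use moves atomic

    def store_spare(self, key_id, wrapped_key):
        n1 = shard_index(key_id, len(self.spare))
        self.spare[n1][key_id] = wrapped_key
        return n1

    def spare_count(self):
        return sum(len(t) for t in self.spare)

    def replenish(self, threshold, batch, generate=generate_spare):
        """Threshold generation: top up when the spare pool runs low."""
        made = 0
        with self._lock:
            if self.spare_count() < threshold:
                for _ in range(batch):
                    self.store_spare(*generate())
                    made += 1
        return made

    def apply_key(self, app_id):
        """Take one spare key, move it to its in-use table, bind it to app_id."""
        with self._lock:
            for table in self.spare:
                if table:
                    key_id, wrapped = table.popitem()
                    n2 = shard_index(key_id, len(self.in_use))
                    self.in_use[n2][key_id] = {"wrapped_key": wrapped, "app_id": app_id}
                    return key_id
        raise LookupError("spare key tables are empty")

    def query_key(self, app_id, key_id):
        """Locate the table from the identifier alone, then check the binding."""
        n2 = shard_index(key_id, len(self.in_use))
        rec = self.in_use[n2].get(key_id)
        if rec is None or rec["app_id"] != app_id:
            raise PermissionError("no key with this ID is bound to this application")
        return rec["wrapped_key"]


if __name__ == "__main__":
    db = KeyDatabaseServer()
    db.replenish(threshold=5, batch=8)
    kid = db.apply_key("app-A")
    print(kid, shard_index(kid, 4), len(db.query_key("app-A", kid)))
```

Because the table index depends on the table count, changing the number of tables changes where existing identifiers map, so existing rows must be migrated when the count changes.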
Optionally, the transceiver module is further configured to receive a secure channel establishment request sent by the sub-center key server, where the secure channel establishment request carries: the generated random number RandomA, encrypted by using an encryption public key certificate of the key server, and first signature data obtained by signing RandomA by using a signature private key of the sub-center key server;
the key server decrypts the first signature data by using a private key of the key server, checks the signature of the first signature data by using a public key of the sub-center key server, and sends a secure channel establishment response to the sub-center key server after the signature is checked, wherein the secure channel response carries a random number RandomB generated by the key server;
the key server and the sub-center key server each obtain a session key K as the exclusive OR of RandomA and RandomB;
and the key server and the sub-center key server transmit data based on the session key K.
It should be noted that this apparatus is an apparatus corresponding to the method on the key server side, and all the implementation manners in the above method embodiments are applicable to this embodiment, and the same technical effects can be achieved.
Embodiments of the present invention also provide a computing device, comprising: a processor, a memory and a program or instructions stored on the memory and executable on the processor, which when executed by the processor, implement the steps of the method as described above. The computing device may be the key server described above. In the embodiment of the invention, the sub-center key server and the main center key server are key servers of the same kind, and both can be the key server described above.
Embodiments of the present invention also provide a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the method as described above. All the implementation manners in the above method embodiments are applicable to the embodiment, and the same technical effect can be achieved.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention or a part thereof which substantially contributes to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
Furthermore, it should be noted that in the apparatus and method of the present invention, it is obvious that each component or each step may be decomposed and/or recombined. These decompositions and/or recombinations are to be regarded as equivalents of the present invention. Also, the steps of performing the series of processes described above may naturally be performed chronologically in the order described, but need not necessarily be performed chronologically, and some steps may be performed in parallel or independently of each other. It will be understood by those skilled in the art that all or any of the steps or elements of the method and apparatus of the present invention may be implemented in any computing device (including processors, storage media, etc.) or network of computing devices, in hardware, firmware, software, or any combination thereof, which can be implemented by those skilled in the art using their basic programming skills after reading the description of the present invention.
Thus, the objects of the invention may also be achieved by running a program or a set of programs on any computing device. The computing device may be a general purpose device as is well known. The object of the invention is thus also achieved solely by providing a program product comprising program code for implementing the method or device. That is, such a program product also constitutes the present invention, and a storage medium storing such a program product also constitutes the present invention. It is to be understood that the storage medium may be any known storage medium or any storage medium developed in the future. It is further noted that in the apparatus and method of the present invention, it is apparent that each component or step can be decomposed and/or recombined. These decompositions and/or recombinations are to be regarded as equivalents of the present invention. Also, the steps of executing the series of processes described above may naturally be executed chronologically in the order described, but need not necessarily be executed chronologically. Some steps may be performed in parallel or independently of each other.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A key processing method is applied to a key server, and the method comprises the following steps:
receiving a key application request sent by a key service application through a load balancer;
obtaining a target key from a standby key table of a key database server according to the key application request;
transferring the target key to an in-use key table, and binding the target key with the key service application;
receiving a key query request sent by the key service application through the load balancer;
and acquiring the target key from the key table according to the key query request, and sending the target key to the key service application through the load balancer.
2. The key processing method according to claim 1, wherein the key database server comprises: at least one spare key table and at least one active key table;
wherein the at least one spare key table has spare keys stored therein.
3. The key processing method of claim 2, wherein storing the spare key in a spare key table comprises:
generating a spare key;
calculating a spare key identifier;
calculating the hash value of the spare key identification;
using the hash value to modulo the number of the at least one spare key table to obtain a first value;
the spare key is stored in a target spare key table indexed to a first value.
4. The key processing method of claim 2, wherein obtaining the target key from the in-use key table according to the key lookup request comprises:
acquiring a key identification to be inquired;
calculating a hash value of the key identifier;
using the hash value to perform modulo on the number of the at least one key table in use to obtain a second value;
the target key is read from the in-use key table indexed to a second value.
5. The key processing method according to claim 2, wherein the key database server comprises: at least one key database, said key database comprising a spare key table and a working key table; wherein, the spare key table stores spare keys.
6. The key processing method of claim 2, wherein the storing of the spare key in the key database comprises:
generating a spare key;
calculating a spare key identifier;
calculating the hash value of the spare key identification;
using the hash value to modulo the number of the key database to obtain a third value;
and storing the spare key into a target key database with the index as a third value.
7. The key processing method of claim 5, wherein obtaining the target key from the in-use key table according to the key lookup request comprises:
acquiring a key identification to be inquired;
calculating a hash value of the key identifier;
using the hash value to modulo the number of the at least one key database to obtain a fourth value;
the target key is read from an active key table in a key database indexed to a fourth value.
8. The key processing method according to claim 1, further comprising:
receiving a secure channel establishment request sent by a sub-center key server, wherein the secure channel establishment request carries: encrypting the generated first random number by using an encryption public key certificate of the key server, and signing the first random number by using a signature private key of the sub-center key server to obtain first signature data;
the key server decrypts the first signature data by using a private key of the key server, checks the signature of the first signature data by using a public key of the sub-center key server, and sends a secure channel establishment response to the sub-center key server after the signature is checked, wherein the secure channel response carries a second random number generated by the key server;
the key server and the sub-center key server respectively obtain a session key according to the XOR of a first random number and a second random number;
and the key server and the sub-center key server transmit data based on the session key.
9. A key processing apparatus, comprising:
the receiving and sending module is used for receiving a key application request sent by the key service application through the load balancer;
the processing module is used for obtaining a target key from a standby key table of a key database server according to the key application request; transferring the target key to an in-use key table, and binding the target key with the key service application;
the receiving and sending module is also used for receiving a key inquiry request sent by the key service application through the load balancer; and acquiring the target key from the key table according to the key query request, and sending the target key to the key service application through the load balancer.
10. A computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the method of any one of claims 1 to 8.
CN202211381898.2A 2022-11-07 2022-11-07 Key processing method and device Active CN115664662B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211381898.2A CN115664662B (en) 2022-11-07 2022-11-07 Key processing method and device

Publications (2)

Publication Number Publication Date
CN115664662A true CN115664662A (en) 2023-01-31
CN115664662B CN115664662B (en) 2023-06-02

Family

ID=85015273

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211381898.2A Active CN115664662B (en) 2022-11-07 2022-11-07 Key processing method and device

Country Status (1)

Country Link
CN (1) CN115664662B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 100000 901, Floor 9, Building 7, Yard 8, Auto Museum East Road, Fengtai District, Beijing

Patentee after: BEIJING SHUDUN INFORMATION TECHNOLOGY CO.,LTD.

Address before: 100094 room 101-502, 5th floor, building 10, yard 3, fengxiu Middle Road, Haidian District, Beijing

Patentee before: BEIJING SHUDUN INFORMATION TECHNOLOGY CO.,LTD.