CN116015637A - Network key management method, system and computer readable storage medium - Google Patents

Info

Publication number
CN116015637A
Authority
CN
China
Prior art keywords
encryption
network
key
module
sample
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number
CN202211611709.6A
Other languages
Chinese (zh)
Inventor
袁莹
Current Assignee (as listed by Google Patents; may be inaccurate)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202211611709.6A
Publication of CN116015637A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The application provides a network key management method, a system and a computer readable storage medium, and relates to the technical field of network security. The method is applied to any network node in the network; the method comprises the following steps: after receiving the key generation instruction, generating an encryption key according to the encryption configuration information through an encryption module; encrypting the sample data by using an encryption key to obtain an encrypted sample; judging whether the decryption module successfully decrypts the encrypted sample; if the decryption module fails to decrypt the encrypted sample, the encryption key is distributed to other network nodes in the network, so that when any network node equipment is attacked, the other network nodes can generate keys to update the keys in the network segment, and the network security is improved; in addition, the decryption module is used for carrying out trial decryption on the generated key in advance, and the key is distributed to other network nodes under the condition that the decryption module fails, so that the security of the key is further improved.

Description

Network key management method, system and computer readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a network key management method, system, and computer readable storage medium.
Background
In existing encrypted-network schemes, a central server or master node generates the key required for encryption and decryption and then sends that key to the other network nodes.
However, in this mode, if the central server or master node is attacked, the key of the entire encrypted network can no longer be updated normally, so network security is low.
Disclosure of Invention
An object of the embodiments of the present application is to provide a network key management method, system and computer readable storage medium, which are used for solving the problem of low network security caused by the fact that a central server or a master node is adopted to generate an encryption and decryption key in the traditional encryption mode at present.
In a first aspect, the present invention provides a network key management method adapted for use in a network comprising a plurality of network nodes; each network node of the plurality of network nodes is provided with an encryption module and a decryption module, the plurality of network nodes are in communication connection, and the method is applied to any network node; the method comprises the following steps: after receiving a key generation instruction, acquiring encryption configuration information and sample data; generating an encryption key according to the encryption configuration information through an encryption module; encrypting the sample data by using an encryption key to obtain an encrypted sample; judging whether the decryption module successfully decrypts the encrypted sample; and if the decryption module fails to decrypt the encrypted sample, distributing the encryption key to other network nodes in the network.
With this network key management method, the network node in the network segment that receives the key instruction generates an encryption key from the encryption configuration information using its configured encryption module, encrypts the sample data with that key to obtain an encrypted sample, tries to decrypt the encrypted sample with its configured decryption module, and distributes the generated key to the other network nodes only if the decryption module fails to decrypt the sample. Because every network node is configured with an encryption module and a decryption module, every node is able to generate a key, and whenever a key is generated or updated the work is done by whichever node in the segment received the key instruction rather than by a fixed network device; if any one node is attacked, the other nodes can still generate a key and update the key in the segment, which improves network security. In addition, each node performs a trial decryption of the generated key in advance with its own decryption module and distributes the key only when that decryption fails, which further improves the security of the key.
In an optional implementation manner of the first aspect, after judging whether the decryption module successfully decrypts the encrypted sample, the method further includes: if the decryption module is judged to have successfully decrypted the encrypted sample, changing the encryption configuration information; generating an encryption change key from the changed encryption configuration information through the encryption module; encrypting the sample data with the encryption change key to obtain an encryption change sample; judging whether the decryption module successfully decrypts the encryption change sample; and if it does, returning to the step of changing the encryption configuration information, repeating until the decryption module fails to decrypt the encryption change sample, and then distributing the encryption change key for which decryption failed to the other network nodes in the network. In this scheme, when the decryption module can decrypt what was encrypted with the generated key, the encryption configuration information is changed and a new key is derived from it, the sample data is encrypted under the new key to obtain an encryption change sample, and the decryption module is tried again; the key is distributed only when decryption fails, and the configuration keeps being changed for as long as decryption keeps succeeding. This ensures that a key generated and distributed by a network node cannot simply be recovered by a general-purpose decryption algorithm, improving the security of the key in the network.
In an optional implementation manner of the first aspect, after the decryption module successfully decrypts the encrypted sample, the method further includes: setting a mark on the encryption configuration information and the encryption key corresponding to that successful decryption. Because marked encryption configuration information and encryption keys are not adopted again when generating encryption keys, this avoids the wasted effort of repeatedly trying configuration information and keys that the decryption module has already shown it can recover.
In an optional implementation manner of the first aspect, the encryption configuration information includes geographic coordinate information and various network transmission data with different weights; generating, by the encryption module, an encryption key according to the encryption configuration information, including: and generating an encryption key by an encryption module through a target encryption algorithm according to the geographic coordinate information and various network transmission data with different weights.
In an optional implementation manner of the first aspect, the geographic coordinate information is any one of: the node's own current geographic coordinates, the current geographic coordinates of any one network node in the network, or the current geographic coordinates of all network nodes in the network.
In an alternative implementation of the first aspect, wherein the plurality of network nodes form a blockchain; distributing the encryption key to other network nodes in the network, comprising: the encryption key is broadcast into the blockchain for distribution through the blockchain to other network nodes in the network.
In an optional implementation manner of the first aspect, after distributing the encryption key to the other network nodes in the network, the method further comprises: randomly determining a target network node among the other network nodes in the network, and sending a key generation instruction to the target network node, so that the target network node generates an updated key in the next key update period according to that instruction. In this embodiment the node that generated the last encryption key randomly determines the node that generates the next one, so the choice of generating node is more random; this avoids the loss of security that would follow if the generating node could be predicted from some fixed rule, and further improves the security of network communication.
In a second aspect, the present invention provides a network key management system for managing a network comprising a plurality of communicatively connected network nodes. The network key management system comprises an encryption module and a decryption module, one of each configured in every network node. The encryption module in each network node is configured to acquire encryption configuration information and sample data after receiving a key generation instruction, generate an encryption key according to the encryption configuration information, encrypt the sample data with the encryption key to obtain an encrypted sample, and pass the encrypted sample to the decryption module in the same network node; the decryption module is configured to attempt to decrypt the encrypted sample; and the network node judges whether the decryption module succeeded and, if the decryption module fails to decrypt the encrypted sample, distributes the encryption key to the other network nodes in the network.
With this network key management system, the network node in the network segment that receives the key instruction generates an encryption key from the encryption configuration information using its configured encryption module, encrypts the sample data with that key to obtain an encrypted sample, tries to decrypt the encrypted sample with its configured decryption module, and distributes the generated key to the other network nodes only if the decryption module fails to decrypt the sample. Because every network node is configured with an encryption module and a decryption module, every node is able to generate a key, and whenever a key is generated or updated the work is done by whichever node in the segment received the key instruction rather than by a fixed network device; if any one node is attacked, the other nodes can still generate a key and update the key in the segment, which improves network security. In addition, each node performs a trial decryption of the generated key in advance with its own decryption module and distributes the key only when that decryption fails, which further improves the security of the key.
In an optional embodiment of the second aspect, the plurality of network nodes form a blockchain, and the system further includes a newly added network node, i.e. a node newly joining the blockchain or a node recovering from a broken network connection. The newly added network node sends a target block synchronization request to the other network nodes in the blockchain to synchronize a target block, where the target block comprises the encryption mode used by the network nodes in the blockchain, the encryption configuration information marked as no longer to be adopted, and the encryption key.
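Distribution over the blockchain (above), the random hand-off of the next key generation instruction (earlier in this section), and target block synchronization by a newly added or reconnected node, as an added Python example that is not code from the patent or from Topsec. It assumes what the text leaves open: each block commits only a SHA-256 fingerprint of the key together with the encryption mode and the retired (marked) configurations, the key bytes are delivered to each node separately and checked against that fingerprint on receipt, and the next generator is chosen only among the nodes that actually received the key, so an attacked or unreachable node cannot stall the rotation. The key update period (a timer) is omitted; node names, configurations and keys are constructed for the example.

```python
import hashlib
import json
import secrets
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class KeyBlock:
    """One block of the key-management chain.  Assumption: the page says the key is
    broadcast into the blockchain but not how it is protected, so the block commits
    only a SHA-256 fingerprint of the key; the key bytes reach each node separately."""
    index: int
    prev_hash: str
    generator: str          # node that ran the trial decryption and distributed the key
    mode: str               # encryption mode in use
    retired_configs: tuple  # canonical JSON of configurations marked as not to be reused
    key_fingerprint: str

    def hash(self) -> str:
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()


GENESIS = KeyBlock(0, "0" * 64, "", "", (), "")


def fingerprint(key: bytes) -> str:
    return hashlib.sha256(b"netkey-fp|" + key).hexdigest()


def verify_chain(chain) -> bool:
    """Genesis first, then each block links to its predecessor's hash with consecutive indices."""
    if not chain or chain[0] != GENESIS:
        return False
    return all(b.index == i and b.prev_hash == chain[i - 1].hash() for i, b in enumerate(chain) if i)


class Node:
    def __init__(self, name: str):
        self.name, self.chain, self.key, self.online = name, [GENESIS], None, True

    def tip(self) -> KeyBlock:
        return self.chain[-1]

    def accept(self, block: KeyBlock, key: bytes) -> bool:
        """Receive a distributed key: accept only if the block extends our tip and the key
        matches the committed fingerprint.  An offline (attacked or cut off) node gets nothing."""
        if not self.online or block.index != self.tip().index + 1:
            return False
        if block.prev_hash != self.tip().hash() or fingerprint(key) != block.key_fingerprint:
            return False
        self.chain.append(block)
        self.key = key
        return True

    def sync(self, peers) -> bool:
        """Target block synchronization for a newly added or reconnected node: adopt the
        longest chain that verifies, together with the key its holder presents for the tip."""
        best = None
        for p in peers:
            if p is self or not p.online or p.key is None or len(p.chain) <= len(self.chain):
                continue
            if verify_chain(p.chain) and fingerprint(p.key) == p.tip().key_fingerprint:
                if best is None or len(p.chain) > len(best.chain):
                    best = p
        if best is None:
            return False
        self.chain, self.key = list(best.chain), best.key
        return True


class Network:
    def __init__(self, names):
        self.nodes = {n: Node(n) for n in names}

    def distribute(self, generator: str, key: bytes, mode: str, retired, rng=secrets):
        """Step S140 with the blockchain broadcast and the random hand-off: the generating
        node appends a block, broadcasts it with the key, then picks the next generator at
        random among the other nodes that actually received the key (assumption: unreachable
        nodes are excluded, so an attacked node can never stall the rotation)."""
        g = self.nodes[generator]
        block = KeyBlock(g.tip().index + 1, g.tip().hash(), generator, mode,
                         tuple(json.dumps(c, sort_keys=True) for c in retired), fingerprint(key))
        delivered = [n.name for n in self.nodes.values() if n.accept(block, key)]
        others = [n for n in delivered if n != generator]
        return block, delivered, (rng.choice(others) if others else None)
```

A node whose chain does not end at the block's predecessor, or which is handed key bytes that do not match the committed fingerprint, rejects the distribution; a node that was offline during a round catches up with sync(), which is the target block synchronization of the text, and only then becomes eligible to be chosen as the next generator.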
In a third aspect, the present application provides a network key management apparatus for a network comprising a plurality of network nodes; each network node of the plurality of network nodes is provided with an encryption module and a decryption module, the plurality of network nodes are in communication connection, and the device is arranged at any network node; the device comprises: the acquisition module is used for acquiring the encryption configuration information and the sample data after receiving the key generation instruction; the generation encryption module is used for generating an encryption key according to the encryption configuration information through the encryption module, and encrypting the sample data by utilizing the encryption key to obtain an encrypted sample; the judging module is used for judging whether the decryption module successfully decrypts the encrypted sample; and the distribution module is used for distributing the encryption key to other network nodes in the network after the judgment module judges that the decryption module fails to decrypt the encryption sample.
With this network key management device, the network node in the network segment that receives the key instruction generates an encryption key from the encryption configuration information using its configured encryption module, encrypts the sample data with that key to obtain an encrypted sample, tries to decrypt the encrypted sample with its configured decryption module, and distributes the generated key to the other network nodes only if the decryption module fails to decrypt the sample. Because every network node is configured with an encryption module and a decryption module, every node is able to generate a key, and whenever a key is generated or updated the work is done by whichever node in the segment received the key instruction rather than by a fixed network device; if any one node is attacked, the other nodes can still generate a key and update the key in the segment, which improves network security. In addition, each node performs a trial decryption of the generated key in advance with its own decryption module and distributes the key only when that decryption fails, which further improves the security of the key.
In an optional implementation manner of the third aspect, the apparatus further includes a modification module configured to change the encryption configuration information after the judging module determines that the decryption module successfully decrypted the encrypted sample; the generation encryption module is further configured to generate an encryption change key from the changed encryption configuration information through the encryption module and to encrypt the sample data with the encryption change key to obtain an encryption change sample; the judging module is further configured to judge whether the decryption module successfully decrypts the encryption change sample; and the distribution module is further configured to distribute, once the decryption module fails to decrypt an encryption change sample, the encryption change key for which that decryption failed to the other network nodes in the network.
In an optional embodiment of the third aspect, the apparatus further comprises a marking module for setting marks on the encryption configuration information and encryption keys corresponding to successful decryption.
In a fourth aspect, the present application provides an electronic device comprising a memory storing a computer program and a processor that when executing the computer program performs the method of any of the alternative implementations of the first aspect.
In a fifth aspect, the present application provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the method of any of the alternative implementations of the first aspect.
In a sixth aspect, the present application provides a computer program product which, when run on a computer, causes the computer to perform the method of any one of the alternative implementations of the first aspect.
The foregoing description is only an overview of the technical solutions of the present application, and may be implemented according to the content of the specification in order to make the technical means of the present application more clearly understood, and in order to make the above-mentioned and other objects, features and advantages of the present application more clearly understood, the following detailed description of the present application will be given.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a network key management method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a network key management system according to an embodiment of the present application;
fig. 3 is a second flow chart of a network key management method according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a network key management device according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Icon: 10-network node; 110-a router; 120-switches; 130-a repeater; 140-a server; 150-a computer; a 20-encryption module; 30-a decryption module; 400-an acquisition module; 410-generating an encryption module; 420-judging module; 430-a distribution module; 440-change module; 450-execution module; 460-a marking module; 5-an electronic device; 501-a processor; 502-memory; 503-communication bus.
Detailed Description
Embodiments of the technical solutions of the present application will be described in detail below with reference to the accompanying drawings. The following examples are only for more clearly illustrating the technical solutions of the present application, and thus are only examples, and are not intended to limit the scope of protection of the present application.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "comprising" and "having" and any variations thereof in the description and claims of the present application and in the description of the figures above are intended to cover non-exclusive inclusions.
In the description of the embodiments of the present application, the technical terms "first," "second," etc. are used merely to distinguish between different objects and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated, a particular order or a primary or secondary relationship. In the description of the embodiments of the present application, the meaning of "plurality" is two or more unless explicitly defined otherwise.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the present application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
In the description of the embodiments of the present application, the term "and/or" is merely an association relationship describing an association object, which means that three relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
In the description of the embodiments of the present application, the term "plurality" refers to two or more (including two), and similarly, "plural sets" refers to two or more (including two), and "plural sheets" refers to two or more (including two).
With the development of internet technology, network data transmission has become more and more convenient, and intelligent terminal hardware depends to some extent on gateway nodes and relays of many kinds. This brings many potential safety hazards: if someone maliciously intercepts and replicates the traffic of a gateway or relay, the access traffic of the intelligent terminal devices in that network segment is exposed, which is a serious threat to the security and privacy of collective and personal data. Encrypted-network technology has therefore developed rapidly.
In the current encryption network technical scheme, a common encryption mode is that a central server or a main network node generates a key required by encryption and decryption, and then the key is sent to other network nodes in a network segment.
The inventor found that in the traditional encrypted-network scheme, once the central server or master network node is attacked, the key of the entire encrypted network may be exposed and can no longer be updated, which affects network security and results in low network security.
Based on the above problems, the inventors devised a network key management method, system and computer readable storage medium. By configuring every network node in a network with an encryption module and a decryption module, every node is able to generate a key, and whenever a key is generated or updated it is generated by whichever node in the segment received the key instruction rather than by a fixed network device; if any one node is attacked, the other nodes can still generate a key and update the key in the segment, improving network security. In addition, each node performs a trial decryption of the generated key in advance with its own decryption module and distributes the key to the other nodes only when that decryption fails, further improving the security of the key.
Based on the above-mentioned idea, the present application provides a network key management method, which is applicable to a network including a plurality of network nodes, where the plurality of network nodes are communicatively connected, and the method is applicable to any network node, as shown in fig. 1, and the method may be implemented by:
Step S100: and after receiving the key generation instruction, acquiring the encryption configuration information and the sample data.
Step S110: and generating an encryption key according to the encryption configuration information through an encryption module.
Step S120: and encrypting the sample data by using the encryption key to obtain an encrypted sample.
Step S130: judging whether the decryption module decrypts the encrypted sample successfully or not, and if the decryption fails, going to step S140.
Step S140: the encryption key is distributed to other network nodes in the network.
In the above embodiment, the network including a plurality of network nodes may be the one in the network key management system shown in fig. 2: a plurality of network nodes 10 connected by various communication links, where the network nodes 10 include, but are not limited to, the router 110, switch 120, repeater 130, server 140, computer 150 and fax machine 160 shown in the figure.
The network key management system further comprises encryption modules 20 and decryption modules 30, one of each configured in every network node 10. Specifically, the encryption module 20 and decryption module 30 can be programmed into each network node 10 as firmware, and the parameters they require can be configured once the network nodes 10 are connected.
In this network key management method, data passing through the network is encrypted with the key to achieve encrypted communication. Each network node has an encryption module and a decryption module, i.e. every node is able to generate a key, but each key generation is performed by the node that receives the key generation instruction; which node receives the instruction can be decided by the user, for example by random assignment.
In step S100, the encryption configuration information and the sample data may be configured into each network node in advance, and the encryption configuration information and the sample data configured by different network nodes may be different.
In particular, as one possible implementation, the sample data may be a sample file, sample message information, or other form of data during network transmission.
The encryption configuration information may include geographic coordinate information and various kinds of network transmission data with different weights. The geographic coordinate information may be the current geographic coordinates of the network node itself, the current geographic coordinates of any one network node in the network, or the current geographic coordinates of all network nodes in the network. The network transmission data with different weights may be common categories of traffic statistics, each assigned a weight, for example: social-software data at 10%, the number of file-transfer types at 20%, the number of audio/video stream types at 50%, and web-browser access data at 20%.
It should be noted that, the above-mentioned geographic coordinate information may be different geographic coordinate information according to the actual application scenario, and is not limited to the specific geographic coordinate information described above; in addition, the above-mentioned various network transmission data with different weights are only a specific example, and the specific network transmission data and the weight of each network transmission data may be adaptively adjusted according to the actual situation.
After the encryption configuration information and the sample data have been obtained as above, the configured encryption module generates an encryption key from the encryption configuration information. Specifically, where the configuration information comprises geographic coordinate information and weighted network transmission data, the encryption module can apply a target encryption algorithm to the geographic coordinate information and the weighted network transmission data to produce the encryption key. For example, the node's own current geographic coordinates can be combined with the traffic statistics weighted as above (social-software data 10%, file-transfer types 20%, audio/video stream types 50%, web-browser access data 20%) and fed into the target encryption algorithm to generate the encryption key. The target encryption algorithm may be a common encryption and decryption algorithm such as DES or AES; note that DES, with its 56-bit key, is no longer considered adequate, so AES is the practical choice for a new deployment.
Once the encryption key has been generated, the node encrypts the sample data with it to obtain an encrypted sample, then passes the encrypted sample to its configured decryption module, which attempts to decrypt it. The decryption module can be pre-loaded with a set of general decryption algorithms before deployment so that it has a baseline decryption capability.
Based on the above, the network node that receives the key generation instruction may determine whether the decryption module successfully decrypts the encrypted sample. As a specific implementation manner, the scheme can judge whether the data obtained after the decryption module decrypts the encrypted sample is the same as the sample data, so as to judge whether the decryption module is successful in decryption.
If the data obtained after the decryption module decrypts the encrypted sample differs from the sample data, the decryption module is determined to have failed to decrypt the encrypted sample. This indicates that the generated key has a certain resistance to decryption, since the decryption module configured in the network node cannot easily decrypt the encrypted sample. On that basis, the network node distributes the encryption key to the other network nodes in the network, so that the network nodes can encrypt communication data based on that encryption key.
According to the network key management method, the network node in the network segment that receives the key instruction generates the encryption key from the encryption configuration information using its configured encryption module, encrypts the sample data with that key to obtain an encrypted sample, decrypts the encrypted sample with its configured decryption module, and distributes the generated encryption key to the other network nodes only if the decryption module fails to decrypt the encrypted sample. Because every network node in the network is configured with an encryption module and a decryption module, every node is capable of generating keys, and key generation or key update is performed by whichever node in the segment receives the key instruction rather than by a fixed network device. Therefore, when any network node device is attacked, the other network nodes can still generate keys to update the key in the network segment, which improves network security. In addition, each network node device performs trial decryption on the generated key in advance through its own decryption module and distributes the key to the other network nodes only when that decryption fails, which further improves the security of the key.
In an optional implementation manner of this embodiment, after executing step S130 to determine whether the decryption module successfully decrypts the encrypted sample, if the decryption module successfully decrypts the encrypted sample, for example, in a case where the data obtained after decryption described above is the same as the sample data, as shown in fig. 3, the present scheme may further generate the encryption key by the following manner, including:
Step S300: changing the encryption configuration information.
Step S310: generating an encryption changing key according to the changed encryption configuration information through the encryption module.
Step S320: encrypting the sample data with the encryption changing key to obtain an encryption changing sample.
Step S330: judging whether the decryption module successfully decrypts the encryption changing sample; if decryption fails, proceed to step S340; if decryption succeeds, return to step S300.
Step S340: distributing the encryption changing key corresponding to the decryption failure to the other network nodes in the network.
In the above embodiment, when the decryption module successfully decrypts the encrypted sample, the network node changes the encryption configuration information. For example, the scheme may change the geographic coordinate information in the encryption configuration information, change the various network transmission data with different weights, change both the geographic coordinate information and the various network transmission data, change the weights of the various network transmission data, and so on. As a specific example, the encryption key is generated by performing the target encryption algorithm on the current geographic coordinates of the network node together with data proportions of 10% for social software, 20% for file transmission types, 50% for audio and video stream types and 20% for web browser access. The encryption configuration information can then be changed to the current geographic coordinates of all network nodes in the network together with the same proportions (10% social software, 20% file transmission types, 50% audio and video stream types, 20% web browser access), so that the encryption module generates an encryption changing key by performing the target algorithm on the changed encryption configuration information. To further improve key security, the network node may store a plurality of sample data items, and the sample data may be changed together with the encryption configuration information.
On the basis of generating the encryption changing key, the scheme continues by encrypting the sample data with the encryption changing key to obtain an encryption changing sample, decrypting the encryption changing sample with the decryption module, and judging whether the decryption module succeeds. If decryption fails, the encryption changing key is considered secure enough and is distributed to the other network nodes; if the decryption module succeeds, the encryption configuration information is changed again, and this repeats until the decryption module fails to decrypt the encryption changing sample.
In this embodiment, when the decryption module successfully decrypts the sample encrypted with the encryption key, the encryption configuration information is changed, an encryption changing key is regenerated from the changed encryption configuration information, the sample data is encrypted with the encryption changing key to obtain an encryption changing sample, and the encryption changing sample is decrypted by the decryption module. The encryption changing key is distributed to the other network nodes if that decryption fails, and the encryption configuration information is changed again if it succeeds, until the decryption module fails to decrypt the encryption changing sample. This ensures that samples encrypted with the key generated and distributed by the network node cannot be decrypted simply by a general decryption algorithm, which improves the security of the encryption key in the network.
In an optional implementation manner of this embodiment, after the decryption module successfully decrypts the encrypted sample, the present solution may set a mark on the encryption configuration information and the encryption key corresponding to that successful decryption, so that the marked encryption configuration information and encryption key are no longer used when subsequently generating encryption keys. This avoids the waste of resources that would result from repeatedly using encryption configuration information and encryption keys that the decryption module can decrypt.
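The generate, encrypt, trial-decrypt and distribute loop of steps S100 to S140 and S300 to S340, together with the marking of decryptable configurations, as an added worked example that is not code from the patent or its applicant. It assumes a constructed SHA-256 key derivation and a keystream-XOR toy cipher in place of the DES/AES target algorithm, a decryption module modelled as a fixed list of general candidate keys, and constructed coordinates and traffic counts.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Traffic-type weights quoted in the description (10% / 20% / 50% / 20%).
DEFAULT_WEIGHTS = (("av_stream", 0.50), ("file", 0.20), ("social", 0.10), ("web", 0.20))


@dataclass(frozen=True)
class EncryptionConfig:
    """Encryption configuration information: coordinates plus weighted transmission data."""
    coordinates: tuple   # one or more (lat, lon) pairs
    traffic: tuple       # ((traffic type, observed count), ...) collected on the node
    weights: tuple = DEFAULT_WEIGHTS

    def fingerprint(self) -> str:
        """Stable identifier used to mark a configuration that must not be reused."""
        blob = json.dumps([self.coordinates, self.traffic, self.weights])
        return hashlib.sha256(blob.encode()).hexdigest()


def derive_key(cfg: EncryptionConfig) -> bytes:
    """Encryption module (constructed KDF): 32-byte key from coordinates and weighted traffic."""
    weight_of = dict(cfg.weights)
    weighted = [(kind, round(count * weight_of[kind], 3)) for kind, count in cfg.traffic]
    material = json.dumps([cfg.coordinates, weighted]).encode()
    return hashlib.sha256(b"key-material|" + material).digest()


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Keystream-XOR stand-in for DES/AES; the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def decryption_module(candidate_keys, encrypted_sample: bytes) -> list:
    """Pre-configured 'general' decryptor: returns one plaintext guess per candidate key."""
    return [toy_cipher(k, encrypted_sample) for k in candidate_keys]


def change_config(cfg: EncryptionConfig, attempt: int, all_coords: tuple) -> EncryptionConfig:
    """S300: first widen the coordinates to all nodes, afterwards rotate the traffic weights."""
    if attempt == 0:
        return EncryptionConfig(tuple(all_coords), cfg.traffic, cfg.weights)
    kinds = [k for k, _ in cfg.weights]
    values = [v for _, v in cfg.weights]
    return EncryptionConfig(cfg.coordinates, cfg.traffic, tuple(zip(kinds, values[1:] + values[:1])))


def generate_distributable_key(local_coords, all_coords, traffic, sample, candidate_keys,
                               flagged, max_rounds=8):
    """Steps S110-S140 plus the S300-S340 retry loop; returns (key, config, rounds used)."""
    cfg = EncryptionConfig((local_coords,), tuple(traffic))
    for attempt in range(max_rounds):
        if cfg.fingerprint() not in flagged:          # marked configurations are skipped
            key = derive_key(cfg)                     # S110 / S310
            encrypted_sample = toy_cipher(key, sample)  # S120 / S320
            guesses = decryption_module(candidate_keys, encrypted_sample)  # S130 / S330
            if not any(hmac.compare_digest(g, sample) for g in guesses):
                return key, cfg, attempt + 1          # S140 / S340: safe to distribute
            flagged.add(cfg.fingerprint())            # mark config and key as decryptable
        cfg = change_config(cfg, attempt, all_coords)  # S300
    raise RuntimeError("no configuration survived trial decryption")


# Constructed inputs for a stand-alone run (not values from the patent).
LOCAL = (39.90, 116.40)
ALL_NODES = ((39.90, 116.40), (31.23, 121.47), (22.54, 114.06))
TRAFFIC = (("social", 120), ("file", 40), ("av_stream", 15), ("web", 300))
SAMPLE = b"sample data held by the node for trial decryption"
# Assumed decryptor knowledge: keys from single-node configurations and an all-zero key.
KNOWN_KEYS = [derive_key(EncryptionConfig((LOCAL,), TRAFFIC)), bytes(32)]


def run_demo():
    """Runs one generation on the constructed inputs; returns (key, config, rounds, flagged)."""
    flagged = set()
    key, cfg, rounds = generate_distributable_key(LOCAL, ALL_NODES, TRAFFIC, SAMPLE,
                                                  KNOWN_KEYS, flagged)
    return key, cfg, rounds, flagged
```

The check is only as strong as the candidate set the decryption module carries: a key that survives it has resisted those particular general algorithms and nothing more, which is why the marked configurations are never reused.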
In an alternative implementation manner of this embodiment, the network node that receives the key generation instruction described above may be determined by random assignment by a user. As another possible implementation manner, in an initial stage the network node that first receives the key generation instruction is determined by assignment by a user, and in each subsequent key generation or update the network node that generates the next key is determined by the network node that generated the current encryption key. That is, after distributing the encryption key to the other network nodes in the network, the network node randomly determines a target network node among the other network nodes and sends a key generation instruction to it, so that the target network node generates an updated key within the key update period according to that instruction. The target network node can be determined in various ways, for example by a random algorithm or by nearest distance.
In addition, the key update period of the present solution may be configured in advance in each network node. For example, if the key update period is 12 hours, the key in the network needs to be updated every 12 hours. Specifically, the network node starts timing after distributing the encryption key to the other network nodes; the target network node must generate the update key within those 12 hours and distributes the update key to the other network nodes once 12 hours have elapsed since timing started.
It should be noted that when the target network node completes generation of the update key within the 12 hours, it may temporarily store the update key and distribute it to the other network nodes only after the timer reaches 12 hours. If the target network node has still not issued the update key after more than 12 hours, an alarm is generated.
In this embodiment, the next network node to generate the updated key is randomly determined by the last network node that generated the encryption key, so that the choice of generating node is more random. This avoids the reduced security that would result if the generating node followed a fixed rule, and further improves the security of network communication.
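The key update period, the temporary holding of an early update key, the alarm on an overdue key, and the random hand-off to the next generating node, as an added example that is not code from the patent or its applicant. It assumes an injected clock measured in hours, the 12-hour period quoted in the text, and constructed node identifiers.

```python
import random
from dataclasses import dataclass
from typing import Optional

UPDATE_PERIOD_HOURS = 12.0   # key update period configured on every node; 12 h is the text's example


@dataclass
class UpdateCycle:
    """State of one key update period on the node chosen to generate the next key."""
    started_at: float                    # clock value (hours) when the previous key was distributed
    pending_key: Optional[bytes] = None  # update key generated early and held back
    distributed: bool = False
    alarmed: bool = False

    def store_update_key(self, key: bytes) -> None:
        """The target node finished generating early: keep the key, do not send it yet."""
        self.pending_key = key

    def tick(self, now: float) -> str:
        """Action to take at clock value `now`: 'hold', 'distribute', 'alarm' or 'idle'."""
        if now - self.started_at < UPDATE_PERIOD_HOURS:
            return "hold"                       # still inside the period
        if self.pending_key is not None and not self.distributed:
            self.distributed = True
            return "distribute"                 # period elapsed and a key is ready
        if self.pending_key is None and not self.alarmed:
            self.alarmed = True
            return "alarm"                      # period exceeded with no update key issued
        return "idle"


def pick_next_generator(self_id: str, node_ids, rng=None) -> str:
    """After distributing, the generating node randomly names a different node to generate next."""
    rng = rng or random
    candidates = [n for n in node_ids if n != self_id]
    return rng.choice(candidates)
```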
In an alternative implementation manner of this embodiment, the network node may distribute the encryption key to the other network nodes by means of messages or other network data transmission mechanisms; the specific manner may be adapted to the actual application scenario.
As yet another possible implementation manner, a plurality of network nodes in the network designed by the scheme may form a blockchain, the blockchain may be written into each network node in advance in a firmware manner, and on the basis of this, the network node generating the encryption key may broadcast the generated encryption key into the blockchain, so as to be distributed to other network nodes in the network through a blockchain consensus mechanism.
In an optional implementation manner of this embodiment, where a plurality of network nodes form a blockchain, a newly added network node, that is, a network node newly joining the blockchain or a network node recovering from a network outage, may send a target block synchronization request to the other network nodes in the blockchain in order to synchronize a target block. The target block includes information such as the encryption manner used by the network nodes in the blockchain, the marked encryption configuration information, the encryption key, and so on.
In an optional implementation manner of this embodiment, the scheme may further determine whether the newly added network node is a trusted device, for example, determine whether the newly added network node is a device of a preset model or a preset manufacturer, and if the newly added network node is a device of a preset model or a preset manufacturer, determine that the newly added network node is a trusted device, so as to allow the newly added network node to join the blockchain; if it is an untrusted device, it is denied entry into the blockchain.
Fig. 4 shows a schematic block diagram of a network key management device provided in the present application. It should be understood that the device corresponds to the method embodiments of figs. 1-3 and is capable of performing the steps of the foregoing method; its specific functions can be found in the foregoing description, and detailed descriptions are omitted here where appropriate to avoid redundancy. The device includes at least one software functional module that may be stored in memory in the form of software or firmware, or built into the Operating System (OS) of the device. Specifically, the device comprises: an obtaining module 400, configured to obtain the encryption configuration information and the sample data after receiving the key generation instruction; a generating encryption module 410, configured to generate an encryption key from the encryption configuration information through the encryption module and to encrypt the sample data with the encryption key to obtain an encrypted sample; a judging module 420, configured to judge whether the decryption module successfully decrypts the encrypted sample; and a distributing module 430, configured to distribute the encryption key to the other network nodes in the network after the judging module 420 judges that the decryption module failed to decrypt the encrypted sample.
According to the network key management device, the network node in the network segment that receives the key instruction generates the encryption key from the encryption configuration information using its configured encryption module, encrypts the sample data with that key to obtain an encrypted sample, decrypts the encrypted sample with its configured decryption module, and distributes the generated encryption key to the other network nodes only if the decryption module fails to decrypt the encrypted sample. Because every network node in the network is configured with an encryption module and a decryption module, every node is capable of generating keys, and key generation or key update is performed by whichever node in the segment receives the key instruction rather than by a fixed network device. Therefore, when any network node device is attacked, the other network nodes can still generate keys to update the key in the network segment, which improves network security. In addition, each network node device performs trial decryption on the generated key in advance through its own decryption module and distributes the key to the other network nodes only when that decryption fails, which further improves the security of the key.
In an optional implementation manner of this embodiment, the apparatus further includes a modification module 440, configured to modify the encryption configuration information after the judging module 420 judges that the decryption module successfully decrypted the encrypted sample; the generating encryption module 410 is further configured to generate an encryption changing key from the modified encryption configuration information through the encryption module and to encrypt the sample data with the encryption changing key to obtain an encryption changing sample; the judging module 420 is further configured to judge whether the decryption module successfully decrypts the encryption changing sample; a return execution module 450 is configured to return to the step of modifying the encryption configuration information until the decryption module fails to decrypt the encryption changing sample; and the distributing module 430 is further configured to distribute the encryption changing key corresponding to the decryption failure to the other network nodes in the network.
In an optional implementation manner of this embodiment, the apparatus further includes a marking module 460, configured to set a mark for encryption configuration information and an encryption key corresponding to successful decryption.
According to some embodiments of the present application, as shown in fig. 5, the present application provides an electronic device 5 including a processor 501 and a memory 502, which are interconnected and communicate with each other through a communication bus 503 and/or another form of connection mechanism (not shown). The memory 502 stores a computer program executable by the processor 501; when the program is executed, the processor 501 performs the method of the foregoing implementation, for example step S100 to step S130: after receiving a key generation instruction, acquiring encryption configuration information and sample data; generating an encryption key from the encryption configuration information through an encryption module; encrypting the sample data with the encryption key to obtain an encrypted sample; judging whether the decryption module successfully decrypts the encrypted sample; and, if decryption fails, distributing the encryption key to other network nodes in the network.
The present application provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the method of the preceding implementation.
The storage medium may be implemented by any type of volatile or nonvolatile memory device or combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk, or optical disk.
The present application provides a computer program product which, when run on a computer, causes the computer to perform the aforementioned method.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the embodiments, and are intended to be included within the scope of the claims and description. In particular, the technical features mentioned in the respective embodiments may be combined in any manner as long as there is no structural conflict. The present application is not limited to the specific embodiments disclosed herein, but encompasses all technical solutions falling within the scope of the claims.

Claims (10)

1. A network key management method, characterized in that the method is adapted to a network comprising a plurality of network nodes; each network node of the plurality of network nodes is configured with an encryption module and a decryption module, the plurality of network nodes are in communication connection, and the method is applied to any network node; the method comprises the following steps:
after receiving a key generation instruction, acquiring encryption configuration information and sample data;
generating an encryption key according to the encryption configuration information through an encryption module;
encrypting the sample data by using the encryption key to obtain an encrypted sample;
judging whether the decryption module successfully decrypts the encrypted sample;
and if the decryption module fails to decrypt the encrypted sample, distributing the encryption key to other network nodes in the network.
2. The method of claim 1, wherein after said determining whether the decryption module successfully decrypts the encrypted sample, the method further comprises:
if the decryption module is judged to successfully decrypt the encrypted sample, the encryption configuration information is changed;
generating an encryption modification key according to the modified encryption configuration information through an encryption module;
Encrypting the sample data by using the encryption changing key to obtain an encryption changing sample;
judging whether the decryption module successfully decrypts the encryption change sample;
and if the decryption module successfully decrypts the encryption change sample, returning to the step of changing the encryption configuration information until the decryption module fails to decrypt the encryption change sample, and distributing an encryption change key corresponding to the decryption failure to other network nodes in the network.
3. The method of claim 2, wherein after the decryption module successfully decrypts the encrypted sample, the method further comprises:
and setting a mark for the encryption configuration information and the encryption key corresponding to the successful decryption.
4. The method of claim 1, wherein the encryption configuration information includes geographic coordinate information and various network transmission data of different weights; the generating, by the encryption module, an encryption key according to the encryption configuration information includes:
and generating the encryption key by the encryption module through a target encryption algorithm according to the geographic coordinate information and various network transmission data with different weights.
5. The method of claim 4, wherein the geographic coordinate information comprises any one of a current geographic coordinate of itself, a current geographic coordinate of any network node in the network, and a current geographic coordinate of all network nodes in the network.
6. The method of claim 1, wherein the plurality of network nodes form a blockchain; the distributing the encryption key to other network nodes in the network includes:
the encryption key is broadcast into the blockchain for distribution through the blockchain to other network nodes in the network.
7. The method of claim 1, wherein after said distributing the encryption key to other network nodes in the network, the method further comprises:
randomly determining a target network node in other network nodes in the network;
and sending a key generation instruction to the target network node so that the target network node generates an updated key in a key updating period according to the key generation instruction.
8. A network key management system for managing a network comprising a plurality of network nodes; the plurality of network nodes are in communication connection;
The network key management system comprises an encryption module and a decryption module; the encryption module and the decryption module are configured in each of the network nodes;
The encryption module in each network node is configured to acquire encryption configuration information and sample data after receiving a key generation instruction;
generating an encryption key according to the encryption configuration information;
encrypting the sample data by using the encryption key to obtain an encrypted sample, and transmitting the encrypted sample to a decryption module in the same network node;
the decryption module is configured to decrypt the encrypted samples;
the network node is used for judging whether the decryption module is successful in decryption;
and if the decryption module fails to decrypt the encrypted sample, distributing the encryption key to other network nodes in the network.
9. The system of claim 8, wherein the plurality of network nodes form a blockchain, the system further comprising a newly added network node, wherein the newly added network node is a network node newly added to the blockchain or a network node recovered from a network outage;
the newly added network node is configured to send a target block synchronization request to other network nodes in the blockchain to synchronize a target block, where the target block includes an encryption mode of the network nodes in the blockchain, encryption configuration information carrying a no-longer-used mark, and an encryption key.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the method of any of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211611709.6A CN116015637A (en) 2022-12-14 2022-12-14 Network key management method, system and computer readable storage medium


Publications (1)

Publication Number Publication Date
CN116015637A true CN116015637A (en) 2023-04-25

Family

ID=86022172


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination