CN116232589A - Key management method and device, computer readable storage medium and electronic equipment - Google Patents
Key management method and device, computer readable storage medium and electronic equipment Download PDFInfo
- Publication number
- CN116232589A CN116232589A CN202310266555.XA CN202310266555A CN116232589A CN 116232589 A CN116232589 A CN 116232589A CN 202310266555 A CN202310266555 A CN 202310266555A CN 116232589 A CN116232589 A CN 116232589A
- Authority
- CN
- China
- Prior art keywords
- key
- key management
- data
- request
- management system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
- Lock And Its Accessories (AREA)
Abstract
The disclosure relates to a key management method and device, a computer readable storage medium and an electronic device, and relates to the technical field of computers, wherein the method comprises the following steps: the key management system client receives a key management request, performs first key management according to the key management request, and obtains a first result or sends the key management request to the key management system server; and the key management system server performs authority verification on the key management request, and performs second key management when verification passes, so as to obtain a second result. The security of the key management system is improved, and the risk of leakage of the key management system is reduced.
Description
Technical Field
The embodiment of the disclosure relates to the technical field of computers, in particular to a key management method, a key management device, a computer readable storage medium and electronic equipment.
Background
The existing key management system centrally stores and manages keys and provides the keys to users through a network. When the user needs to encrypt or decrypt, the key management system is requested, and returns the key plaintext to the user for encryption or decryption. In addition, the existing key management system can also directly receive the data plaintext of the user, encrypt the data ciphertext by using the key in the key management system and return the data ciphertext to the user, and the process of using the key in the middle is transparent to the user.
However, the key management method of the existing key management system has insufficient security, and when the key management system leaks, an attacker can try one by using all keys to crack the data of the user.
Accordingly, there is a need to provide a new key management method.
It should be noted that the information of the present invention in the above background section is only for enhancing the understanding of the background of the present invention and thus may include information that does not form the prior art that is already known to those of ordinary skill in the art.
Disclosure of Invention
An object of the present disclosure is to provide a key management method, a key management apparatus, a computer-readable storage medium, and an electronic device, which further overcome, at least to some extent, the problem of insufficient key management security in the related art due to limitations and drawbacks of the related art.
According to one aspect of the present disclosure, there is provided a key management method including:
the key management system client receives a key management request, performs first key management according to the key management request, and obtains a first result or sends the key management request to the key management system server;
and the key management system server performs authority verification on the key management request, and performs second key management when verification passes, so as to obtain a second result.
According to an aspect of the present disclosure, there is provided a key management apparatus including:
the key request receiving module is used for receiving a key management request by the key management system client, carrying out first key management according to the key management request, and obtaining a first result or sending the key management request to the key management system server;
and the key request processing module is used for carrying out authority verification on the key management request by the key management system server side, and carrying out second key management when verification passes, so as to obtain a second result.
According to an aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processing unit, implements the key management method according to any of the above-described exemplary embodiments.
According to one aspect of the present disclosure, there is provided an electronic device including:
a processing unit; and
a storage unit configured to store executable instructions of the processing unit;
wherein the processing unit is configured to perform the key management method according to any of the above-described exemplary embodiments via execution of the executable instructions.
According to the key management method provided by the embodiment of the disclosure, the key management system client receives a key management request, performs first key management according to the key management request, and obtains a first result or sends the key management request to the key management system server; and the key management system server performs authority verification on the key management request, and performs second key management when verification passes, so as to obtain a second result. On one hand, the key management system is divided into a key management system client and a key management system server, and different ends are respectively responsible for different functions, but in the related art, the traditional key management system can logically or physically concentrate the key management in one module, so that the problem of leakage of a master key and a data key once the key management system is attacked in the related art is solved, and the security of the key management is improved; on the other hand, when the key management system client cannot perform first key management on the key management request, the key management request is sent to the key management system server, the key management system server performs authority verification, and when the verification passes, second key management is performed, so that the security of the key management system is further ensured through the authority verification.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention. It is evident that the drawings in the following description are only some embodiments of the present invention and that other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art.
Fig. 1 schematically illustrates a flow chart of a key management method according to an example embodiment of the present disclosure.
Fig. 2 schematically illustrates a block diagram of a key management system according to an example embodiment of the present disclosure.
Fig. 3 schematically illustrates a flow chart of a method for performing a first key management according to a key management request when the key management request is encrypted, resulting in a first result, according to an example embodiment of the present disclosure.
Fig. 4 schematically illustrates a flow chart of a key management method after encrypting a user data plaintext by a data key plaintext, resulting in a user data ciphertext, according to an example embodiment of the present disclosure.
Fig. 5 schematically illustrates a flowchart of a method for performing a first key management according to a key management request to obtain a first result when the key management request is decryption, according to an exemplary embodiment of the present disclosure.
Fig. 6 schematically illustrates a flow chart of a key management method prior to a key management system authenticating a key management request, according to an example embodiment of the present disclosure.
Fig. 7 schematically illustrates a flowchart of a method for performing a second key management when a server of a key management system performs authority verification on a key management request and the verification passes according to an exemplary embodiment of the present disclosure.
Fig. 8 schematically illustrates a flow chart of a key management method after sending a key management request to a data key management module when the key management request is encrypted, according to an example embodiment of the present disclosure.
Fig. 9 schematically illustrates a flow chart of a key management method after sending a key management request to a data key management module when the key management request is decryption, according to an example embodiment of the present disclosure.
Fig. 10 schematically illustrates a flow chart of a key management method after sending a key management request to a data key management module when the key management request is a create key, according to an example embodiment of the present disclosure.
Fig. 11 schematically illustrates a flow chart of a key management method according to an example embodiment of the present disclosure.
Fig. 12 schematically illustrates a block diagram of a key management apparatus according to an example embodiment of the present disclosure.
Fig. 13 schematically illustrates an electronic device for implementing the above-described key management method according to an exemplary embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known aspects have not been shown or described in detail to avoid obscuring aspects of the invention.
Furthermore, the drawings are merely schematic illustrations of the present invention and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor devices and/or microcontroller devices.
In the key management system of the related art, there are the following problems: firstly, the security is insufficient, when the secret key managed by the secret key management system is leaked, an attacker can try one by utilizing the leaked secret key, and the data of the user can be cracked; secondly, the key management is chaotic, and the existing key management system can return the same key to a plurality of users, so that data among the users are unsafe; or the user expects to use the same secret key to process the data for multiple times, and the system returns different secret keys each time, so that the use cost of the user is increased; thirdly, the user authority is single: after authentication, the user can perform all operations by using all keys, but the user desires to perform some fine authority settings, for example, the user a can only use the key B and the key C, can encrypt and decrypt by using the key B but cannot generate the data key of the key B, and can generate the data key of the key C but cannot encrypt and decrypt by using the key C. Fourth, root key storage is expensive and unsafe: the storage of the root key typically uses a separate physical HSM (Hardware Security Module ) device, or an HSM service of the cloud facilitator. The price of the individual physical HSM devices is high, and the security risk of submitting the key to a third party exists for the HSM service of the cloud service provider.
In view of one or more of the above problems, the present exemplary embodiment first provides a key management method, as shown with reference to fig. 1, which may include the steps of:
s110, the key management system client receives a key management request, and performs first key management according to the key management request to obtain a first result or sends the key management request to the key management system server;
and S120, the key management system server performs authority verification on the key management request, and performs second key management when verification passes, so as to obtain a second result.
According to the key management method, the key management system client receives the key management request, performs first key management according to the key management request, and obtains a first result or sends the key management request to the key management system server; and the key management system server performs authority verification on the key management request, and performs second key management when verification passes, so as to obtain a second result. On one hand, the key management system is divided into a key management system client and a key management system server, and different ends are respectively responsible for different functions, but in the related art, the traditional key management system can logically or physically concentrate the key management in one module, so that the problem of leakage of a master key and a data key once the key management system is attacked in the related art is solved, and the security of the key management is improved; on the other hand, when the key management system client cannot perform first key management on the key management request, the key management request is sent to the key management system server, the key management system server performs authority verification, and when the verification passes, second key management is performed, so that the security of the key management system is further ensured through the authority verification.
Each step involved in the key management method of the exemplary embodiment of the present disclosure is explained and explained in detail below.
In step S110, the key management system client receives a key management request, performs first key management according to the key management request, and obtains a first result or sends the key management request to the key management system server.
In the present exemplary embodiment, referring to fig. 2, the key management system may include a key management system client 210, a key management system server 220, and a storage system 230; the key management system server 220 includes a rights management module 221, a data key management module 222, a master key management module 223, and a root key management module 224, where the data key management module 222 and the master key management module 223 are respectively disposed on different rooms, networks, clusters, and devices, and the disposition of each other will not depend on each other; the key management system client 210 is configured to receive a key management request of a user, and send the key management request of the user to the key management system server 220; the storage system 230 is used to store encrypted information of a user.
In this example embodiment, the key management system client receives a key management request sent by the user, where the key management request may be one of encryption, decryption, reading a key, writing a key, and creating a key, and in this example embodiment, the key management request is not specifically limited; the general information may be carried in the key management request of the user, where the general information may include a master key, user identification information, a product to which the key belongs, and a namespace to which the key belongs, and in this example embodiment, the general information in the key management request is not specifically limited. Referring to fig. 3, when the key management request is encrypted, performing first key management according to the key management request to obtain a first result may include:
S310, acquiring user identification information and user data plaintext which are included in an encryption request, and taking the user identification information and the user data plaintext as keys of a key value pair;
s320, returning user data ciphertext and data key ciphertext in a value corresponding to the key of the key value pair in the cache when the key of the key value pair hits the cache;
and S330, when the key in the key value pair does not hit the cache, sending the encryption request to the key management system server, receiving a data key plaintext sent by the key management system server, and encrypting the user data plaintext through the data key plaintext to obtain a user data ciphertext.
Hereinafter, step S310 to step S330 will be further explained and explained. Specifically, after receiving an encryption request of a user, a key management system client firstly obtains user identification information and user data plaintext which is required to be encrypted by the user and, after obtaining the user data plaintext, can use the user identification information and the user data plaintext as keys of a key value pair and can also use hash values of the user identification information and the user data plaintext as keys of the key value pair; judging whether a key management request of a user hits a cache or not through keys of the key value pair, wherein the cache can be a multi-level hierarchical cache, and comprises a memory cache, a Redis cache and a database cache, and in the cache, when hash values of user identification information and user data plaintext are used as keys of the cache, user data ciphertext and data key ciphertext can be used as values of the key value pair. When the key of the key value pair hits the cache, returning the user data ciphertext and the data key ciphertext in the value corresponding to the key of the key value pair in the cache; when the key of the key value pair is not cached, the key management system client sends an encryption request of a user to the key management system server and receives a data key plaintext sent by the key management system server, and after the key management system client receives the data key plaintext, the data key plaintext is used for encrypting the user data plaintext to obtain a user data ciphertext; in encrypting the plain text of the user data, AES (Advanced Encryption Standard ) may be used for encryption, or RSA encryption algorithm may be used, which is not particularly limited in the present exemplary embodiment; the data key is a key for encrypting user data; the key plaintext is a key that can be used directly to encrypt or decrypt other data or other keys; the key ciphertext needs to be decrypted into the key plaintext before other data or other keys can be encrypted or decrypted.
Referring to fig. 4, after encrypting the user data plaintext by the data key plaintext to obtain a user data ciphertext, the key management method further includes:
s410, acquiring a master key included in the encryption request, and encrypting the data key plaintext through the master key to obtain a data key ciphertext;
and S420, storing the data key ciphertext and the user data ciphertext serving as values of key value pairs in the cache.
Hereinafter, step S410 and step S420 will be further explained and explained. Specifically, after receiving the data key plaintext, the key management system client may acquire a master key included in the encryption request, and encrypt the acquired data key plaintext by using the master key to obtain a data key ciphertext; after the data key ciphertext is obtained, the key value pair of (user identification information+user data plaintext) - (user data ciphertext+data key ciphertext) can be stored in a cache, and the obtained user data ciphertext and the obtained data key ciphertext are sent to the user. The master key is a key for encrypting or decrypting the data key.
Referring to fig. 5, when the key management request is decryption, performing first key management according to the key management request to obtain a first result, including:
s510, acquiring user identification information and a data key ciphertext which are included in a decryption request, and taking the user identification information and the data key ciphertext as keys of a key value pair;
s520, when the key of the key value pair hits the cache, returning a data key plaintext in a value corresponding to the key of the key value pair in the cache, and decrypting the user data ciphertext through the data key plaintext to obtain the user data plaintext;
and S530, when the cache is not hit, sending the decryption request to the key management system server, receiving a data key plaintext sent by the key management system server, and decrypting the user data ciphertext by using the data key plaintext to obtain a user data plaintext.
Hereinafter, step S510 to step S530 will be further explained and explained. Specifically, after receiving a decryption request of a user, a key management system client first obtains user identification information and a data key ciphertext included in the decryption request, and uses the user identification information and the data key ciphertext as keys of a key value pair, or uses hash values of the user identification information and the data key ciphertext as keys of the key value pair, which is not specifically limited in this example embodiment; judging whether a decryption request of a user hits a cache or not through keys of the key value pair, wherein the cache can be a multi-level hierarchical cache, and comprises a memory cache, a Redis cache and a database cache, and in the cache, hash values of user identification information and data key ciphertext can be used as keys of the cache, and data key plaintext can be used as a value of the key value pair. When the key of the key value pair hits the cache, returning a data key plaintext in a value corresponding to the key of the key value pair in the cache, and decrypting the user data ciphertext by utilizing the data key plaintext to obtain the user data plaintext; when the key of the key value pair is not cached, the key management system client sends a decryption request of a user to the key management system server and receives a data key plaintext sent by the key management system server, and after the key management system client receives the data key plaintext, the data key plaintext is used for decrypting the user data ciphertext to obtain the user data plaintext. Further, after the key management system client receives the data key plaintext, the key value pair of (user identification information+hash value of the data key ciphertext) - (data key plaintext) may be stored in the local cache.
Further, when the key management request of the user is a read key or a write key or a create key, the key management system client directly sends the key management request of the user to the key management system server, and the authority management module of the key management system server performs authority verification first.
In step S120, the key management system server performs authority verification on the key management request, and performs a second key management when the verification passes, to obtain a second result.
In this example embodiment, after the key management system client sends the key management request of the user to the key management system server, the key management system server first performs authority verification on the received key management request of the user. After the authority verification is passed, obtaining the product and the name space included in the key management request, and the key management system server side routes the key management request to an encryption or decryption engine corresponding to the product and the name space included in the key management request through a router, and the engine performs second key management to obtain a second result. Different key management requests are routed to corresponding engines through the routing of the key management system server, and the engines are used for management, so that isolation and uniqueness of key management are realized.
Referring to fig. 6, before the key management system performs authority verification on the key management request, the key management method further includes:
s610, generating an association relationship among a product associated with the key, a master key and a naming space;
s620, performing authority binding on the association relationship, wherein the bound authority can be one or more of a read key, a write key, encryption, decryption and a create key;
and S630, generating a permission policy based on the bound permission associated user, and storing the permission policy in a database.
Hereinafter, step S610 to step S630 will be further explained and explained. Specifically, before the rights management module performs rights verification on the key management request of the user, the rights policy of the rights management module may be generated first. That is, the association relation of the product, the master key and the naming space is firstly generated, and then the authority is bound to the association relation, wherein the authority which can be bound is one or more of a read key, a write key, encryption, decryption and a creation key; and finally, associating the users or the user groups based on the bound rights, generating a rights policy, and storing the generated rights policy. After storing the authority policies in the database, a unique index can be set for the authority policies, so that the uniqueness of the authority policies is ensured.
Referring to fig. 7, the performing, by the key management system server, authority verification on the key management request, and performing second key management when verification passes, may include:
step S710, acquiring and determining whether the product, the master key and the naming space contained in the key management request hit the database;
s720, when the user hits, acquiring all hit right strategies from the database, and acquiring user identification information included in all hit right strategies;
and S730, when the user identification information included in the key management request is determined to be included in the user identification information included in the hit all authority policies, the key management request is sent to a data key management module of the key management system server.
Hereinafter, step S710 to step S730 will be further explained and explained. Specifically, when the key management system server performs authority verification on a key management request of a user, firstly, acquiring a product, a master key and a namespace included in the key management request of the user, and judging whether the acquired product, master key and namespace hit an association relationship of an authority policy in a database; when hit, acquiring all hit authority policies in the database, and acquiring user identification information in all hit authority policies; then, when the user identification information of the user is included in the user identification information of all the hit authority policies, the key management request is transmitted to the data key management module of the key management system server. And when the user does not hit, returning a message of failure of the key management request to the key management system client and prompting the user of insufficient authority. The data key management module is used for storing, managing and pre-generating batch data key ciphertext.
In this example embodiment, referring to fig. 8, when the key management request is encrypted, after the key management request is sent to the data key management module of the key management system server, the key management method may further include:
s810, acquiring a plurality of data key ciphertexts generated in advance and a user data plaintext included in an encryption request, and mapping the user data plaintext to a first data key ciphertext in the plurality of data key ciphertexts;
s820, sending the total quantity of the pre-generated data key ciphertext to a master key management module of the key management system server, and obtaining the mapping between the total quantity of the data key ciphertext and the total quantity of the data key plaintext through the master key management module;
step S830, obtaining a first data key plaintext corresponding to the first data key ciphertext based on the mapping of the full data key ciphertext and the full data key plaintext;
and step S840, returning the first data key ciphertext and the first data key plaintext to a key management system client so that the key management system client encrypts the user data plaintext according to the first data key plaintext.
Hereinafter, step S810 to step S840 will be further explained and explained. Specifically, when the rights management module of the key management system server receives a user's key management request as an encryption request, the rights management module sends the user's encryption request to the data key management module of the key management system server, and after the data key management module receives the encryption request, firstly, a plurality of data key ciphertexts generated in advance and user data plaintext included in the user encryption request are obtained, and the obtained user data plaintext is mapped to a first data key ciphertext in the plurality of data key ciphertexts, wherein the first data key ciphertext can be any one of the plurality of data key ciphertexts; then, the data key management module sends the pre-generated data key ciphertext or the hash value total of the data key ciphertext to a master key management module of the key management system, the master key management module obtains the mapping between the total data key ciphertext and the total data key plaintext, and a first data key plaintext corresponding to the first data key ciphertext is obtained based on the mapping; and finally, returning the first data key ciphertext and the first data key plaintext to the right management module, and returning the first data key ciphertext and the first data key plaintext to the key management system client by the right management module so that the key management system client encrypts the user data according to the received first data key plaintext to obtain the user data ciphertext. The master key management module is used for storing and managing the master key, decrypting the data key ciphertext and obtaining the data ciphertext plaintext.
Further, after the pre-generated data key ciphertext is sent to the master key management module of the key management system server, the data key management method further includes:
and decrypting the full data key ciphertext by using the master key to obtain a full data key plaintext corresponding to the full data key ciphertext.
Specifically, after the master key management module of the key management system server receives the hash value of the full data key ciphertext sent by the data key management module, the master key management module restores the hash value of the received full data key ciphertext to obtain the full data key ciphertext, decrypts the full data key ciphertext by using the stored master key to obtain the full data key plaintext corresponding to the full data key ciphertext, and sends the full data key plaintext to the data key management module.
In this example embodiment, referring to fig. 9, when the key management request is decryption, after the key management request is sent to the data key management module of the key management system server, the key management method may further include:
S910, acquiring a plurality of data key ciphertexts which are generated in advance and a second data key ciphertext which is included in a decryption request;
s920, sending the total quantity of the pre-generated data key ciphertext to a master key management module of the key management system server, and obtaining the mapping of the total quantity of the data key ciphertext and the data key plaintext through the master key management module;
s930, obtaining a second data key plaintext corresponding to the second data key ciphertext based on the mapping of the full data key ciphertext and the data key plaintext;
and S940, returning the second data key plaintext to a key management system client so that the key management system client decrypts the user data ciphertext according to the second data key plaintext to obtain the user data plaintext.
Hereinafter, step S910 to step S940 will be further explained and explained. Specifically, when the rights management module of the key management system server receives a user's key management request as a decryption request, the rights management module sends the user's decryption request to the data key management module of the key management system server, and after the data key management module receives the decryption request, firstly, a plurality of data key ciphertexts generated in advance and a second data key ciphertexts included in the user's decryption request are obtained; then, the data key management module sends the pre-generated data key ciphertext or the hash value total of the data key ciphertext to a master key management module of the key management system, the master key management module obtains the mapping between the total data key ciphertext and the total data key plaintext, and a second data key plaintext corresponding to the second data key ciphertext is obtained based on the mapping; and finally, returning the second data key plaintext to the right management module, and returning the second data key plaintext to the key management system client by the right management module so that the key management system client decrypts the user data ciphertext according to the received second data key plaintext to obtain the user data plaintext.
Further, after the pre-generated data key ciphertext is sent to the master key management module of the key management system server, the key management method further includes:
and decrypting the full data key ciphertext by using the master key to obtain a full data key plaintext corresponding to the full data key ciphertext.
Specifically, after the master key management module of the key management system server receives the hash value of the full data key ciphertext sent by the data key management module, the master key management module restores the hash value of the received full data key ciphertext to obtain the full data key ciphertext, decrypts the full data key ciphertext by using the stored master key to obtain the full data key plaintext corresponding to the full data key ciphertext, and sends the full data key plaintext to the data key management module.
In this example embodiment, referring to fig. 10, when the key management request is a create key, after the key management request is sent to the data key management module of the key management system server, the key management method may further include:
S1010, sending a data key creation request to a master key management module of a key management system server, and receiving a target data key ciphertext and a target data key plaintext data pair returned by the master key management module;
s1020, adding the target data key ciphertext into a plurality of data key ciphertext generated in advance, and sending the target data key ciphertext and the target data key plaintext data pair to the key management system client.
Step S1010 and step S1020 will be further explained and explained below. Specifically, when the data key management module receives a key management request of a user as a creation key, the data key management module sends the creation key request to the master key management module and receives a target data key ciphertext and a target data key plaintext data pair returned by the master key management module; and then, the data key management module adds the target data key ciphertext into a plurality of data key ciphers which are generated in advance, and sends the target data key ciphertext and the target data key plaintext data pair to the authority management module, and the authority management module sends the target data key ciphertext and the target data key plaintext data pair to the key management system client.
Further, after sending the request for creating the data key to the master key management module of the key management system server, the key management method further includes:
and generating the target data key ciphertext and the target data key plaintext data pair by using a master key.
Specifically, after the data key management module sends the key creation request to the master key management module, the master key management module generates a new data key ciphertext and a data pair of the data key plaintext by using the stored master key, that is, generates a target data key ciphertext and a target data key plaintext data pair, and returns the target data key ciphertext and the target data key plaintext data pair to the key data management module.
In this example embodiment, when the key management request is a read key or a write key, the key management request is sent to a master key management module of the key management system.
Specifically, when the key management request of the user is a read key or a write key, the data key management module directly sends the read key or the write key request to the master key management module, and the master key management module processes the read key or the write key request.
When the key management request is a read key, after the key management request is sent to a master key management module of the key management system, the key management method further includes:
and acquiring master key information, and returning the master key information to the key management system client.
Specifically, after the master key management module receives a key reading request sent by the data key management module, the master key management module acquires stored master key information and returns the master key information to the data key management module, the data key management module returns the received master key information to the authority management module, and the authority management module returns the master key information to the key management system client. The master key information may include a key name, a remark, and an enable state, and is not particularly limited in this example embodiment.
When the key management request is a write key, after the key management request is sent to a master key management module of the key management system, the key management method further includes:
acquiring writing information included in a writing key request, and modifying master key information according to the writing information to obtain updated master key information;
And returning the updated master key information to the key management system client.
Specifically, after the master key management module receives a write key request sent by the data key management module, the master key management module obtains write information included in the write key request, updates master key information according to the write information to obtain updated master key information, returns the updated master key information to the data key management module, returns the received updated master key information to the authority management module, and returns the updated master key information to the key management system client. The write information included in the write key request may be a key name, a remark, an enabling state, or the like, and is not particularly limited in this example embodiment.
In the present disclosure, a master key management module and a data key management module are respectively deployed on different rooms, networks, clusters, and devices, and are not mutually dependent on each other, and are respectively responsible for different functions, storing different data, and when any one of the two modules is attacked, the whole key management system is not revealed. For the master key management module, on one hand, because the user data plaintext and the user data ciphertext cannot be stored in the master key management module, when the master key management module is attacked, the user data plaintext and the user data ciphertext cannot be leaked; on the other hand, the data key plaintext and the data key ciphertext cannot be stored in the master key module, so that the data key plaintext and the data key ciphertext cannot be revealed when the master key management module is attacked; on the other hand, since different data plaintext is encrypted by using different data keys, even if partial data key leakage occurs, an attacker can only decrypt partial user data ciphertext at most, and partial user data plaintext is obtained.
For the data key management module, on one hand, the data key management module does not store the user data plaintext and the user data ciphertext, so that the user data plaintext and the user data ciphertext are not leaked when the data key management module is attacked; on the other hand, when the data key management module is attacked, the data key management module cannot decrypt the data key ciphertext due to the lack of the master key stored by the master key management module, cannot obtain the mapping between the data key ciphertext and the data key plaintext, and further cannot obtain the data key plaintext, and when the data key plaintext is absent, the attacker cannot decrypt the user data ciphertext.
In the present exemplary embodiment, referring to fig. 11, the key management method may further include:
s1110, dividing a root key stored in a key management system server into a plurality of fragments, and storing the fragments on different machines of different clusters;
and S1120, acquiring a preset fragmentation threshold, and when the fragmentation number of the owned root key is not smaller than the fragmentation threshold, analyzing the root key according to the fragments of the owned root key.
Hereinafter, step S1110 and step S1120 will be further explained and described. Specifically, a root key can be stored in a root key management module of a key management system server, wherein the root key is a key for encrypting or decrypting a master key and is a key at the bottom layer of the key management system; when the root key is stored in the root key management module, the root key is divided into a plurality of fragments, the number of fragments is not particularly limited in this example embodiment, and the plurality of fragments obtained by division are stored on different machines of different clusters, for example, fragment A, B is stored on machine 1, and fragment C, D is stored on machine 2; and then, acquiring a preset fragmentation threshold, and when the number of fragments of the owned heel key is not smaller than the fragmentation threshold, analyzing the root key according to the owned fragments. In the present example embodiment, even if a single cluster or single machine is attacked, the fragments cannot be fragmented, and the root key cannot be parsed.
Furthermore, a plurality of cluster copies can be created for storing the root key according to the actual cost and the requirement, and in any cluster, when the number of owned fragments is larger than a preset fragment threshold value, the root key can be resolved. In addition, the machines under the cluster belong to different machine rooms of different network segments, so that the cost of an attacker is increased; other software or services are not additionally installed on the machine, so that the way that an attacker invades the machine is reduced; the machine only provides encryption or decryption services; the firewall of the machine needs to be strictly limited, and only an SSH (Secure Shell) connection port is opened; for a key fragment file, only the root user may be allowed to read; the key fragments on the machine can be updated periodically, so that the safety is further improved.
The key management method provided by the exemplary embodiments of the present disclosure has at least the following advantages: on one hand, the main key management module and the data key management module are respectively deployed on different machine rooms, networks, clusters and devices, deployment of the main key management module and the data key management module is not mutually dependent and is respectively responsible for different functions, different data are stored, and when any one of the two modules is attacked, the whole key management system is not leaked, so that the safety of the key management system is improved; on the other hand, different keys can be distributed to different users, so that uniqueness is ensured, a unified user can also have a plurality of keys, and the use flexibility of the user is improved; on the other hand, the security of privatization deployment is ensured by storing the root key, and high HSM physical equipment cost is not needed; on the other hand, in the scene that the large-batch key needs to be decrypted instantaneously, better supporting capability is provided.
The exemplary embodiment of the present disclosure also provides a key management apparatus, which may include, with reference to fig. 12: key request receiving module 1210 and key request processing module 1220. Wherein:
the key request receiving module 1210 is configured to receive a key management request from the key management system client, perform first key management according to the key management request, and obtain a first result or send the key management request to the key management system server;
The key request processing module 1220 is configured to perform authority verification on the key management request by the key management system server, and perform a second key management when the verification passes, to obtain a second result.
The specific details of each module in the above-mentioned key management device are already described in detail in the corresponding key management method, so that they will not be described in detail here.
In an exemplary embodiment of the present disclosure, when the key management request is encrypted, performing, according to the key management request, first key management to obtain a first result, including:
acquiring user identification information and user data plaintext included in an encryption request, and taking the user identification information and the user data plaintext as keys of a key value pair;
when the key of the key value pair hits the cache, returning the user data ciphertext and the data key ciphertext in the value corresponding to the key of the key value pair in the cache;
and when the key in the key value pair does not hit the cache, sending the encryption request to the key management system server, receiving a data key plaintext sent by the key management system server, and encrypting the user data plaintext through the data key plaintext to obtain a user data ciphertext.
In an exemplary embodiment of the present disclosure, after encrypting the user data plaintext by the data key plaintext to obtain a user data ciphertext, the key management method further includes:
acquiring a master key included in the encryption request, and encrypting the data key plaintext through the master key to obtain a data key ciphertext;
and storing the data key ciphertext and the user data ciphertext as values of key value pairs in the cache.
In an exemplary embodiment of the present disclosure, when the key management request is decryption, performing first key management according to the key management request, to obtain a first result, including:
acquiring user identification information and a data key ciphertext which are included in a decryption request, and taking the user identification information and the data key ciphertext as keys of a key value pair;
when the key of the key value pair hits the cache, returning a data key plaintext in a value corresponding to the key of the key value pair in the cache, and decrypting the user data ciphertext through the data key plaintext to obtain the user data plaintext;
and when the cache is not in command, sending the decryption request to the key management system server, receiving a data key plaintext sent by the key management system server, and decrypting the user data ciphertext by using the data key plaintext to obtain a user data plaintext.
In an exemplary embodiment of the present disclosure, when the key management request is a read key or a write key or a create key, the key management request is sent to a rights management module of the key management system server.
In an exemplary embodiment of the present disclosure, before the key management system performs authority verification on the key management request, the key management method further includes:
generating an association relationship among a product associated with the key, the master key and the namespace;
performing authority binding on the association relationship, wherein the bound authority can be one or more of a read key, a write key, encryption, decryption and a create key;
and generating a permission policy based on the bound permission associated user, and storing the permission policy in a database.
In an exemplary embodiment of the present disclosure, the key management system server performs authority verification on the key management request, and performs second key management when verification passes, including:
acquiring and determining whether a product, a master key and a namespace included in the key management request hit the database;
When hit, all hit authority policies are obtained from the database, and user identification information included in all hit authority policies is obtained;
and when the user identification information included in the key management request is determined to be included in the user identification information included in the hit all authority policies, sending the key management request to a data key management module of the key management system server.
In an exemplary embodiment of the present disclosure, when the key management request is encrypted, after the key management request is sent to the data key management module of the key management system server, the key management method further includes:
acquiring a plurality of data key ciphertexts generated in advance and a user data plaintext included in an encryption request, and mapping the user data plaintext to a first data key ciphertext in the plurality of data key ciphertexts;
the pre-generated data key ciphertext is transmitted to a master key management module of the key management system server, and mapping of the total data key ciphertext and the total data key plaintext is obtained through the master key management module;
Obtaining a first data key plaintext corresponding to the first data key ciphertext based on the mapping of the full data key ciphertext and the full data key plaintext;
and returning the first data key ciphertext and the first data key plaintext to a key management system client so that the key management system client encrypts the user data plaintext according to the first data key plaintext.
In an exemplary embodiment of the present disclosure, after the pre-generated data key ciphertext is sent to the master key management module of the key management system server, the data key management method further includes:
and decrypting the full data key ciphertext by using the master key to obtain a full data key plaintext corresponding to the full data key ciphertext.
In an exemplary embodiment of the present disclosure, when the key management request is decryption, after the key management request is sent to the data key management module of the key management system server, the key management method further includes:
acquiring a plurality of data key ciphertexts which are generated in advance and a second data key ciphertext which is included in a decryption request;
The pre-generated data key ciphertext is transmitted to a master key management module of the key management system server, and the mapping of the total data key ciphertext and the data key plaintext is obtained through the master key management module;
obtaining a second data key plaintext corresponding to the second data key ciphertext based on the mapping of the full data key ciphertext and the data key plaintext;
and returning the second data key plaintext to a key management system client so that the key management system client decrypts the user data ciphertext according to the second data key plaintext to obtain the user data plaintext.
In an exemplary embodiment of the present disclosure, after the pre-generated data key ciphertext is sent to the master key management module of the key management system server, the key management method further includes:
and decrypting the full data key ciphertext by using the master key to obtain a full data key plaintext corresponding to the full data key ciphertext.
In an exemplary embodiment of the present disclosure, when the key management request is a create key, after the key management request is sent to the data key management module of the key management system server, the key management method further includes:
Sending a data key creation request to a master key management module of a key management system server, and receiving a target data key ciphertext and a target data key plaintext data pair returned by the master key management module;
and adding the target data key ciphertext into a plurality of data key ciphers which are generated in advance, and sending the target data key ciphertext and the target data key plaintext data pair to the key management system client.
In an exemplary embodiment of the present disclosure, after sending the create data key request to the master key management module of the key management system server, the key management method further includes:
and generating the target data key ciphertext and the target data key plaintext data pair by using a master key.
In one exemplary embodiment of the present disclosure, when the key management request is a read key or a write key, the key management request is sent to a master key management module of the key management system.
In an exemplary embodiment of the present disclosure, when the key management request is a read key, after the key management request is sent to a master key management module of the key management system, the key management method further includes:
And acquiring master key information, and returning the master key information to the key management system client.
In an exemplary embodiment of the present disclosure, when the key management request is a write key, after the key management request is sent to a master key management module of the key management system, the key management method further includes:
acquiring writing information included in a writing key request, and modifying master key information according to the writing information to obtain updated master key information;
and returning the updated master key information to the key management system client.
In an exemplary embodiment of the present disclosure, the key management method further includes:
dividing a root key stored in a key management system server into a plurality of fragments, and storing the fragments on different machines of different clusters;
and acquiring a preset fragmentation threshold, and when the fragmentation number of the owned root key is not smaller than the fragmentation threshold, analyzing the root key according to the fragments of the owned root key.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functions of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the invention. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
Furthermore, although the steps of the methods of the present invention are depicted in the accompanying drawings in a particular order, this is not required to either imply that the steps must be performed in that particular order, or that all of the illustrated steps be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
In an exemplary embodiment of the present invention, an electronic device capable of implementing the above method is also provided.
Those skilled in the art will appreciate that the various aspects of the invention may be implemented as a system, method, or program product. Accordingly, aspects of the invention may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects may be referred to herein as a "circuit," module "or" system.
An electronic device 1300 according to this embodiment of the invention is described below with reference to fig. 13. The electronic device 1300 shown in fig. 13 is merely an example and should not be construed as limiting the functionality and scope of use of embodiments of the present invention.
As shown in fig. 13, the electronic device 1300 is embodied in the form of a general purpose computing device. The components of the electronic device 1300 may include, but are not limited to: the at least one processing unit 1310, the at least one memory unit 1320, a bus 1330 connecting the different system components (including the memory unit 1320 and the processing unit 1310), and a display unit 1340.
Wherein the storage unit stores program code that is executable by the processing unit 1310 such that the processing unit 1310 performs steps according to various exemplary embodiments of the present invention described in the above section of the "exemplary method" of the present specification. For example, the processing unit 1310 may perform step S110 as shown in fig. 1: the key management system client receives a key management request, performs first key management according to the key management request, and obtains a first result or sends the key management request to the key management system server; s120: and the key management system server performs authority verification on the key management request, and performs second key management when verification passes, so as to obtain a second result.
The storage unit 1320 may include readable media in the form of volatile storage units, such as Random Access Memory (RAM) 13201 and/or cache memory 13202, and may further include Read Only Memory (ROM) 13203.
The storage unit 1320 may also include a program/utility 13204 having a set (at least one) of program modules 13205, such program modules 13205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The electronic device 1300 may also communicate with one or more external devices 1400 (e.g., keyboard, pointing device, bluetooth device, etc.), one or more devices that enable a user to interact with the electronic device 1300, and/or any device (e.g., router, modem, etc.) that enables the electronic device 1300 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 1350. Also, the electronic device 1300 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, for example, the Internet, through a network adapter 1360. As shown, the network adapter 1360 communicates with other modules of the electronic device 1300 over the bus 1330. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 1300, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, a terminal device, or a network device, etc.) to perform the method according to the embodiments of the present invention.
In an exemplary embodiment of the present invention, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention as described in the "exemplary methods" section of this specification, when said program product is run on the terminal device.
A program product for implementing the above-described method according to an embodiment of the present invention may employ a portable compact disc read-only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
Furthermore, the above-described drawings are only schematic illustrations of processes included in the method according to the exemplary embodiment of the present invention, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
Claims (20)
1. The key management method is characterized by being applied to a key management system, wherein the key management system comprises a key management system client and a key management system server, and the method comprises the following steps:
the key management system client receives a key management request, performs first key management according to the key management request, and obtains a first result or sends the key management request to the key management system server;
And the key management system server performs authority verification on the key management request, and performs second key management when verification passes, so as to obtain a second result.
2. The key management method according to claim 1, wherein when the key management request is encrypted, performing a first key management according to the key management request to obtain a first result, comprising:
acquiring user identification information and user data plaintext included in an encryption request, and taking the user identification information and the user data plaintext as keys of a key value pair;
when the key of the key value pair hits the cache, returning the user data ciphertext and the data key ciphertext in the value corresponding to the key of the key value pair in the cache;
and when the key in the key value pair does not hit the cache, sending the encryption request to the key management system server, receiving a data key plaintext sent by the key management system server, and encrypting the user data plaintext through the data key plaintext to obtain a user data ciphertext.
3. The key management method according to claim 2, wherein after encrypting the user data plaintext by the data key plaintext to obtain a user data ciphertext, the key management method further comprises:
Acquiring a master key included in the encryption request, and encrypting the data key plaintext through the master key to obtain a data key ciphertext;
and storing the data key ciphertext and the user data ciphertext as values of key value pairs in the cache.
4. The key management method according to claim 1, wherein when the key management request is decryption, performing first key management according to the key management request to obtain a first result, comprising:
acquiring user identification information and a data key ciphertext which are included in a decryption request, and taking the user identification information and the data key ciphertext as keys of a key value pair;
when the key of the key value pair hits the cache, returning a data key plaintext in a value corresponding to the key of the key value pair in the cache, and decrypting the user data ciphertext through the data key plaintext to obtain the user data plaintext;
and when the cache is not in command, sending the decryption request to the key management system server, receiving a data key plaintext sent by the key management system server, and decrypting the user data ciphertext by using the data key plaintext to obtain a user data plaintext.
5. The key management method according to claim 1, wherein when the key management request is a read key or a write key or a create key, the key management request is sent to a rights management module of the key management system server.
6. The key management method of claim 1, wherein prior to the key management system performing rights verification on the key management request, the key management method further comprises:
generating an association relationship among a product associated with the key, the master key and the namespace;
performing authority binding on the association relationship, wherein the bound authority can be one or more of a read key, a write key, encryption, decryption and a create key;
and generating a permission policy based on the bound permission associated user, and storing the permission policy in a database.
7. The key management method according to claim 6, wherein the key management system server performs authority verification on the key management request, and performs second key management when the verification passes, including:
acquiring and determining whether a product, a master key and a namespace included in the key management request hit the database;
When hit, all hit authority policies are obtained from the database, and user identification information included in all hit authority policies is obtained;
and when the user identification information included in the key management request is determined to be included in the user identification information included in the hit all authority policies, sending the key management request to a data key management module of the key management system server.
8. The key management method according to claim 7, wherein when the key management request is encrypted, after the key management request is sent to the data key management module of the key management system server, the key management method further comprises:
acquiring a plurality of data key ciphertexts generated in advance and a user data plaintext included in an encryption request, and mapping the user data plaintext to a first data key ciphertext in the plurality of data key ciphertexts;
the pre-generated data key ciphertext is transmitted to a master key management module of the key management system server, and mapping of the total data key ciphertext and the total data key plaintext is obtained through the master key management module;
Obtaining a first data key plaintext corresponding to the first data key ciphertext based on the mapping of the full data key ciphertext and the full data key plaintext;
and returning the first data key ciphertext and the first data key plaintext to a key management system client so that the key management system client encrypts the user data plaintext according to the first data key plaintext.
9. The key management method according to claim 8, wherein after transmitting the pre-generated data key ciphertext aggregate to a master key management module of the key management system server, the data key management method further comprises:
and decrypting the full data key ciphertext by using the master key to obtain a full data key plaintext corresponding to the full data key ciphertext.
10. The key management method according to claim 7, wherein when the key management request is decryption, after the key management request is sent to the data key management module of the key management system server, the key management method further comprises:
acquiring a plurality of data key ciphertexts which are generated in advance and a second data key ciphertext which is included in a decryption request;
The pre-generated data key ciphertext is transmitted to a master key management module of the key management system server, and the mapping of the total data key ciphertext and the data key plaintext is obtained through the master key management module;
obtaining a second data key plaintext corresponding to the second data key ciphertext based on the mapping of the full data key ciphertext and the data key plaintext;
and returning the second data key plaintext to a key management system client so that the key management system client decrypts the user data ciphertext according to the second data key plaintext to obtain the user data plaintext.
11. The key management method according to claim 10, wherein after transmitting the pre-generated data key ciphertext aggregate to a master key management module of the key management system server, the key management method further comprises:
and decrypting the full data key ciphertext by using the master key to obtain a full data key plaintext corresponding to the full data key ciphertext.
12. The key management method of claim 7, wherein when the key management request is a create key, after the key management request is sent to the data key management module of the key management system server, the key management method further comprises:
Sending a data key creation request to a master key management module of a key management system server, and receiving a target data key ciphertext and a target data key plaintext data pair returned by the master key management module;
and adding the target data key ciphertext into a plurality of data key ciphers which are generated in advance, and sending the target data key ciphertext and the target data key plaintext data pair to the key management system client.
13. The key management method according to claim 12, wherein after transmitting a create data key request to a master key management module of the key management system server, the key management method further comprises:
and generating the target data key ciphertext and the target data key plaintext data pair by using a master key.
14. The key management method of claim 7, wherein the key management request is sent to a master key management module of the key management system when the key management request is a read key or a write key.
15. The key management method of claim 14, wherein when the key management request is a read key, after sending the key management request to a master key management module of the key management system, the key management method further comprises:
And acquiring master key information, and returning the master key information to the key management system client.
16. The key management method of claim 14, wherein when the key management request is a write key, after sending the key management request to a master key management module of the key management system, the key management method further comprises:
acquiring writing information included in a writing key request, and modifying master key information according to the writing information to obtain updated master key information;
and returning the updated master key information to the key management system client.
17. The key management method according to claim 1, wherein the key management method further comprises:
dividing a root key stored in a key management system server into a plurality of fragments, and storing the fragments on different machines of different clusters;
and acquiring a preset fragmentation threshold, and when the fragmentation number of the owned root key is not smaller than the fragmentation threshold, analyzing the root key according to the fragments of the owned root key.
18. A key management device, which is applied to a key management system, wherein the key management system comprises a key management system client and a key management system server, and the device comprises:
The key request receiving module is used for receiving a key management request by the key management system client, carrying out first key management according to the key management request, and obtaining a first result or sending the key management request to the key management system server;
and the key request processing module is used for carrying out authority verification on the key management request by the key management system server side, and carrying out second key management when verification passes, so as to obtain a second result.
19. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processing unit, implements the key management method of any of claims 1-17.
20. An electronic device, comprising:
a processing unit; and
a storage unit configured to store executable instructions of the processing unit;
wherein the processing unit is configured to perform the key management method of any one of claims 1-17 via execution of the executable instructions.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310266555.XA CN116232589A (en) | 2023-03-13 | 2023-03-13 | Key management method and device, computer readable storage medium and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310266555.XA CN116232589A (en) | 2023-03-13 | 2023-03-13 | Key management method and device, computer readable storage medium and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116232589A true CN116232589A (en) | 2023-06-06 |
Family
ID=86589114
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310266555.XA Pending CN116232589A (en) | 2023-03-13 | 2023-03-13 | Key management method and device, computer readable storage medium and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116232589A (en) |
-
2023
- 2023-03-13 CN CN202310266555.XA patent/CN116232589A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10402578B2 (en) | Management of encrypted data storage | |
| US9135464B2 (en) | Secure storage system for distributed data | |
| CN111737366B (en) | Private data processing method, device, equipment and storage medium of block chain | |
| WO2017020452A1 (en) | Authentication method and authentication system | |
| US9020149B1 (en) | Protected storage for cryptographic materials | |
| JP2019522412A (en) | Registration / authorization method, apparatus and system | |
| US20120254622A1 (en) | Secure Access to Electronic Devices | |
| CN109450633B (en) | Information encryption transmission method and device, electronic equipment and storage medium | |
| JP2016513840A (en) | Method, server, host, and system for protecting data security | |
| CN110177099B (en) | Data exchange method, transmitting terminal and medium based on asymmetric encryption technology | |
| CN110611657A (en) | File stream processing method, device and system based on block chain | |
| KR101648364B1 (en) | Method for improving encryption/decryption speed by complexly applying for symmetric key encryption and asymmetric key double encryption | |
| CN110445840B (en) | File storage and reading method based on block chain technology | |
| CN110708291B (en) | Data authorization access method, device, medium and electronic equipment in distributed network | |
| CN109379345B (en) | Sensitive information transmission method and system | |
| CN111193755B (en) | Data access method, data encryption method and data encryption and access system | |
| US11888997B1 (en) | Certificate manager | |
| KR101836211B1 (en) | Electronic device authentication manager device | |
| CN113886793A (en) | Device login method, device, electronic device, system and storage medium | |
| US20100005311A1 (en) | Electronic-data authentication method, Elctronic-data authentication program, and electronic-data, authentication system | |
| JP2006279269A (en) | Information management device, information management system, network system, user terminal, and their programs | |
| US10621319B2 (en) | Digital certificate containing multimedia content | |
| WO2023005704A1 (en) | Sensitive data encryption | |
| CN110602075A (en) | File stream processing method, device and system for encryption access control | |
| CN111831978A (en) | Method and device for protecting configuration file |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |