CN116614236A

CN116614236A - Key management method, device, equipment and storage medium

Info

Publication number: CN116614236A
Application number: CN202310657907.4A
Authority: CN
Inventors: 王立刚
Original assignee: China United Network Communications Group Co Ltd; Unicom Digital Technology Co Ltd
Current assignee: China United Network Communications Group Co Ltd; Unicom Digital Technology Co Ltd
Priority date: 2023-06-05
Filing date: 2023-06-05
Publication date: 2023-08-18

Abstract

In the application, an execution node in a computing node in a multipartite secure computing network splits a key input by a user into a plurality of subkeys in a key generation period, and maps the subkeys into matrix vectors according to a mapping relation; the execution node obtains the position of a matrix element corresponding to the subkey in the key according to the position of the subkey in the user input key, generates a position matrix vector, and obtains a key matrix vector through the position matrix vector and the matrix vector; finally, the execution node converts the position matrix vector into a preset sequence and returns the preset sequence to the user, the key matrix is split into N key fragments through a threshold secret sharing algorithm, the N key fragments are sent to N computing nodes, the N computing nodes store the key fragments in a chain mode, trusted storage is achieved, the key is recovered through T computing nodes in the N computing nodes, a decentralised key management scheme is achieved, and the expandability, reliability, maintainability and privacy of key management are improved.

Description

Key management method, device, equipment and storage medium

Technical Field

The present application relates to the field of communications technologies, and in particular, to a key management method, device, apparatus, and storage medium.

Background

The security of the secret key is the basis for ensuring the security of the cryptographic algorithm. The key management in the information system involves links such as generation, storage, import and export, distribution, use, backup and restoration, archiving, destruction, etc. in the life cycle, in this series of processes, potential safety hazards exist to threaten the key security of the system.

Current key management schemes include a centralized key management scheme and a distributed key management scheme. The centralized key management scheme is to use a "key management center" in the network to uniformly manage keys in the system, and the "key management center" receives a request of a user in the system and provides a service of securely distributing keys for the user. The distributed key management scheme is that the communication party negotiates by itself to complete the sharing process of the session key, and is not limited by any other aspect.

However, the centralized key management scheme is too dependent on a key management center, once the key management center is paralyzed, the whole key management communication is easy to crash, meanwhile, the key is stored in a centralized manner, the risk of password leakage is high, and the reliability of key management is reduced. In the distributed key management scheme, two parties needing to secret communication achieve a process of sharing a key through communication of a public channel, the scheme is easy to be influenced by discrete logarithm attack and man-in-the-middle attack, although the attack can be avoided by adding a digital signature technology, the communication party stores the key by itself so that the key is easy to be lost accidentally or maliciously, and meanwhile, the key is at risk of being stolen.

Disclosure of Invention

The application provides a key management method, a device, equipment and a storage medium, which are used for solving the problems that in the prior art, the key management center is excessively depended, and two parties needing secret communication achieve a shared key through public channel communication, so that the risk of password leakage is large, and the reliability of key management is reduced.

In one aspect, the present application provides a key management method, which is applied to a key management system, where the system includes a CA node, a plurality of computing nodes communicatively connected to the CA node, and a blockchain communicatively connected to the plurality of computing nodes, and the method includes:

the execution node obtains a key input by a user and converts the key into a matrix vector; wherein the executing node is a node of the plurality of computing nodes;

the execution node obtains a position matrix vector according to the corresponding positions of the elements in the matrix vector in the secret key, and obtains the secret key matrix vector according to the position matrix vector and the matrix vector;

the execution node splits the key matrix vector into N different key fragments through a threshold secret sharing algorithm, distributes the N key fragments to N computing nodes so that the N computing nodes can perform trusted storage or store the N key fragments through the blockchain, wherein each computing node distributes one key fragment, the key fragments distributed by different computing nodes are different, and any T key fragments can recover the key matrix vector, and the T is smaller than N;

And the execution node converts the position matrix vector into a preset sequence and returns the preset sequence to the user.

Optionally, after the performing node converts the position matrix vector into a preset sequence and returns the preset sequence to the user, the method further includes:

the executing node selects T computing nodes for decryption from N computing nodes, and the executing node is a node in the T computing nodes;

the execution node acquires T key fragments from the T calculation nodes, and recovers a key matrix vector according to the T key fragments;

the execution node obtains the position matrix vector according to the preset sequence input by the user;

the execution node obtains a new matrix vector according to the position matrix vector and the key matrix vector;

and the execution node obtains the key input by the user according to the new matrix vector.

Optionally, after the executing node obtains the key input by the user according to the new matrix vector, the method includes:

the executing node encrypts the user key through the symmetric key or the asymmetric key and sends the encrypted user key to other key management devices.

the executing node acquires a preset sequence input by a user through a verification login system;

the execution node obtains the position matrix vector according to the preset sequence;

and the execution node obtains a new secret key according to the new matrix vector, verifies the new secret key, and successfully logs in after verification.

Optionally, the performing node converts the key into a matrix vector, including:

the execution node processes the secret key to obtain a plurality of sub secret keys;

the execution node converts the plurality of sub-keys into matrix vectors according to a preset mapping relationship, wherein the preset mapping relationship is used for mapping the sub-keys into elements in the matrix vectors.

Optionally, the executing node obtains a position matrix vector according to the corresponding positions of the elements in the matrix vector in the secret key, including:

The execution node obtains the corresponding position of the element corresponding to each sub-secret key in the secret key according to the position of each sub-secret key in the secret key;

and obtaining a position matrix vector according to the corresponding position.

In a second aspect, the present application provides a key management apparatus, wherein the apparatus is applied to a key management system, the system including a CA node, a plurality of computing nodes communicatively connected to the CA node, and a blockchain communicatively connected to the plurality of computing nodes, the apparatus comprising:

the acquisition module is used for acquiring a secret key input by a user and converting the secret key into a matrix vector; wherein the executing node is a node of the plurality of computing nodes;

the conversion module is used for obtaining a position matrix vector according to the corresponding positions of the elements in the matrix vector in the secret key, and obtaining the secret key matrix vector according to the position matrix vector and the matrix vector;

the splitting module is used for splitting the key matrix vector into N different key fragments through a threshold secret sharing algorithm, distributing the N key fragments to N computing nodes so as to enable the N computing nodes to perform trusted storage or store through the blockchain, wherein each computing node distributes one key fragment, the key fragments distributed by different computing nodes are different, and any T key fragments can restore the key matrix vector, and the T is smaller than N;

And the return module is used for converting the position matrix vector into a preset sequence and returning the preset sequence to the user.

Optionally, the apparatus further includes: a selection module;

the selecting module is used for selecting T computing nodes for decryption from N computing nodes, and the executing node is a node in the T computing nodes;

the obtaining module is further configured to obtain T key segments from the T computing nodes, and recover a key matrix vector according to the T key segments;

the acquisition module is further used for acquiring the position matrix vector according to the preset sequence input by the user;

the conversion module is further configured to obtain a new matrix vector according to the position matrix vector and the key matrix vector;

the conversion module is further configured to obtain a key input by the user according to the new matrix vector.

Optionally, the apparatus further includes: an encryption module;

the encryption module is used for encrypting the user key through the symmetric key or the asymmetric key and sending the encrypted user key to other key management devices.

Optionally, the apparatus further includes: a transmitting module;

the encryption module is further configured to encrypt the user key with a symmetric key or an asymmetric key, and the sending module is configured to send the encrypted user key to other key management devices.

The acquisition module is also used for acquiring a preset sequence input by a user through verification of the login system; acquiring the position matrix vector according to the preset sequence;

the obtaining module is further configured to obtain T key segments from the T computing nodes;

the conversion module is further configured to recover a key matrix vector according to the T key fragments;

the conversion module is further configured to obtain a new secret key according to the new matrix vector;

and the return module is also used for verifying the new secret key, and after the verification is passed, the login is successful.

Optionally, the splitting module is further configured to process the secret key to obtain a plurality of subsecret keys;

the conversion module is further configured to convert the plurality of subkeys into matrix vectors according to a preset mapping relationship, where the preset mapping relationship is used to map the subkeys into elements in the matrix vectors.

Optionally, the obtaining module is further configured to obtain, according to a position of each subkey in the key, a corresponding position of an element corresponding to the subkey in the key; and obtaining a position matrix vector according to the corresponding position.

In a third aspect, the present application provides a key management system, wherein the system includes a CA node, a plurality of computing nodes communicatively coupled to the CA node, and a blockchain communicatively coupled to the plurality of computing nodes, wherein the CA node forms a supervisory network and the computer nodes form a multiparty secure computing network; the blockchain nodes form a blockchain network.

An execution node in a multiparty secure computing network in a system for executing a method according to any of claims 1 to 6; the executing node is a node in the plurality of computing nodes;

the computing node is used for receiving the key fragments distributed by the executing node and storing the key fragments in a trusted way or through the blockchain;

each computing node distributes a key fragment, the key fragments distributed by different computing nodes are different, and any T key fragments can restore the key matrix vector, wherein T is smaller than N.

The CA node provides identity certificates for each node in the multiparty secure computing network and the blockchain network, and the legality of the node is proved. The blockchain network is used for realizing the trusted storage of the secret key, namely, a computing node in the multiparty secure computing network encrypts the secret key fragments stored by the computing node to carry out uplink certification. The multiparty secure computing network is used for executing specific operation of key management, and guaranteeing security and credibility of the whole life cycle of the key. The supervision organization network, the multiparty secure computing network and the blockchain network are interconnected and communicated to cooperatively realize the key management of the key full life cycle.

In a fourth aspect, the present application provides a key management apparatus comprising:

a memory;

a processor;

wherein the memory stores computer-executable instructions;

the processor executes computer-executable instructions stored in the memory to implement the key management method as described in the first aspect and various possible implementations of the first aspect.

In a fifth aspect, the present application provides a computer storage medium having stored thereon computer-executable instructions that are executed by a processor to implement the key management method as described in the first aspect and the various possible implementations of the first aspect.

The key management method provided by the application comprises the steps that an execution node splits a key input by a user into a plurality of sub-keys in a key generation period, and the sub-keys are mapped into matrix vectors according to a mapping relation; then, the execution node obtains the position of the matrix element corresponding to the subkey in the secret key according to the position of the subkey in the secret key input by the user, generates a position matrix vector, and obtains the secret key matrix vector through the position matrix vector and the matrix vector mapped by the subkey; and finally, the execution node converts the position matrix vector into a preset sequence and returns the preset sequence to the user, meanwhile, the key matrix is split into N key fragments through a threshold secret sharing algorithm, the N key fragments are sent to N computing nodes, and the N computing nodes are used for uploading and storing the fragments to realize trusted storage. The method provides a method for converting a user secret key into a position matrix vector and a secret key matrix vector, and stores each secret key fragment into a trusted storage in a multiparty secure computing network in a secret sharing mode by using the secret key matrix vector. The block chain trusted storage only stores the key fragments encrypted by the computing nodes, and other nodes can only see the encryption information, so that the key management method ensures the security and the reliability of the key in the whole life cycle, and the user can clearly determine the ownership of the key by holding the position matrix vector, thereby realizing the integrated management of security, elasticity, flexibility and diversity. The execution computing node sends N secret keys to N computing nodes through a threshold secret sharing algorithm, and the N computing nodes jointly store secret key fragments.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.

Fig. 1 is a schematic diagram of a key life cycle of a key management method according to the present application.

Fig. 2 is a schematic diagram of a scenario of a key management method according to the present application.

Fig. 3 is a flowchart of a key management method according to the present application.

Fig. 4 is a flowchart of a key management method according to the present application.

Fig. 5 is a flowchart III of a key management method according to the present application.

Fig. 6 is a flowchart of a key management method according to the present application.

Fig. 7 is a schematic structural diagram of a key management device according to the present application.

Fig. 8 is a schematic structural diagram of a key management device according to the present application.

Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but rather to illustrate the inventive concepts to those skilled in the art by reference to the specific embodiments.

Detailed Description

For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.

The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented, for example, in sequences other than those illustrated or otherwise described herein.

In embodiments of the application, words such as "exemplary" or "such as" are used to mean examples, illustrations, or descriptions. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.

First, the terms related to the present application will be explained.

Secret key: the key refers to secret information used to complete cryptographic applications such as encryption, decryption, integrity verification, etc. In symmetric cryptography, the same key is used for encryption and decryption, and thus the key needs to be kept secret. In public key cryptography, keys for encryption and decryption are different; typically one is public, known as a public key; the other secret, called the private key.

Symmetric encryption and asymmetric encryption: the symmetric encryption adopts an encryption method of a single-key cryptosystem, and the same key can be used for encryption and decryption of information at the same time. The asymmetric encryption adopts a corresponding unique secret key, namely an encryption method consisting of a public secret key and a private secret key. In public key cryptography, the private key is not disclosed, and the public key is disclosed.

Key management: keys, i.e., keys, generally refer to various encryption techniques applied to production and life, and can effectively manage personal data and enterprise secrets, and key management refers to the act of managing keys. The key management runs through each stage from the key generation to the key destruction, and is mainly expressed in the links of managing the key system, the protocol, the key generation, the distribution, the replacement, the injection and the like.

CA node: the CA node is a certificate issuing node (Certificate Authority) of a fabric network, which is a blockchain network with rights management. The CA node provides the digital certificate-based identity information to the members in the fabric network, and can generate or cancel the member's identity certificate, all operations on the blockchain network require verification of the user's identity.

Blockchain: a blockchain is a chain of blocks. Corresponding information is stored in each block, and the blocks are connected into a chain according to the time sequence generated by each block. The blockchain is stored in all servers, and the entire blockchain is secure as long as there are servers in the overall system that are working properly. Servers in a blockchain are called nodes, and each server node provides storage space and computational power support for the entire blockchain system.

Key security in network applications requires different kinds of keys to play different roles in a security system, for example, a session key is used to encrypt data information of communication, and a key encryption key is used to encrypt and protect the session key.

Symmetric encryption and asymmetric keys can be classified according to key systems. The key actions can be classified into session keys, key encryption keys and master keys. Session keys refer to keys used to encrypt user data during communication or data exchange; the key encryption key refers to a key used for performing an encryption operation on a key (session key), that is, a session key used for encrypting user data; the master key is a secret key that is shared for a long period of time between a pair of users, often as a seed for generating session keys and key encryption keys, enabling distribution and security of these keys. The security of the secret key is the basis for ensuring the security of the cryptographic algorithm.

Key management in an information system throughout the whole life cycle of a key, fig. 1 is a schematic key life cycle diagram of the key management method provided by the present application, and according to GM/T-0054-2018, basic requirements for cryptographic applications of an information system, key management in an information system involves links such as generation, storage, import and export, distribution, use, backup and restoration, archiving, and destruction in the life cycle, where in the series of processes, there is a hidden danger threatening the security of the key of the system.

Current key management schemes include a centralized key management scheme and a distributed key management scheme. The centralized key management scheme manages each communication node through a key management center in the network, and the key management center can also serve as a trusted third party. Centralized key management imparts high frequency, complexity to the task of the key management center. The distributed key management scheme is that the communication party negotiates by itself to complete the sharing process of the session key, and is not limited by any other aspect.

However, paralysis of the key management center in the centralized key management scheme easily causes breakdown of the whole key management communication, reduces the reliability of key management, and increases potential safety hazards; meanwhile, as the network scale is enlarged, the maintenance and updating costs of the key management center become high, and disputes on copyright problems of shared resources are easily caused by the existence of the key management center; while this approach has certain advantages in management and control for small key management networks, it is not suitable for large key management applications in view of its various drawbacks. In the distributed key management scheme, two parties needing to secret communication achieve a process of sharing a key through communication of a public channel, the scheme is easy to be influenced by discrete logarithm attack and man-in-the-middle attack, although the attack can be avoided by adding a digital signature technology, the communication party stores the key by itself so that the key is easy to be lost accidentally or maliciously, and meanwhile, the key is at risk of being stolen.

Aiming at the problems existing in the prior art, the application provides a key management method, which has three basic characteristics: the key is safe and reliable in the whole life cycle, and the user has the capability of autonomously controlling the key and supporting the distributed cooperative management of all parties. According to the scheme, the cooperative management, cooperative generation, cooperative storage and cooperative supervision of each service module are formed according to the criterion of intercommunication cooperation among each communication service module, so that the integrated key management with safety, elasticity, flexibility and diversity is realized.

Fig. 2 is a schematic diagram of a scenario of a key management method according to the present application. As shown in fig. 2, the scenario includes a CA node, a plurality of computing nodes communicatively coupled to the CA node, and a blockchain communicatively coupled to the plurality of computing nodes; the CA nodes form a supervision mechanism network, and the computer nodes form a multiparty safety computing network; the blockchain nodes form a blockchain network. The CA node provides identity certificates for each node in the multiparty secure computing network and the blockchain network, and the legality of the node is proved. The blockchain network is used for realizing the trusted storage of the secret key, namely, a computing node in the multiparty secure computing network encrypts the secret key fragments stored by the computing node to carry out uplink certification. The multiparty secure computing network is used for executing specific operation of key management, and guaranteeing security and credibility of the whole life cycle of the key. The supervision organization network, the multiparty secure computing network and the blockchain network are interconnected and communicated to cooperatively realize the key management of the key full life cycle.

In the application, an execution node in a computing node in a multipartite secure computing network splits a key input by a user into a plurality of subkeys in a key generation period, and maps the subkeys into matrix vectors according to a mapping relation; then, the execution node obtains the position of the matrix element corresponding to the subkey in the secret key according to the position of the subkey in the secret key input by the user, generates a position matrix vector, and obtains the secret key matrix vector through the position matrix vector and the matrix vector; and finally, the execution node converts the position matrix vector into a preset sequence and returns the preset sequence to the user, meanwhile, the key matrix is split into N key fragments through a threshold secret sharing algorithm, the N key fragments are sent to N computing nodes, the N computing nodes upload the key fragments to store the certificate, so that the trusted storage is realized, the key can be recovered through T computing nodes in the N computing nodes, the decentralised key management scheme is realized, and the expandability, the reliability, the maintainability and the privacy of the key management are improved.

The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.

Fig. 3 is a flowchart of a key management method according to the present application. The embodiment is applied to a key management system, wherein the system comprises a CA node, a plurality of computing nodes in communication connection with the CA node, and a blockchain in communication connection with the plurality of computing nodes. As shown in fig. 3, the key management method shown in this embodiment includes:

s101: the execution node obtains a key input by a user and converts the key into a matrix vector; wherein the executing node is a node of the plurality of computing nodes.

The key form input by the user is word or Chinese character sequence easy to understand by the user, the computer system converts the word or Chinese character sequence into binary character strings easy to read and write by a machine, namely, the key form of the user obtained by the execution node is the binary character string converted by the computer system. It can be understood that the binary string has many conversion forms in the computer system, for example, the binary string is split according to different bits, the split sub-strings can represent different decimal numbers, the key management system can preset a mapping table according to different mapping modes, and the mapping table stores the sub-string converted forms, i.e. the elements in the matrix vector, and the mapping mode is not limited by the scheme. And after all the substrings in the binary character string are mapped, obtaining the matrix vector.

The executing nodes are nodes in the plurality of computing nodes, and the number of the executing nodes and the total number of the computing nodes can be the same or different; the function of the executing node can be understood as a primary operation node in key management, so as to complete various operations in key management.

S102: the execution node obtains a position matrix vector according to the corresponding positions of the elements in the matrix vector in the secret key, and obtains the secret key matrix vector according to the position matrix vector and the matrix vector.

The execution node can acquire binary substrings corresponding to elements in the matrix vector through the mapping table; it can be understood that, because the substring is obtained by converting the key input by the user into the binary string by splitting the binary string by the execution node, the substring has a corresponding position in the complete string, that is, the matrix element mapped with the substring has a corresponding position in the key, the execution node can obtain a position matrix vector according to the corresponding position, and the position matrix vector needs to satisfy the condition of matrix inversion operation, that is, the position matrix vector should be an invertible matrix vector, so as to satisfy the condition that the key matrix vector is obtained by the position matrix vector and the matrix vector in the subsequent step.

It may be understood that each element in the position matrix vector represents a corresponding position of each element in the matrix vector in the key, where the corresponding position may be, for example, a position number obtained according to a calculation sequence from high to low before splitting a binary substring mapped by each element in the matrix vector, or a position number obtained according to a calculation sequence from low to high, where the obtaining manner of the corresponding position is not limited by this scheme, and the position number is an integer.

The method for obtaining the key matrix vector according to the position matrix vector and the matrix vector may be, for example, obtaining the key matrix vector by multiplying the inverse matrix of the position matrix vector by the matrix vector according to a matrix algorithm; or the key matrix vector can be obtained by right multiplying the inverse matrix of the position matrix vector by the matrix vector, and the method for obtaining the key matrix vector is not limited in the scheme.

S103: the execution node splits the key matrix vector into N different key fragments through a threshold secret sharing algorithm, distributes the N key fragments to N computing nodes so that the N computing nodes can perform trusted storage or store the key fragments through the blockchain, wherein each computing node distributes one key fragment, the key fragments distributed by different computing nodes are different, and any T key fragments can recover the key matrix vector, and T is smaller than N.

The execution node splits the key matrix vector into N different key fragments through a threshold secret sharing algorithm, wherein the number of the key fragments is the same as or different from the total number of computing nodes in the multiparty secure computing network. It can be understood that the execution node sends N key fragments to N computing nodes, and the key fragments distributed by different computing nodes are different. In order to ensure the security of the key, the N computing nodes need to store the key fragments stored in the N computing nodes in a trusted manner or store the key fragments through a blockchain, and the storage process may be, for example, that the computing nodes encrypt the key fragments stored in the computing nodes by using a public key, and store the encrypted key fragments on the blockchain.

S104: and the execution node converts the position matrix vector into a preset sequence and returns the preset sequence to the user.

The preset sequence is a word or Chinese character sequence which corresponds to each element in the position matrix and is easy to understand by a user, and the generation mode of the preset sequence can be, for example, conversion of the elements in the position matrix into ASCII codes or Chinese character codes which are the same as the number of the positions represented by the elements.

It may be appreciated that, in order to further ensure the security of the user key, the executing node may encrypt the preset sequence by using a symmetric encryption or an asymmetric encryption method, that is, the preset sequence returned to the user may be an encrypted ciphertext sequence.

According to the key management method provided by the embodiment, the key input by the user is acquired through the execution node, and the key is converted into the matrix vector according to the preset mapping relation. The elements in the matrix vector have corresponding mapping positions in the secret key, the execution node generates a position matrix vector according to the positions, and the secret key matrix vector is obtained through the position matrix vector and the matrix vector. And finally, the execution node converts the position matrix vector into a preset sequence and returns the preset sequence to the user, the key matrix is split into fragments through a threshold secret sharing algorithm and is sent to the calculation node, and the calculation node links the fragments to the chain for verification. The method realizes the collaborative generation and collaborative storage of the secret keys in the secret key management, ensures the secret key security in the secret key life cycle, and stores the secret keys in a trusted way.

Fig. 4 is a flowchart of a key management method according to an embodiment of the present application. This embodiment is a detailed description of the key management method in the key generation period and the key storage period based on the embodiment of fig. 2. As shown in fig. 4, the key management method shown in this embodiment includes:

S201: the execution node obtains a key input by a user, and processes the key to obtain a plurality of sub-keys.

The key form input by the user is word or Chinese character sequence which is easy to understand by the user, and the word or Chinese character sequence is converted into binary character strings by using binary storage and processing data in the computer system, namely the key form of the user acquired by the execution node is the binary character strings. It will be appreciated that binary strings have many forms of conversion in computer systems, for example, splitting a binary string into different bits, and the split substrings may represent different decimal numbers. The split substring is the substring key.

S202: the execution node converts the plurality of sub-keys into matrix vectors according to a preset mapping relation, wherein the preset mapping relation is used for mapping the sub-keys into elements in the matrix vectors.

The binary character string has a plurality of conversion forms in the computer system, the mapping relation between the binary sub-string and the conversion element thereof, namely the mapping relation between the sub-key and the corresponding element thereof, can be obtained according to different conversion forms, and the set of all the sub-key preset relations forms a preset mapping table. And after all the sub-keys are mapped according to a preset mapping table, obtaining the matrix vector.

S203: and the execution node acquires the corresponding position of the element corresponding to each sub-secret key in the secret key according to the position of each sub-secret key in the secret key, and the execution node acquires a position matrix vector according to the corresponding position.

The execution node can acquire binary substrings corresponding to elements in the matrix vector, namely sub-secret keys, through the mapping table; it can be understood that, since the subkey is obtained by converting the key input by the user into the binary string by splitting the binary string by the execution node, the subkey has a corresponding position in the complete string, that is, the matrix element mapped with the subkey has a corresponding position in the key, and the execution node may obtain the position matrix vector according to the corresponding position, where the position matrix vector needs to satisfy the condition of matrix inversion operation, that is, the position matrix vector should be a reversible matrix vector, so as to satisfy the condition that the key matrix vector is obtained by the position matrix vector and the matrix vector in the subsequent step.

S204: and the execution node obtains a key matrix vector according to the position matrix vector and the matrix vector.

The method for obtaining the key matrix vector according to the position matrix vector and the matrix vector may be, for example, obtaining the key matrix vector by multiplying the inverse matrix of the position matrix vector by the matrix vector according to a matrix algorithm; or the key matrix vector is obtained by right multiplying the inverse matrix of the position matrix vector by the matrix vector, the method for obtaining the key matrix vector is not limited, and the key matrix vector is split into key fragments in the subsequent steps and then stored in a uplink manner.

S205: the execution node splits the key matrix vector into N different key fragments through a threshold secret sharing algorithm, distributes the N key fragments to N computing nodes so that the N computing nodes can perform trusted storage or store the key fragments through the blockchain, wherein each computing node distributes one key fragment, the key fragments distributed by different computing nodes are different, and any T key fragments can recover the key matrix vector, and the T is smaller than the N.

The execution node splits the key matrix vector into N different key fragments through a threshold secret sharing algorithm, wherein the number of the key fragments is the same as or different from the total number of computing nodes in the multiparty secure computing network. The splitting manner may be, for example, to split the key matrix vector into matrices with the same or different rows and columns at random, where the rows and columns of the matrix are smaller than the rows and columns of the key matrix vector, and the splitting manner is not limited in this scheme.

It can be understood that the execution node sends N key fragments to N computing nodes, and the key fragments distributed by different computing nodes are different. In order to ensure the security of the key, the N computing nodes need to store the key fragments stored in the N computing nodes in a trusted manner or store the key fragments through a blockchain, and the storage process may be, for example, that the computing nodes encrypt the key fragments stored in the computing nodes by using a public key, and store the encrypted key fragments on the blockchain.

S206: and the execution node converts the position matrix vector into a preset sequence and returns the preset sequence to the user.

The preset sequence is a word or Chinese character sequence which corresponds to each element in the position matrix and is easy to understand by a user, and in order to further ensure the security of a user key, the execution node can encrypt the preset sequence by using a symmetric encryption or asymmetric encryption method, namely, the preset sequence returned to the user can be an encrypted ciphertext sequence.

According to the key management method provided by the embodiment, the key input by the user is split into a plurality of sub-keys in the key generation period through the execution node, and the sub-keys are mapped into matrix vectors according to the mapping relation; then, the execution node obtains the position of the matrix element corresponding to the subkey in the secret key according to the position of the subkey in the secret key input by the user, generates a position matrix vector, and obtains the secret key matrix vector through the position matrix vector and the matrix vector mapped by the subkey; and finally, the execution node converts the position matrix vector into a preset sequence and returns the preset sequence to the user, meanwhile, the key matrix is split into N key fragments through a threshold secret sharing algorithm, the N key fragments are sent to N computing nodes, and the N computing nodes are used for uploading and storing the fragments to realize trusted storage. The method provides a method for converting a user secret key into a position matrix vector and a secret key matrix vector, and stores each secret key fragment into a trusted storage in a multiparty secure computing network in a secret sharing mode by using the secret key matrix vector. The block chain trusted storage only stores the key fragments encrypted by the computing nodes, and other nodes can only see the encryption information, so that the key management method ensures the security and the reliability of the key in the whole life cycle, and the user can clearly determine the ownership of the key by holding the position matrix vector, thereby realizing the integrated management of security, elasticity, flexibility and diversity. The execution computing node sends N secret keys to N computing nodes through a threshold secret sharing algorithm, and the N computing nodes jointly store secret key fragments.

Fig. 5 is a flowchart III of a key management method according to an embodiment of the present application. This embodiment is a detailed description of the key management method during the key derivation period based on the embodiment of fig. 3 or 4. As shown in fig. 5, the key management method shown in this embodiment includes:

s301: the executing node selects T computing nodes for decryption from N computing nodes, and the executing node is a node in the T computing nodes.

According to the threshold secret sharing algorithm, when the restoration secret key needs to be decrypted, any T computing nodes in the N computing nodes cooperate to restore the secret key, and when the number of the computing nodes for restoring the secret key is smaller than T, restoration is impossible, and the T is smaller than N.

S302: and the execution node acquires T key fragments from the T computing nodes and recovers the key matrix vector according to the T key fragments.

The trusted storage of the T computing nodes stores encrypted key fragments, and the T computing nodes need to decrypt the key fragments stored in the T computing nodes, i.e. the T key fragments obtained by the executing node from the T computing nodes are decrypted key fragments. And the execution node can recover the key matrix vector before splitting from the T key fragments according to the threshold secret sharing algorithm, namely, the execution node recovers the key matrix vector according to the T key fragments.

S303: and the execution node acquires the position matrix vector according to the preset sequence input by the user.

The preset sequence is a word or Chinese character sequence which corresponds to each element in the position matrix and is easy to understand by a user, and the execution node can acquire the position matrix vector through the preset sequence input by the user according to the corresponding relation. And if the execution node encrypts the preset sequence input by the user by using symmetric encryption or asymmetric encryption in the key generation period, decrypting the preset sequence input by the user, and acquiring a position matrix through the decrypted sequence according to the corresponding relation.

S304: and the execution node obtains a new matrix vector according to the position matrix vector and the key matrix vector.

The new matrix vector may be obtained by multiplying the position matrix vector by the key matrix vector, or by multiplying the position matrix vector by the key matrix vector. And the vector multiplication rule is required to be in line with the matrix multiplication logic of the step of obtaining the key matrix vector through the matrix vector and the position matrix vector when the key generation period is met.

S305: and the execution node obtains the key input by the user according to the new matrix vector.

Wherein each element in the new matrix vector corresponds to a binary character substring having a mapping relationship therewith. The binary character sub-string is obtained by splitting a binary character string converted from a key input by a user in a computer system.

It may be appreciated that the step of the executing node obtaining the key input by the user according to the new matrix vector includes: the execution node obtains binary character sub-strings with mapping relation with the elements in the matrix, further obtains binary character strings converted by the key input by the user in the computer system, and finally converts the binary character strings into words or Chinese character sequences, and finally obtains the key input by the user.

Optionally, after the executing node obtains the key input by the user according to the new matrix vector, the key may be shared between different key management devices, that is, the key may be distributed to different key management devices, where the process is a key distribution period in a key management full life cycle, and includes:

the executing node encrypts the user key through the symmetric key or the asymmetric key and sends the encrypted user key to other key management devices. And the key is encrypted and sent in the key distribution period, so that the key security in the key distribution period is ensured.

According to the key management method provided by the embodiment, an executing node obtains T key fragments from the T computing nodes through a threshold secret sharing algorithm, and according to the T key fragments, a key matrix vector is recovered, then a position matrix vector is obtained according to a preset sequence input by a user, and finally a new matrix vector is obtained according to the position matrix vector and the key matrix vector to obtain the key input by the user. After the key input by the user is obtained, the key is encrypted and sent to other key management devices for sharing. The method leads the secret key not to be exported to the outside of the secret key management device through plaintext, and ensures the secret key security of the secret key export period and the secret key distribution period in the secret key life cycle.

Fig. 6 is a flowchart of a key management method according to an embodiment of the present application. This embodiment is a detailed description of the key management method during the key usage period based on the embodiment of fig. 3 or 4. As shown in fig. 6, the key management method shown in this embodiment includes:

s401: the executing node acquires a preset sequence input by a user through the verification login system.

The authentication login system is a third party system, and a user inputs a preset sequence to log in the third party system to use a secret key.

S402: and the execution node acquires the position matrix vector according to the preset sequence.

Step S402 is the same as step S303, and will not be described herein.

S403: and the execution node acquires T key fragments from the T calculation nodes and recovers the key matrix vector according to the T key fragments.

Step S403 is the same as step S302, and will not be described herein.

S404: and the execution node obtains a new matrix vector according to the position matrix vector and the key matrix vector.

Step S404 is the same as step S304, and will not be described here.

S405: and the execution node obtains a new secret key according to the new matrix vector, verifies the new secret key, and successfully logs in after verification.

The executing node obtains a new key according to the new matrix vector, and the step is the same as S305, which is not described herein.

The reason for the verification failure may be, for example, that the key has been used by other key management systems, i.e. that the key has been used for a different purpose. It will be appreciated that using one key for a different purpose may reduce the security of the key; the requirements of keys with different purposes on the keys are different; limiting the use of the key reduces the possible damage to the key when it is compromised, thus failing authentication in this case.

According to the key management method provided by the embodiment, the execution node acquires a preset sequence input by a user through the verification login system, and acquires a position matrix vector; and the executing node recovers the key matrix vector from the computing node through a threshold secret sharing algorithm, obtains a new matrix vector according to the position matrix vector and the key matrix vector, converts the new matrix vector into a new key, and finally, the executing node verifies the new key and returns a verification login system result. The key is typically only used within an approved key management device. The method ensures the safety of the key service period in the key life period, and reduces the possible damage caused by the key leakage.

Fig. 2 is a schematic diagram of a scenario of a key management method provided by the present application, where the schematic diagram of the scenario illustrates a key management system provided by the present application.

The system comprises a CA node, a plurality of computing nodes in communication connection with the CA node, and a blockchain in communication connection with the plurality of computing nodes; the CA nodes form a supervision mechanism network, and the computer nodes form a multiparty safety computing network; the blockchain nodes form a blockchain network. The CA node provides identity certificates for each node in the multiparty secure computing network and the blockchain network, and the legality of the node is proved. The blockchain network is used for realizing the trusted storage of the secret key, namely, a computing node in the multiparty secure computing network encrypts the secret key fragments stored by the computing node to carry out uplink certification. The multiparty secure computing network is used for executing specific operation of key management, and guaranteeing security and credibility of the whole life cycle of the key. The supervision organization network, the multiparty secure computing network and the blockchain network are interconnected and communicated to cooperatively realize the key management of the key full life cycle.

Fig. 7 is a schematic structural diagram of a key management device according to the present application. The apparatus is applied to a key management system, the system including a CA node, a plurality of computing nodes communicatively coupled to the CA node, and a blockchain communicatively coupled to the plurality of computing nodes, the apparatus comprising:

an obtaining module 401, configured to obtain a key input by a user, and convert the key into a matrix vector; wherein the executing node is a node of the plurality of computing nodes;

a conversion module 402, configured to obtain a position matrix vector according to the corresponding positions of the elements in the matrix vector in the key, and obtain a key matrix vector according to the position matrix vector and the matrix vector;

a splitting module 403, configured to split the key matrix vector into N different key slices by using a threshold secret sharing algorithm, and distribute the N key slices to N computing nodes, so that the N computing nodes perform trusted storage or store the key slices by using the blockchain, where each computing node distributes one key slice, the key slices distributed by different computing nodes are different, and any T key slices can restore the key matrix vector, and the T is smaller than N;

And the returning module 404 is configured to convert the position matrix vector into a preset sequence and return the preset sequence to the user.

Optionally, the apparatus further includes: a selection module 405;

the selecting module 405 is configured to select T computing nodes for decryption from N computing nodes, where the executing node is a node in the T computing nodes;

the obtaining module 401 is further configured to obtain T key segments from the T computing nodes, and recover a key matrix vector according to the T key segments;

the obtaining module 401 is further configured to obtain the position matrix vector according to the preset sequence input by the user;

the conversion module 402 is further configured to obtain a new matrix vector according to the location matrix vector and the key matrix vector;

the conversion module 402 is further configured to obtain the key input by the user according to the new matrix vector.

Optionally, the apparatus further includes: an encryption module 406;

the encryption module 406 is configured to encrypt the user key with a symmetric key or an asymmetric key, and send the encrypted user key to other key management devices.

Optionally, the apparatus further includes: a transmission module 407;

The encryption module 406 is further configured to encrypt the user key with a symmetric key or an asymmetric key, and the sending module 407 is configured to send the encrypted user key to other key management devices.

The obtaining module 401 is further configured to obtain a preset sequence input by a user by verifying the login system; acquiring the position matrix vector according to the preset sequence;

the obtaining module 401 is further configured to obtain T key segments from the T computing nodes;

the conversion module 402 is further configured to recover a key matrix vector according to the T key segments;

the conversion module 402 is further configured to obtain a new key according to the new matrix vector;

the return module 404 is further configured to verify the new key, and after the verification is passed, the login is successful.

Optionally, the splitting module 403 is further configured to process the key to obtain a plurality of subkeys;

the conversion module 402 is further configured to convert the plurality of subkeys into matrix vectors according to a preset mapping relationship, where the preset mapping relationship is used to map the subkeys into elements in the matrix vectors.

Optionally, the obtaining module 401 is further configured to obtain, according to a position of each subkey in the key, a corresponding position of an element corresponding to the subkey in the key; and obtaining a position matrix vector according to the corresponding position.

Fig. 8 is a schematic structural diagram of a key management device according to the present application. The key management apparatus includes:

a memory;

a processor;

wherein the memory stores computer-executable instructions;

The application also provides a computer readable storage medium, in which computer executable instructions are stored, which when executed by a processor, implement a key management method as executed by the key management device.

Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.

While the present application has been described with reference to the preferred embodiments shown in the drawings, it will be readily understood by those skilled in the art that the scope of the application is not limited to those specific embodiments, and the above examples are only for illustrating the technical solution of the application, not for limiting it; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application.

Claims

1. A key management method, the method being applied to a key management system, the system comprising a CA node, a plurality of computing nodes communicatively coupled to the CA node, and a blockchain communicatively coupled to the plurality of computing nodes, the method comprising:

2. The method of claim 1, wherein after the performing node converts the position matrix vector into a preset sequence for return to the user, the method further comprises:

3. The method of claim 2, wherein the executing node obtains the key input by the user from the new matrix vector, and wherein the method comprises:

4. The method of claim 1, wherein after the performing node converts the position matrix vector into a preset sequence for return to the user, the method further comprises:

5. The method of claim 1, wherein the performing node converts the key to a matrix vector, comprising:

6. The method of claim 5, wherein the performing node obtains a location matrix vector according to the corresponding locations of the elements in the matrix vector in the key, comprising:

And obtaining a position matrix vector according to the corresponding position.

7. A key management apparatus for use in a key management system, the system comprising a CA node, a plurality of computing nodes in communication with the CA node, and a blockchain in communication with the plurality of computing nodes, the apparatus being a computing node of a plurality of computing nodes, the apparatus comprising:

8. A key management system comprising a CA node, a plurality of computing nodes communicatively coupled to the CA node, and a blockchain communicatively coupled to the plurality of computing nodes, wherein

The execution node being adapted to perform the method of any of claims 1 to 6; the executing node is a node in the plurality of computing nodes;

9. A key management apparatus, comprising: a memory and at least one processor;

wherein the memory stores computer-executable instructions;

the at least one processor executing computer-executable instructions stored in the memory to implement the key management method of any one of claims 1-6.

10. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to implement the key management method of any of claims 1-6.