CN116980118A - Key management method, apparatus, computer program product, device, and storage medium - Google Patents

Key management method, apparatus, computer program product, device, and storage medium Download PDF

Info

Publication number
CN116980118A
CN116980118A CN202310760504.2A CN202310760504A CN116980118A CN 116980118 A CN116980118 A CN 116980118A CN 202310760504 A CN202310760504 A CN 202310760504A CN 116980118 A CN116980118 A CN 116980118A
Authority
CN
China
Prior art keywords
key
key management
certificate
target application
application program
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310760504.2A
Other languages
Chinese (zh)
Inventor
陈志�
廖若晨
贺意武
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN202310760504.2A priority Critical patent/CN116980118A/en
Publication of CN116980118A publication Critical patent/CN116980118A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a key management method, a device, a computer program product, equipment and a storage medium, wherein the related embodiment can be applied to various scenes such as cloud technology, cloud security, session data encryption and the like, and the method comprises the following steps: acquiring configuration information of a key management certificate; creating a corresponding key management certificate for the target application; acquiring a key acquisition request sent by a target application program, and analyzing a custom extension field of a key management certificate to obtain a key value list; the application can control the distribution process of the key by using the configured key management certificate according to different key use environments, ensure that the key is not revealed and improve the safety of data.

Description

Key management method, apparatus, computer program product, device, and storage medium
Technical Field
The present application relates to key management techniques for computer hardware devices, and more particularly, to key management methods, apparatus, computer program products, devices, and storage media.
Background
In the related art, a key management server is a server based on hardware security module support widely used in computing and communication systems, and is used for storing key information required by different applications. The key stored by the key server plays a very important role in the identity authentication, the security storage and the integrity measurement of the computing and communication system, so how to manage the key distribution and the key authorization is an important link for realizing the key management. In the related art, when key management is implemented, the defects of complicated operation and poor security exist, for example, when data exchange is performed between applications (i.e., TEE applications) running in a trusted execution environment (Trusted Execution Environment, TEE), the security of data communication needs to be ensured by means of a key. The TEE applications are online at the same time and remotely verify identities, after the validity of the opposite party is determined, a symmetric key is negotiated, a secure channel is established based on the key to exchange data ciphertext, and the key management is easy to risk key leakage.
Disclosure of Invention
In view of this, embodiments of the present application provide a method, an apparatus, a computer program product, a device, and a storage medium for managing keys, which not only can uniformly manage all keys of a target application, but also can control a distribution process of the keys according to different key usage environments by using a configured key management certificate, so as to ensure that the keys are not revealed, and improve security of data.
The technical scheme of the embodiment of the application is realized as follows:
the embodiment of the application provides a key management method, which comprises the following steps:
responding to a key management certificate creation request, and acquiring configuration information of the key management certificate;
creating a corresponding key management certificate for a target application program according to the configuration information of the key management certificate, wherein the target application program is used for installing the key management certificate;
acquiring a key acquisition request sent by the target application program, wherein the key acquisition request comprises a key identifier of a target key;
responding to the key acquisition request, analyzing the custom extension field of the key management certificate to obtain a key value list;
and carrying out consistency detection on the key value list and the key identification, and if a consistency detection result shows that the key value list comprises a target key corresponding to the key identification, sending the target key to the target application program.
The embodiment of the application also provides a key management device, which comprises:
the information transmission module is used for responding to the key management certificate creation request and acquiring configuration information of the key management certificate;
The certificate configuration module is used for creating a corresponding key management certificate for a target application program according to the configuration information of the key management certificate, and the target application program is used for installing the key management certificate;
the information transmission module is further configured to obtain a key obtaining request sent by the target application program, where the key obtaining request includes a key identifier of the target key;
the information processing module is used for responding to the key acquisition request and analyzing the custom extension field of the key management certificate to obtain a key value list;
the information processing module is further configured to perform consistency detection on the key value list and the key identifier, and if a consistency detection result indicates that the key value list includes a target key corresponding to the key identifier, send the target key to the target application program.
In some embodiments, the key management certificate creation request includes an identification of the target application;
the information transmission module is further used for searching an approval object of the key management certificate in a preset approval object list of the key management certificate according to the identification of the target application program;
The information transmission module is further configured to search a first key list of the key management certificate in a preset key original list according to the identifier of the target application program;
the information transmission module is further used for determining an IP address list matched with the target application program according to the identification of the target application program;
the information transmission module is further configured to determine the approval object, the first key list and the IP address list as configuration information of the key management certificate.
In some embodiments, the certificate configuration module is further configured to determine a type of the key management certificate that matches the target application;
the certificate configuration module is further used for determining a field to be filled of the key management certificate according to the type of the key management certificate;
and the certificate configuration module is further used for filling the approval object of the key management certificate, the first key list and the IP address list into the field to be filled to obtain the key management certificate of the target application program.
In some embodiments, the information processing module is further configured to parse the custom extension field of the key management certificate when the target application is started by the client, to obtain an identity verification manner of the target application;
The information processing module is further used for carrying out identity verification on the target application program according to the identity verification mode to obtain an identity verification result;
the information processing module is further configured to configure first authority information for the key management server when the identity verification result is that the identity verification passes, where the first authority information characterizes that the key management server has authority to communicate with the target application program.
In some embodiments, the information processing module is further configured to establish a communication connection with the target application when the target application is started by the client;
the information processing module is further used for receiving the key management certificate sent by the client by the key management server;
the information processing module is further used for carrying out field analysis on the key management certificate by the key management server to obtain a custom extension field of the key management certificate;
the information processing module is further configured to perform content analysis on the custom extension field of the key management certificate by using the key management server to obtain an approval object and reserved check information of the key management certificate, and determine an identity check mode of the target application program as checking through the approval object and checking through the reserved check information.
In some embodiments, the information processing module is further configured to perform a first identity verification on the target application according to the approval object, to obtain a first identity verification result;
the information processing module is further used for performing second identity verification on the target application program according to the reserved verification information when the first identity verification result is that the first identity verification is passed, so as to obtain a second identity verification result;
the information processing module is further configured to, when the second identity verification result is that the second identity verification passes, configure a random code for the target application program, where the random code is used to verify the target key obtaining request.
In some embodiments, the information processing module is further configured to parse header information of the target key acquisition request to obtain a random code in response to the target key acquisition request;
the information processing module is further configured to configure second authority information for the key management server when the random code of the header information of the target key acquisition request is consistent with the random code stored by the key management server, where the second authority information characterizes that the key management server has authority to parse the custom extension field.
In some embodiments, the information processing module is further configured to obtain a root certificate, where the root certificate is used to detect key management certificates corresponding to different target applications;
the information processing module is further used for detecting the range of a first key list of the key management certificate through the root certificate;
the information processing module is further configured to determine that the state of the key management certificate is a valid key management certificate when the range of the first key list is consistent with the range of the key list in the root certificate.
In some embodiments, the method is applied to a key management system that, when a newly added application needs to invoke at least one key of the target application,
the certificate configuration module is also used for adding a new application program into the key management system;
the certificate configuration module is also used for acquiring attribute parameters of the new application program;
the certificate configuration module is further used for respectively adjusting an approval object and a first key list in the configuration information of the key management certificate according to the attribute parameters to obtain updated configuration information;
the certificate configuration module is further used for creating a corresponding newly-added key management certificate for the new application program according to the updated configuration information;
The information transmission module is further configured to send the new key management certificate to the new application program, so that at least one key of the target application program can be called by the new application program based on the new key management certificate.
The embodiment of the application also provides electronic equipment, which comprises:
a memory for storing executable instructions;
and the processor is used for realizing the key management method when running the executable instructions stored in the memory.
The embodiment of the application also provides a computer readable storage medium which stores executable instructions which when executed by a processor realize the key management method.
The embodiment of the application also provides a computer program product, which comprises a computer program or instructions, wherein the computer program or instructions realize the key management method when being executed by a processor.
The embodiment of the application has the following beneficial effects:
1) The embodiment of the application obtains the configuration information of the key management certificate by responding to the key management certificate creation request; creating a corresponding key management certificate for a target application program according to the configuration information of the key management certificate, wherein the target application program is used for installing the key management certificate; through the configured key management certificates, unified management of all keys of the target application program can be realized, and meanwhile, the distribution range of the keys can be flexibly controlled through configuration of different key management certificates.
2) The key acquisition request sent by the target application program is acquired, wherein the key acquisition request comprises a key identifier of a target key; responding to the key acquisition request, analyzing the custom extension field of the key management certificate to obtain a key value list; performing consistency detection on the key value list and the key identification, and if a consistency detection result shows that the key value list comprises a target key corresponding to the key identification, sending the target key to the target application program; therefore, when the target application program acquires the corresponding key, the authority of acquiring the key is detected through the key management certificate due to the non-tamper property of the key management certificate, so that the key is prevented from being revealed, and the security of data is improved.
Drawings
Fig. 1 is a schematic diagram of an application scenario of a key management method according to an embodiment of the present application;
fig. 2 is a schematic flow chart of an implementation of a key management method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a system architecture of a key management system according to the present application;
fig. 4 is a schematic flow chart of an implementation of a key management method according to an embodiment of the present application;
FIG. 5 is a diagram illustrating a configuration of a key management certificate in x509 format according to an embodiment of the present application
FIG. 6 is a schematic diagram of configuration information of a key management certificate in x509 format according to an embodiment of the present application;
FIG. 7 is a schematic diagram illustrating the effect of mounting a key management certificate in x509 format according to an embodiment of the present application;
FIG. 8 is an alternative schematic diagram of key management in an embodiment of the application;
fig. 9 is a schematic structural diagram of an electronic device for executing the key management method according to the embodiment of the present application.
Detailed Description
The present application will be further described in detail with reference to the accompanying drawings, for the purpose of making the objects, technical solutions and advantages of the present application more apparent, and the described embodiments should not be construed as limiting the present application, and all other embodiments obtained by those skilled in the art without making any inventive effort are within the scope of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.
Before describing embodiments of the present invention in further detail, the terms and terminology involved in the embodiments of the present invention will be described, and the terms and terminology involved in the embodiments of the present invention will be used in the following explanation.
1) In response to a condition or state that is used to represent the condition or state upon which the performed operation depends, the performed operation or operations may be in real-time or with a set delay when the condition or state upon which it depends is satisfied; without being specifically described, there is no limitation in the execution sequence of the plurality of operations performed.
2) Terminals, including but not limited to: the device comprises a common terminal and a special terminal, wherein the common terminal is in long connection or short connection with a sending channel, and the special terminal is in long connection with the sending channel.
3) The client, the carrier for realizing the specific function in the terminal, such as the mobile client (APP), is the carrier for realizing the specific function in the mobile terminal, such as the function of executing report making or the function of displaying report.
4) An applet (Mini Program), a Program developed based on a front-end oriented language (e.g., javaScript) that implements services in hypertext markup language (HTML, hyper Text Markup Language) pages, is software downloaded by a client (e.g., a browser or any client with an embedded browser core) via a network (e.g., the internet) and interpreted and executed in the client's browser environment, saving steps installed in the client. For example, applets for implementing various services such as ticket purchase, report making, data presentation, etc. may be downloaded and run in the social networking client.
5) Cloud technology (Cloud technology) refers to a hosting technology for integrating hardware, software, network and other series resources in a wide area network or a local area network to realize calculation, storage, processing and sharing of data. The cloud computing business model application-based network technology, information technology, integration technology, management platform technology, application technology and the like can be collectively called to form a resource pool, and the resource pool is flexible and convenient as required. Cloud computing technology will become an important support. Background services of technical networking systems require a large amount of computing, storage resources, such as video websites, picture-like websites, and more portals. Along with the high development and application of the internet industry, each article possibly has an own identification mark in the future, the identification mark needs to be transmitted to a background system for logic processing, data with different levels can be processed separately, and various industry data needs strong system rear shield support and can be realized only through cloud computing.
6) Cloud Security (Cloud Security) refers to a generic term for Security software, hardware, target objects, institutions, and secure Cloud platforms based on Cloud computing business model applications. Cloud security fuses emerging technologies and concepts such as parallel processing, grid computing, unknown virus behavior judgment and the like, acquires the latest information of Trojan horse and malicious programs in the Internet through abnormal detection of software behaviors in a network by a large number of netlike clients, sends the latest information to a fictive engine server for automatic analysis and processing, and distributes solutions of viruses and Trojan horse to each client.
7) A Server cluster (Server cluster) refers to a cluster of at least two servers that together perform the same service, and appears to a client as if there is only one Server. The server cluster can use a plurality of computers to perform parallel computation so as to obtain high computation speed, and can also use a plurality of computers to perform backup, so that any machine breaks the whole system or can normally operate. The key management method provided by the application can be applied to cloud server use scenes and distributed server use scenes, and can be used for realizing state detection and fault restoration of server hard disks in different use scenes. For example, cloud servers (CVM, cloud Virtual Machine) are a simple, efficient, secure, reliable computing service with flexible processing capabilities. The management mode is simpler and more efficient than the traditional single physical server. The target object can quickly create or release any plurality of cloud servers for the business process of the target object without purchasing hardware in advance, and store the data of the cloud server target object. The data and the programs of the target objects in the use environment of the distributed server can be scattered into a plurality of servers instead of being located on one server, and similarly, the key management method provided by the application can realize unified management of keys of different target application programs stored in the cloud server, so that key leakage is avoided.
Before explaining the key management method provided by the present application, firstly explaining the defects in the related art, the inventor finds out in the study that when carrying out unified key management and key distribution (i.e. key authorization) on different keys stored in the server, the key management method mainly comprises the following management modes:
1) The key rights of the target application are assigned to other applications by means of token authorization. The disadvantage of this approach is that: when managing the key, the authorized application needs to be forced to register on the key management platform, and then the key can be authorized. After the key authorization is completed, the authorized application also needs to manually download the installation certificate, and the key is acquired through the acquired authorized token, so that the operation is complex, and the use experience of the user is affected. Meanwhile, the key management mode has security risk, the token for acquiring the key can be leaked in the transmission process, and the certificate of the corresponding target application program can be obtained through the leaked token, so that the data corresponding to the key can be easily acquired through the leaked token.
2) When a target application program is created, the relation between the target application program and the secret key is established, the range of the secret key is controlled through the relation list, and the secret key is managed. The disadvantage of this approach is that: when a plurality of target applications are established in relation to the same key, the key is shared by different target applications, but in practice the keys should be managed by a unified master application. For example, an application a needs the keys of two other applications b and c, and then an application b and an application c need to be newly added to the key management platform, so that the keys can be shared. However, in order to realize the controllable management of the secret key, the processing method adopted should be as follows: the application program a issues a certificate to authorize the key acquisition authority, and part of the key is not shared by a mode of adding an application newly; the key acquisition authority of the application program a is at risk of being tampered with (e.g., tampered with by the platform); taking the example that the key acquisition authority of the application program a is tampered by the platform, the following two cases may be included: the key acquisition authority of the application program a is enlarged (the application program a illegally acquires the corresponding key), or the key acquisition authority of the application program a is reduced (the application program a cannot acquire the corresponding key).
In order to solve the above-mentioned defects, the application provides a key management method, which can not only uniformly manage all keys of target application programs, but also control the distribution process of the keys by using the configured key management certificates according to different key use environments, ensure that the keys are not revealed, and improve the security of data so as to adapt to the key management requirements of different target application programs.
Fig. 1 is a schematic diagram of an application scenario of a key management method according to an embodiment of the present application, referring to fig. 1, with the continuous development of computer technology, a cloud server may provide a secure and reliable elastic computing service, and may also provide different instance types to satisfy a specific usage scenario of a target object. The electronic device 100 may comprise two different types of terminals or electronic devices, namely, the terminal 10-1 and the terminal 10-2, and the target object may be selected according to the usage requirement of the usage scenario of the key information. The terminal (including the terminal 10-1 and the terminal 10-2) is provided with a corresponding client capable of executing the key management function, and when executing the key management, the terminal (including the terminal 10-1 and the terminal 10-2) needs to acquire the corresponding key from the cloud server 200 first to decrypt the acquired encrypted data, so as to obtain the data plaintext and perform the key management. The key stored in the cloud server 200 is a parameter that is input in an algorithm for converting plaintext into ciphertext or converting ciphertext into plaintext. In the embodiment of the application, the keys are divided into two main categories according to the functions of the keys in the whole flow of the embodiment of the application: session keys and data encryption keys. The session key is a key for encrypting and decrypting communication data by both communication parties and is mainly used for safety communication and protecting the communication data of both communication parties; the data encryption key is mainly used for encrypting and decrypting data which need to be exchanged between the TEE applications.
The terminals (including the terminal 10-1 and the terminal 10-2) acquire different keys from the corresponding cloud servers 200 through the network 300, decrypt the acquired encrypted data using the acquired keys, and deploy different services in the cloud server network according to the acquired different types of keys, and the cloud server 200 may be a server performing the key management service. The terminal is connected to the server 200 through the network 300, and the network 300 may be a wide area network or a local area network, or a combination of the two, and uses a wireless link to implement data transmission. As shown in connection with fig. 1, in an embodiment provided by the present application, cloud server 200 may be written in software code environments of different programming languages, and code objects may be different types of code entities. For example, in software code in the C language, a code object may be a function. In software code in the JAVA language, a code object may be a class.
Referring to fig. 2, fig. 2 is a schematic flow chart of an implementation of a key management method according to an embodiment of the present application, where the embodiment of the present application may be implemented in combination with Cloud technology (Cloud technology), which refers to a hosting technology that integrates serial resources such as hardware, software, and networks in a wide area network or a local area network to implement calculation, storage, processing, and sharing of data, and may also be understood as a generic term of network technology, information technology, integration technology, management platform technology, application technology, and the like applied based on a Cloud computing business model. Background services of technical network systems require a large amount of computing and storage resources, such as video websites, picture websites and more portal websites, so cloud technologies need to be supported by cloud computing.
It should be noted that cloud computing is a computing mode, which distributes computing tasks on a resource pool formed by a large number of computers, so that various application systems can acquire computing power, storage space and information service as required. The network that provides the resources is referred to as the "cloud". Resources in the cloud are infinitely expandable in the sense of users, and can be acquired at any time, used as needed, expanded at any time and paid for use as needed. As a basic capability provider of cloud computing, a cloud computing resource pool platform, referred to as a cloud platform for short, is established, and is generally called an infrastructure as a service (IaaS Infrastructure as a Service), and multiple types of virtual resources are deployed in the resource pool for external clients to select for use. The cloud computing resource pool mainly comprises: computing devices (which may be virtualized machines, including operating systems), storage devices, and network devices. Different operation rights are given to a target object subjected to key management by a cloud server.
Cloud storage (cloud storage) is a new concept that extends and develops in the concept of cloud computing, and a distributed cloud storage system (hereinafter referred to as a storage system for short) refers to a storage system that integrates a large number of storage devices (storage devices are also referred to as storage nodes) of various types in a network to work cooperatively through application software or application interfaces through functions such as cluster application, grid technology, and a distributed storage file system, so as to provide data storage and service access functions for the outside. In the related art, the storage method of the storage system is as follows: when creating logical volumes, each logical volume is allocated a physical storage space, which may be a disk composition of a certain storage device or of several storage devices. The client stores data on a certain logical volume, that is, the data is stored on a file system, the file system divides the data into a plurality of parts, each part is an object, the object not only contains the data but also contains additional information such as a data identifier (ID IDentity), the file system writes each object into a physical storage space of the logical volume, and the file system records storage location information of each object, so that when the client requests to access the data, the file system can enable the client to access the data according to the storage location information of each object. The process of allocating physical storage space for the logical volume by the storage system specifically includes: physical storage space is divided into stripes in advance according to the set of capacity measures for objects stored on a logical volume (which measures tend to have a large margin with respect to the capacity of the object actually to be stored) and redundant array of independent disks (RAID Redundant Array of Independent Disk), and a logical volume can be understood as a stripe, whereby physical storage space is allocated for the logical volume.
It will be appreciated that the execution body of the steps shown in fig. 2 may be implemented by a terminal running the key management apparatus alone or by a server running the key management apparatus. Of the processing steps shown in fig. 2, a server is taken as an implementation example, and the steps shown in fig. 2 are described below.
Step 201: and responding to the key management certificate creation request, and acquiring configuration information of the key management certificate.
In some embodiments, the configuration information of the key management certificate needs to be matched with the format of the key management certificate, so that the key management certificate carries the format identifier of the key management certificate, and the types of the key management certificate supported by the key management server in the application include but are not limited to: the system comprises a self-signed certificate, an intermediary certificate, an authorization certificate, a terminal entity certificate and other public key certificates, wherein the types of the key management certificates support the configuration format of a unified key certificate, configuration information can be filled into corresponding fields of the key management certificate through the configuration format of the unified key certificate, the key management certificate is packaged, and the key management certificate is installed and operated by a client of a target application program.
In some embodiments, the configuration format of the unified key certificate may be an X509 format or an X500 format, where, taking the X509 format as an example, the content in the key management certificate in one X509 format at least includes: 1) The serial number of the certificate, each key management certificate (X509 certificate for short) in the format of X509 has a unique certificate serial number; 2) A signature algorithm used by the certificate; 3) The certificate issuing authority name is generally in the x.500 format (for example, the issuing authority of the key management certificate in the present application may be the issuing authority of the master application 1 storing all key information, the name is 101.500, the name may be the issuing authority of the master application 2 storing part of the key information, the name is 102.500); 4) The validity period of the certificate is that the current general certificate generally adopts UTC time format, and the timing range is 1950-2049; 5) The name of the certificate owner, the naming rule generally adopts an x.500 format (for example, the name of the owner of the key management certificate in the present application may be the client of the target application 1, the name is named as x01.500, the name may also be the client of the target application 2, the name is named as x 02.500); 6) Public keys of certificate owners; 7) Signature of the certificate by the certificate issuer.
In some embodiments, before obtaining the configuration information of the key management certificate, the identification of the target application program matched with the key management certificate creation request may be further determined according to the key management certificate creation request; after the key management server receives the key management certificate creation request through the front-end device, the type of the key to be managed can be determined according to the determined identification of the target application program, and different key information (such as a session key and a data encryption key) is respectively stored in corresponding cloud servers (i.e. the key management servers providing the key management service) in the cloud server cluster according to the type of the key to be managed, so that the keys of the same type in the cloud server cluster can be uniformly stored and managed, and the storage space of hardware equipment occupied by key storage is saved. For example: the types of the keys are a session key and a data encryption key, when the key management server receives a key management certificate creation request through the front-end equipment, the session key can be stored in the cloud server 1, the data encryption key is stored in the cloud server 2, and when a client of a target application program initiates a key acquisition request and passes verification, the key stored in the cloud server 1 or the cloud server 2 is sent to the corresponding client.
In some embodiments, in response to a key management certificate creation request, obtaining configuration information for a key management certificate may be accomplished by:
in some embodiments, the configuration information of the key management certificate includes: the process of obtaining the configuration information of each key management certificate is described below with reference to the approval object, the first key list, and the IP address list, respectively:
in some embodiments, according to the identification of the target application program, the approval object of the key management certificate may be searched in a preset approval object list of the key management certificate; searching a first key list of a key management certificate in a preset key original list according to the identification of a target application program; and determining an IP address list matched with the target application program according to the identification of the target application program. In order to ensure the security of the key, prevent the data leakage caused by the key leakage, and reduce the risk of tampering the key acquisition authority, the key management certificate may be configured with corresponding detection information for detecting the target application program that initiates the key acquisition request. For example, the number of the approval objects of the key management certificate is at least one, and the approval objects are notified to manually detect the key management certificate by the office automation application client (MOA, manager Office Automation), so that the content of the key management certificate is not tampered, for example: the approval object list of the key management certificate preset in the key management server comprises the following components: and when the identification of the target application program represents the data decryption program through the target application program, the acquired key type is a data encryption key, and the examination object searching the key management certificate in the examination object list of the preset key management certificate can be at least one of the examination person a, the examination person b and the examination person c.
In some embodiments, the approval object list of the key management certificate preset in the key management server includes: when the identification of the target application program characterizes the communication data encryption and decryption program through the target application program, and the acquired key type is a session key, in an approval object list of a preset key management certificate, the approval objects of the key management certificate can be a first-level approver a, a second-level approver b and a third-level approver c, and when the target application program sequentially approves the first-level approver a, the second-level approver b and the third-level approver c, the target application program can acquire the corresponding session key.
In some embodiments, the original key list stores a session key 1, a session key 2 and a session key 3 for encrypting and decrypting communication data, and when the target application program a is created, the key management can determine that the target application program a needs to acquire the session key 1 according to attribute information of the target application program a, and at this time, the key information in the first key list is the key 1; when the target application program b is created, the key management can determine that the target application program b needs to acquire a session key 1 and a session key 3 according to the attribute information of the target application program b, and at this time, the key information in the first key list is the key 1 and the session key 3; when the target application program c is created, the key management can determine that the target application program c needs to acquire the session key 1, the session key 3 and the session key 4 according to the attribute information of the target application program c, and as the session key 4 exceeds the record of the preset key original list, the management server can not send prompt information to the corresponding front end, so as to prompt an administrator of the key server to modify the attribute information of the target application program c or add the key information in the preset key original list, and the session key 4 is added into the preset key original list.
In some embodiments, when the session key used for encrypting and decrypting the communication data is stored in the key original list, the target application program can only ensure that the plaintext of the communication data decrypted by the key is not revealed for the application program in the corresponding intranet, so that the IP address of the target application program can be limited, for example, when the IP address matched with the target application program is determined to be 116.179.33.17-116.179.34.17 by using the identification of the target application program, the target application program is determined to be located in the corresponding intranet environment, and at this time, the IP address recorded in the IP address list matched with the target application program is 116.179.33.17-116.179.34.17.
In some embodiments, the configuration information of the key management certificate may further include: country code: CN (CN represents china), province of the address location of the target network: beijin, city of address location of target network: beijing, organization of target network: beijingKs, name of enterprise to which the target network belongs: ks, domain name of target network: root, number of valid days of identity certificate: 365. information about the identity certificate encryption algorithm: RSA (an encryption algorithm) number of bits is 2048, public key cryptography: xxx. The public key cryptography may refer to certificate public key encryption standard (Public Key Cryptography Standards, PCKS) 12 cryptography, and the present application is not particularly limited thereto.
Step 202: and creating a corresponding key management certificate for the target application program according to the configuration information of the key management certificate, wherein the target application program is used for installing the key management certificate.
In some embodiments, creating a corresponding key management certificate for the target application based on the configuration information of the key management certificate may be accomplished by:
determining a type of key management certificate that matches the target application; determining a field to be filled of the key management certificate according to the type of the key management certificate; filling the approval object, the first key list and the IP address list of the key management certificate into the field to be filled to obtain the key management certificate of the target application program. Taking the type of the key management certificate as an example, the field to be filled of the key management certificate is a custom extension field (extension fields) in the x509 certificate, and when the session data analysis application program is used as the target application program, as shown in the foregoing embodiment, the approval object is object 1, the key in the first key list is key 1, the IP address matched with the target application program is 116.179.33.17-116.179.34.17, and at this time, the approval object, the first key list and the IP address list are filled into the custom extension field in the x509 certificate, so as to obtain the x509 certificate of the session data analysis application program.
In some embodiments, before step 203 is performed, the key management certificate may be sent to the target application program, and after the target application program installs the key management certificate, when the target application program is started by the client, through the link established between the client and the key management server, the key management server may detect the corresponding key management certificate, so as to ensure validity of key acquisition and avoid disclosure of key information.
In some embodiments, when the target application is started through the client, the key management server may parse the custom extension field of the key management certificate to obtain an identity verification manner of the target application; then, according to the identity verification mode, carrying out identity verification on the target application program to obtain an identity verification result; when the identity verification result is that identity verification passes, configuring first authority information for the key management server, wherein the first authority information characterizes that the key management server has the authority of communicating with the target application program, and can detect the target application program sending out a key acquisition request, so that the legality of key acquisition is ensured, and the leakage of key information is avoided; when the identity verification result shows that the identity verification fails, the target application program sending the key acquisition request is illegal, and at the moment, the key management server provided by the application is required to send a notification to an administrator to prompt the administrator to timely detect the target application program sending the key acquisition request, so that the key management server is prevented from being attacked by the saturation of the illegal application program.
In some embodiments, the method for resolving the custom extension field of the key management certificate to obtain the identity verification of the target application program may be implemented by the following methods:
when the target application program is started through the client, the key management server establishes communication connection with the target application program; the key management server receives a key management certificate sent by a client; and the key management server performs field analysis on the key management certificate to obtain a custom extension field of the key management certificate. Taking the x509 certificate as a key management certificate for example, the type identifier of different identity verification modes is stored in a custom extension field in the x509 certificate, specifically, identifier 001 represents manual verification of an approval object, identifier 002 represents automatic verification of reserved information, and identifier 003 represents automatic verification by detecting firmware (e.g. an encrypted medium).
In some embodiments, when the different identity verification modes are manual verification and automatic verification of the reserved information of the approval object, according to the identity verification modes, the identity verification of the target application program for obtaining the secret key can be realized by the following modes:
performing first identity verification on the target application program according to the approval object to obtain a first identity verification result; when the first identity verification result is that the first identity verification is passed, performing second identity verification on the target application program according to the reserved verification information to obtain a second identity verification result; in some embodiments, taking types of different identity verification modes in the custom extension field in the x509 certificate as 001 and 002 as examples, when determining the identity verification mode, the key management server analyzes the content of the custom extension field of the key management certificate to obtain types of different identity verification modes as 001 and 002, namely, manually verifying an approval object and automatically verifying reserved information, then searching for the approval object of the key management certificate as 001 and 002 by using the types of different identity verification modes, and carrying out identity verification by using the approval object 1, and after the approval object 1 passes the identity verification, carrying out verification again by using the reserved verification information 001, thereby ensuring the legitimacy of the target object sending the key acquisition request and avoiding the leakage of the key information caused by the illegal application program to acquire the key.
In some embodiments, when the second identity verification result is that the second identity verification is passed, it indicates that the target application program is a legal application program, and a key acquisition request can be sent to the key management server, at this time, the key management server configures a random code for the target application program, where the random code is used to verify the key acquisition request, and when a client of the target application program is started and needs to execute a corresponding key management function, the key acquisition request needs to be sent to the key management server, and the key acquisition request carries the random code, so that the key management server can help to quickly and legally detect a client of the target application program that sends the key acquisition request through the random code. For example: taking types of different identity verification modes in a custom extension field in an x509 certificate as examples, when the identity verification mode is determined, the key management server analyzes the content of the custom extension field of the key management certificate to obtain types of the different identity verification modes as 001 and 002, namely, the manual verification of an approval object and the automatic verification of reserved information, then using the types of the different identity verification modes as 001 and 002, searching the approval object of the key management certificate as the approval object 1 and the reserved verification information as "001", carrying out identity verification through the approval object 1, when the approval object 1 passes identity verification, carrying out verification again through the reserved verification information as "001", and when the identity verification passes, setting a random code configured for a target application program a as "00a10", and at the moment, the target application program a finishes registration in the key management server, and then, sequentially sending a key acquisition request 001 (carrying the random code "00a 10"), a key acquisition request (the random code "00a 10") to the key management server, and sending an illegal application program a1 to the management server (carrying the random code "00a 10") to obtain the corresponding key code, thereby ensuring that the illegal application program a can obtain the corresponding key code a can not pass through the corresponding key code, and the corresponding key management method can not be ensured.
Step 203: and acquiring a key acquisition request sent by the target application program, wherein the key acquisition request comprises a key identifier of the target key.
In some embodiments, the target application may decrypt the encrypted data by obtaining different keys according to usage scenarios. Taking the example of acquiring a data encryption key, the first key list of the x509 certificate of the target application program a includes: and the key 101 and the key 102 are used for decrypting different types of encrypted data to obtain corresponding plaintext data. The key acquisition request sent by the target application program a to the key management server includes at least one of: key acquisition request 1 (carrying the identity of key 101), key acquisition request 2 (carrying the identity of key 102), key acquisition request 3 (carrying the identities of keys 101 and 102). By sending the key acquisition request to the key management server, the client of the target application program can acquire different keys to process corresponding encrypted data, so that the error distribution probability of the keys is reduced.
In some embodiments, before performing step 204, the header information of the key acquisition request may be further parsed to obtain a random code in response to the key acquisition request; and when the random code in the header information of the key acquisition request is consistent with the random code stored in the key management server, configuring second authority information for the key management server, wherein the second authority information characterizes that the key management server has authority for analyzing the custom extension field. For example, in combination with the above embodiment, when the random code "00a10" stored in the key management server is also "00a10", the target application program can be quickly confirmed as a legal application program that has completed registration in the key management server, the corresponding key can be passed, the key acquisition waiting time of the client of the target application program can be reduced, and the key management efficiency can be improved.
Step 204: and responding to the key acquisition request, and analyzing the custom extension field of the key management certificate to obtain a key value list.
In some embodiments, taking the example of obtaining the data encryption key, by parsing the custom extension field of the x509 certificate of the target application a, a list of key values that the client of the target application wants to obtain can be obtained, for example: the x509 certificate key value list of the parsing target application a includes: value of key 101: 0FFFF9876543210E00010004, value of key 102: 0FFFF9876543210E00010005.
Step 205: and carrying out consistency detection on the key value list and the key identification, and if the consistency detection result shows that the key value list comprises the target key corresponding to the key identification, sending the target key to the target application program.
In some embodiments, in combination with the foregoing embodiments, in order to reduce the risk of data leakage caused by a loss of a key, the key is typically stored in a server as a key value (in encrypted ciphertext form) and in a first key list of x509 certificates, where the first key value list of x509 certificates of the target application a includes: value of key 101: 0FFFF9876543210E00010004, value of key 102: 0FFFF9876543210E00010005. At this time, when the value of the target key corresponding to the key id of the key acquisition request is 0FFFF9876543210E00010004, it is indicated that the key acquired by the target application a is the key 101, and when the value of the target key corresponding to the key id of the key acquisition request is 0FFFF9876543210E00010000, it is indicated that the key acquired by the target application a exceeds the key range recorded in the key value list, and in order to avoid key leakage, it is necessary to reject the key acquisition request of the target application a.
In some embodiments, when the key management certificate is lost, the data leakage may be caused by the fact that the key management certificate is tampered, so that after the corresponding key management certificate is created for the target application program, a root certificate can be obtained, and the root certificate is used for detecting the key management certificates corresponding to different target application programs; detecting the range of a first key list of the key management certificate through the root certificate; when the range of the first key list coincides with the range of the key list in the root certificate, the state of the key management certificate is determined to be a valid key management certificate. In this process, because of the signature of the root certificate, the application manager of the key management server cannot enlarge the key access right by modifying the key management certificate. Meanwhile, the application manager of the key management server cannot revise the key management certificate without the root certificate. The application manager of the key management server does not have the private key of the client key management certificate and cannot tamper with the key management certificate. Therefore, the non-falsification of the key management certificate can be ensured, and the data leakage caused by falsification of the key management certificate is avoided.
In some embodiments, the key management server and the front end of the key management server form a key management system, and when the newly added application program needs to call at least one key of the target application program, a key management certificate matched with the newly added application program can be generated according to the key management method provided by the application so as to ensure the security of key management.
In some embodiments, to increase the key processing speed when a newly added application acquires a key, the following operations may be performed:
firstly, adding a new application program in a key management system; acquiring attribute parameters of a new application program; then, according to the attribute parameters, respectively adjusting the approval object and the first key list in the configuration information of the key management certificate to obtain updated configuration information; by adjusting the first key list, a second key list can be obtained, and the second key list can be stored in a key management server so as to trace back the key management process and realize the detection of the key distribution (key authorization) process.
Finally, creating a corresponding newly-added key management certificate for the new application program according to the updated configuration information; the new key management certificate is sent to the new application to enable at least one key of the target application to be invoked by the new application based on the new key management certificate. For example: the application program a can monopolize the secret key 1 and share the secret key 2 with other application programs, the application program b can acquire the secret key 1 now, the approval object can be updated according to the attribute parameters of the application program a to adjust the approval person to be three-level, the first secret key list is updated so that the application program b can acquire the secret key 1, after new configuration information is obtained, a secret key management certificate of the application program b is generated according to the new configuration information, and the x509 of the application program a is partially updated to obtain the x509 of the application program b, so that the application program b can acquire the secret key 1 through the secret key management certificate in the x509 format, the time consumption of secret key management is saved, and the use experience of a user of a target application program is improved.
In some embodiments, since the authority of the target application program to acquire the corresponding key may be dynamically changed, a certificate revocation list (Certificate Revocation List, CRL) may be set in the key management server, so as to record invalid key management certificates, and by periodically updating the certificate revocation list, dynamic management of the key management certificates of different target application programs may be implemented, thereby improving the processing efficiency of the key management certificates.
In order to better explain the working process of the key management method provided by the application, the key management server and the front end of the key management server form a key management system, and the working process of the key management method provided by the application is described below.
Referring to fig. 3, fig. 3 is a schematic diagram of a system architecture of a key management system according to the present application, where a key management server is used to execute the key management method provided by the present application, and a front end of the key management server is used to input configuration information of a key management certificate. The system administrator is responsible for creating the target application and configuring the application administrator for the target application. The application manager is responsible for managing the key data of the target application program and providing the configuration information of the corresponding key management certificate. Total key manager: and the key management system is responsible for keeping the starting key, inputs the corresponding starting key from the interface when the system is restarted each time, completes the system initialization, and realizes the configuration of key management certificates for different application programs.
In some embodiments, the key management service provided by the key management system shown in fig. 3 may be understood as a local key management service (KMS, local Key Manager Server), where the local KMS service belongs to an untrusted area (i.e. an untrusted memory indicated by an untrusted environment), is not used for storing keys, and provides a service interface for an application client used by a user by encapsulating the functions of the trusted memory service. A trusted storage service (i.e., sgx_kms) may be understood as an SGX module in a key management technology (the SGX module may create a cloud container in a trusted environment), where the SGX module belongs to a trusted area (i.e., a trusted memory indicated by the trusted environment) and may be used to store a key, and encapsulates basic operations related to the key. Where no matter what privilege level (i.e., privile) and mode (i.e., mode) the CPU is in, data may be written to or read from the trusted memory indicated by the trusted environment in an untrusted environment.
Referring to fig. 4, fig. 4 is a schematic flow chart of an implementation of the key management method according to an embodiment of the present application, and it can be understood that the execution body of the steps shown in fig. 4 includes: the key management server, the front end of the key management server, the client of the target application, and the office automation application client are described below with respect to the steps shown in fig. 4.
Step 401: the front end of the key management server determines configuration information of the key management certificate.
In some embodiments, referring to fig. 5, fig. 5 is a schematic configuration diagram of a key management certificate in x509 format in an embodiment of the present invention, where, taking the key management certificate in x509 format as an example, the configuration information includes: the approver, the key scope (i.e. the first key list), the allowed ip network segment information.
Step 402: the front end of the key management server transmits configuration information to the key management server in response to the key management certificate creation instruction.
Step 403: and writing the configuration information into a custom extension field of the key management certificate by the key management server to obtain the key management certificate.
In some embodiments, referring to fig. 6, fig. 6 is a schematic diagram illustrating configuration information of an X509 format key management certificate according to an embodiment of the present invention, as shown in fig. 6, each of the X509 format key management certificates (abbreviated as X509 certificates) has a unique certificate serial number; 2) A signature algorithm used by the certificate; 3) The name of the issuing organization of the certificate, the naming rule generally adopts an X.500 format; 4) The validity period of the certificate is that the current general certificate generally adopts UTC time format, and the timing range is 1950-2049; 5) The name of the certificate owner, the naming rule generally adopts an X.500 format; 6) Public keys of certificate owners; 7) Signature of the certificate by the certificate issuer. In the x509 certificate shown in fig. 6, DNS: { permission: * (representing read/write rights), ip: * Moaaaudiors: * secretKeys (representing a list of initiating approvers, i.e., the approval objects of the key management certificate): * In the x509 certificate shown in fig. 6, the approver is nebula ao (representing a certificate accessible key, i.e., a first key list), the key list includes a key range of: key1, key2.
By adjusting the configuration information of the key management certificate, the use requirements of different key distribution and key authorization can be met, so that the range of the key distribution and the key authorization is controllable.
Step 404: the key management server mounts the key management certificate to the front end of the key management server.
In some embodiments, referring to fig. 7, fig. 7 is a schematic diagram illustrating the effect of mounting a key management certificate in x509 format in the embodiment of the present invention, a target application of the key management system has multiple sets of keys under it, and different key rights can be set each time the key management certificate is created, so that the scope of access keys of different certificates can be different under the same target application. The key usage range of the key management certificate in the x509 format as shown in fig. 7 is: 123123, x, test1, key3, the key distribution or authorization scope can be effectively controlled by adjusting the key use scope of the key management certificate in the x509 format shown in fig. 7, so as to adapt to more key distribution environments.
Step 405: the target application program obtains and installs the key management certificate through the front end of the key management server.
Step 406: when the target application program is started, the key management certificate is sent to the key management server through the client side of the target application program.
Step 407: the key management server decodes the key management certificate and triggers the identity verification process.
In some embodiments, the approval of the target application includes: the key management server informs the MOA of the approval by the approver. When the approver passes the approval, other identity checks are performed, wherein the other identity checks include but are not limited to: and checking reserved information, checking a mobile phone short message receiving verification code and checking the movement of the jigsaw.
Step 408: when the verification of the identity verification process is passed, a random value is configured for the target application program, and registration of the target application program is completed in the key management server.
In some embodiments, the target application needs to carry the configured random value when initiating the key acquisition request to quickly detect the legitimacy of the target application. For example: taking types of different identity verification modes in the custom-defined extension field in the x509 certificate as examples, when the identity verification mode is determined, the key management server analyzes the content of the custom-defined extension field of the key management certificate to obtain types of the different identity verification modes as 001 and 002, namely, the manual verification of an approval object and the automatic verification of reserved information, then using the types of the different identity verification modes as 001 and 002, searching for the approval object of the key management certificate as the approval object 1 and the reserved verification information "001", carrying out identity verification through the approval object 1, when the approval object 1 passes identity verification, carrying out verification again through the reserved verification information "001", and when the identity verification passes, setting the random code configured for the target application program a as "00a10", and at the moment, the target application program a finishes registration in the key management server, and then sequentially sending a key acquisition request 001 (carrying the random code "00a10 bb"), a key acquisition request 002 (the random code "00a10 bc") to the key management server, and sending an illegal application program a1 to the random application program can obtain the random code 001 (carrying the random code "00 b 1, and the corresponding key management program can not carrying the random code" 00 b "can be obtained by the corresponding key management program and the corresponding key application program 00a, and the illegal key can be ensured to be a corresponding to the corresponding key application program.
Step 409: the client of the target application sends a key acquisition request to the key management server.
In some embodiments, the key obtaining request may carry an identifier of at least one target key, so as to achieve batch obtaining of the keys in the key management server, so as to save time of key distribution.
Step 410: the key management server analyzes the x509 key management certificate to obtain a key list stored in the key management certificate.
In some embodiments, the key list in the x509 key management certificate may be stored in the form of a plaintext key, or may be stored in the form of an encrypted key value, which is not particularly limited to this application.
In some embodiments, taking the example of obtaining the data encryption key, by parsing the custom extension field of the x509 certificate of the target application a, a list of key values that the client of the target application wants to obtain can be obtained, for example: the x509 certificate key value list of the parsing target application a includes: value of key 101: 0FFFF9876543210E00010004, value of key 102: 0FFFF9876543210E00010005. Therefore, even if the x509 certificate leaks (or the x509 certificate is illegally acquired), the private key of the target application client cannot be acquired, and the key management certificate cannot be tampered, so that the security of key management is ensured.
Step 411: it is determined whether the key list stored in the key management certificate includes the target key, if so, step 412 is performed, otherwise step 413 is performed.
In some embodiments, in combination with the foregoing embodiments, in order to reduce the risk of data leakage caused by a loss of a key, the key is typically stored in a server as a key value (in encrypted ciphertext form) and in a first key list of x509 certificates, where the first key value list of x509 certificates of the target application a includes: value of key 101: 0FFFF9876543210E00010004, value of key 102: 0FFFF9876543210E00010005. At this time, when the value of the target key corresponding to the key identifier of the key acquisition request is 0aabb9876543210E00010004, it is indicated that the key acquired by the target application a is the key 101, and when the value of the target key corresponding to the key identifier of the key acquisition request is 0aabb9876543210E00010000, it is indicated that the key acquired by the target application a exceeds the key range recorded in the key value list, and in order to avoid key leakage, it is necessary to reject the key acquisition request of the target application a.
Step 412: the key management server sends the target key to the client of the target application.
Step 413: and sending a notice of prohibiting acquisition of the target key to the client.
In some embodiments, if one target application program stores keys in the key management server in an amount equal to or greater than 2, when other application programs need to call or share part of the keys of the target application program, by executing the key management method provided by the application, only a new key management certificate is needed, a key access range is configured when the key management certificate is configured, and an approver issues the newly configured key management certificate to other application programs needing part of the keys. Therefore, different key management certificates can be issued to the key management system according to different key ranges and different approvers, and unified management of the keys is realized.
In some embodiments, referring to fig. 8, fig. 8 is an alternative schematic diagram of key management in an embodiment of the present application, as shown in fig. 8, a key (key_x_1, key_x_2, key_x_3, key_x_4, key_x_5) of an app_x, and a key (key_y_1, key_y_2, key_y_3, key_y_4, key_y_5) of an app_x may be stored in the key management server; the key management server can be any server in the cloud server cluster, in order to prevent Trojan horse and malicious programs in the Internet, ensure the storage safety of key information in the key management server in the cloud server cluster, and can control cloud services provided by the key management server through a cloud security technology, so that the cloud server is used for encrypting and decrypting data through corresponding key information.
Different target application programs respectively correspond to different clients (client_1, client_2 and client_3), wherein the clients (client_1, client_2 and client_3) can be applet clients for quickly acquiring corresponding keys to realize encryption or decryption processing of data. When different target keys are obtained by the client, 3 different certificates (cert_1, cert_2, cert_3) can be created for the target application app_x by the key management server, wherein cert_1 only allows the target keys key_x_1 and key_x_2 to be obtained by the certificate, cert_2 only allows the keys key_x_3 and key_x_4 to be obtained by the certificate; cert_3 allows only the target keys key_x_4 and key_x_5 to be obtained from the certificate, so that when client_1 accesses the kms server, only key_x_1 and key_x_2 can be accessed when the key management certificate is used to access the key management server; client_2 can only access key_x_3 and key_x_4; client_3 can only access key_x_4 and key_x_5.
In some embodiments, when an application manager of app_x is responsible for managing only key data of app_x and an application manager of app_y is responsible for managing only key data of app_y, when client_1 needs to access key_yjj 3 of app_y, the application manager of app_y configures a new key management certificate cert_1-1 for client_1 through the key management server, client_1 can access the target keys key_x_1 and key_x_2 through the key management certificate cert_1-1, and can access the target key key_y_3 through the key management certificate cert_1-1, thereby enabling effective control over the scope of key distribution or authorization and backtracking of key access records.
In some embodiments, when an application manager of app_x is not only responsible for managing the key data of app_x, but also owns the key data of rights management app_y, if app_y allows client_1 to access key_y_3, at this time, the application manager can increase the key range list of the key management certificate of client_1 through the key management server, thereby reducing the creation number of the key management certificates, improving the speed of key management, and meanwhile, by the key management method provided by the application, token transmission is not required, and the leakage risk of the key is reduced. Because the rights of the application manager are more varied, the key management method provided by the application can provide flexible key management certificate configuration modes for the rights of different application managers, so that the application manager can manage the keys more conveniently and the use feeling is improved.
In some embodiments, taking the main application app_x as personnel data as an example, the personnel department registers a main application app_x in the key management server, and the main application app_x is used for storing all personnel data (including salary data and post data), and the target application may be an application program needing to call a key to obtain corresponding personnel data, for example: the client client_1 of the application program of the financial department needs to count the payroll of the personnel of the financial year, which needs the highest authority (acquire all personnel data), so that the corresponding key management certificate cert_1 is configured through the key management server, app_x issues the certificate cert_1 to the client_1, and the cert_1 contains the key (key_x_1, key_x_2).
The client client_2 of the application program of the IT department needs personnel post information to issue different computers for the staff through the post information, so that the corresponding key management certificate cert_2 is configured through the key management server, app_x issues the certificate cert_2 to the client_2, and the cert_2 contains a key (key_x_3, key_x_4).
The client side client_3 of the application program of the legal department needs personnel post information to push different legal information according to different posts, a corresponding key management certificate cert_3 is configured through a key management server, app_x issues a certificate cert_3 to the client side client_3, and the cert_3 contains a key (key_x_4, key_x_5).
The personnel department needs to configure a client client_4 to realize unified management of all personnel data, and a corresponding key management certificate cert_4 is configured through a key management server, wherein the cert_4 contains keys (key_x_1, key_x_2, key_x_3, key_x_4 and key_x_5).
Referring to fig. 9, fig. 9 is a schematic structural diagram of an electronic device for performing the key management method provided by the present application, and the electronic device 100 shown in fig. 9 includes: each processor 410, memory 450, each network interface 420, and target object interface 430. The various components in the electronic device 100 are coupled together by a bus system 440. It is understood that the bus system 440 is used to enable connected communication between these components. The bus system 440 includes a power bus, a control bus, and a status signal bus in addition to the data bus. But for clarity of illustration the various buses are labeled in fig. 9 as bus system 440.
The processor 410 may be an integrated circuit chip having signal processing capabilities such as a general purpose processor, such as a microprocessor or any conventional processor, or the like, a digital signal processor (DSP, digital Signal Processor), or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like.
The target object interface 430 includes one or more output devices 431, including one or more speakers and one or more visual displays, that enable presentation of media content. The target object interface 430 also includes one or more input devices 432, including target object interface components that facilitate target object input, such as a keyboard, mouse, microphone, touch screen display, camera, other input buttons and controls.
Memory 450 may be removable, non-removable, or a combination thereof. Exemplary hardware devices include solid state memory, hard drives, optical drives, and the like. Memory 450 optionally includes one or more storage devices physically remote from processor 410.
Memory 450 includes volatile memory or nonvolatile memory, and may also include both volatile and nonvolatile memory. The nonvolatile Memory may be a Read Only Memory (ROM), and the volatile Memory may be a random access Memory (RAM, random Access Memory). The memory 450 described in embodiments of the present application is intended to comprise any suitable type of memory.
In some embodiments, memory 450 is capable of storing data to support various operations, examples of which include programs, modules and data structures, or subsets or supersets thereof, as exemplified below.
An operating system 451 including system programs, e.g., framework layer, core library layer, driver layer, etc., for handling various basic system services and performing hardware-related tasks, for implementing various basic services and handling hardware-based tasks;
a network communication module 452 for accessing other electronic devices via one or more (wired or wireless) network interfaces 420, the exemplary network interface 420 comprising: bluetooth, wireless compatibility authentication (WiFi), and universal serial bus (USB, universal Serial Bus), etc.;
a presentation module 453 for enabling presentation of information (e.g., for operating peripheral devices and displaying target object interfaces of content and information) via one or more output devices 431 (e.g., a display screen, speakers, etc.) associated with target object interface 430;
an input processing module 454 for detecting one or more target object inputs or interactions from one of the one or more input devices 432 and translating the detected inputs or interactions.
In some embodiments, the apparatus provided in the embodiments of the present application may be implemented in software, and fig. 9 shows a key management device 455 stored in a memory 450, which may be software in the form of a program, a plug-in, or the like, including the following software modules: the information transmission module 4081, the certificate configuration module 4082 and the information processing module 4083 are logical, and thus may be arbitrarily combined or further split according to the implemented functions. The functions of the respective modules will be described hereinafter.
Continuing the description below of the functions of the respective software modules in the key management device 455, wherein the information transmission module 4081 is configured to obtain the configuration information of the key management certificate in response to the key management certificate creation request; the certificate configuration module 4082 is configured to create a corresponding key management certificate for a target application according to configuration information of the key management certificate, where the target application is configured to install the key management certificate; the information transmission module 4081 is further configured to obtain a key obtaining request sent by the target application, where the key obtaining request includes a key identifier of the target key; the information processing module 4083 is configured to parse the custom extension field of the key management certificate in response to the key acquisition request to obtain a key value list; the information processing module 4083 is further configured to perform consistency detection on the key value list and the key identifier, and if the consistency detection result indicates that the key value list includes the target key corresponding to the key identifier, send the target key to the target application program.
In some embodiments, the key management certificate creation request includes an identification of the target application; the information transmission module 4081 is further configured to search for an approval object of the key management certificate in a preset approval object list of the key management certificate according to the identifier of the target application program; the information transmission module 4081 is further configured to search a first key list of the key management certificate in a preset key original list according to the identifier of the target application program; the information transmission module 4081 is further configured to determine, according to the identifier of the target application, an IP address list that matches the target application; the information transmission module 4081 is further configured to determine the approval object, the first key list and the IP address list as configuration information of the key management certificate.
In some embodiments, the certificate configuration module 4082 is further configured to determine a type of key management certificate that matches the target application; the certificate configuration module 4082 is further configured to determine a field to be filled in the key management certificate according to the type of the key management certificate; the certificate configuration module 4082 is further configured to populate the field to be populated with the approval object of the key management certificate, the first key list and the IP address list, thereby obtaining the key management certificate of the target application.
In some embodiments, the information processing module 4083 is further configured to parse the custom extension field of the key management certificate to obtain an identity verification manner of the target application program when the target application program is started through the client; the information processing module 4083 is further configured to perform identity verification on the target application according to the identity verification manner, so as to obtain an identity verification result; the information processing module 4083 is further configured to configure first authority information for the key management server when the identity verification result is that the identity verification passes, where the first authority information characterizes that the key management server has an authority to communicate with the target application.
In some embodiments, the information processing module 4083 is further configured to establish a communication connection with the target application when the target application is started by the client; the information processing module 4083 is further configured to receive, by the key management server, a key management certificate sent by the client; the information processing module 4083 is further configured to perform field analysis on the key management certificate by using the key management server to obtain a custom extension field of the key management certificate; the information processing module 4083 is further configured to perform content analysis on the custom extension field of the key management certificate by using the key management server, obtain an approval object and reserved check information of the key management certificate, and determine an identity check mode of the target application program as that the approval object is used for checking and the reserved check information is used for checking.
In some embodiments, the information processing module 4083 is further configured to perform a first identity check on the target application according to the approval object to obtain a first identity check result; the information processing module 4083 is further configured to perform a second identity check on the target application according to the reserved check information when the first identity check result is that the first identity check is passed, so as to obtain a second identity check result; the information processing module 4083 is further configured to configure a random code for the target application program when the second identity verification result is that the second identity verification is passed, where the random code is used to verify the target key obtaining request.
In some embodiments, the information processing module 4083 is further configured to parse header information of the target key acquisition request to obtain a random code in response to the target key acquisition request; the information processing module 4083 is further configured to configure second authority information for the key management server when the random code of the header information of the target key acquisition request is consistent with the random code stored in the key management server, where the second authority information characterizes that the key management server has authority to parse the custom extension field.
In some embodiments, the information processing module 4083 is further configured to obtain a root certificate, where the root certificate is used to detect key management certificates corresponding to different target applications; the information processing module 4083 is further configured to detect, by the root certificate, a range of the first key list of the key management certificate; the information processing module 4083 is further configured to determine that the state of the key management certificate is a valid key management certificate when the range of the first key list is identical to the range of the key list in the root certificate.
In some embodiments, the method is applied to a key management system, and when the newly added application program needs to call at least one key of the target application program, the certificate configuration module 4082 is further configured to add the new application program to the key management system; the certificate configuration module 4082 is further configured to obtain attribute parameters of the new application program; the certificate configuration module 4082 is further configured to respectively adjust the approval object and the first key list in the configuration information of the key management certificate according to the attribute parameter, so as to obtain updated configuration information; the certificate configuration module 4082 is further configured to create a corresponding newly added key management certificate for the new application program according to the updated configuration information; the information transmission module 4081 is further configured to send the new key management certificate to the new application program, so as to enable the new application program to call at least one key of the target application program based on the new key management certificate.
The embodiment of the application also provides electronic equipment, which comprises: a memory for storing executable instructions; and the processor is used for realizing the key management method when executing the executable instructions stored in the memory.
The embodiment of the application also provides a computer readable storage medium which stores executable instructions, and the executable instructions realize the key management method when being executed by a processor.
According to the electronic device shown in fig. 9, in one aspect of the application, the application also provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. A processor of a computer device reads the computer instructions from a computer readable storage medium and executes the computer instructions to cause the computer device to perform the different embodiments and combinations of embodiments provided in various alternative implementations of the key management method provided by embodiments of the present application
The above embodiments are merely examples of the present application and are not intended to limit the scope of the present application, and any modifications, equivalent substitutions and improvements made within the spirit and principle of the present application should be included in the scope of the present application.

Claims (13)

1. A method of key management, the method comprising:
responding to a key management certificate creation request, and acquiring configuration information of the key management certificate;
creating a corresponding key management certificate for a target application program according to the configuration information of the key management certificate, wherein the target application program is used for installing the key management certificate;
acquiring a key acquisition request sent by the target application program, wherein the key acquisition request comprises a key identifier of a target key;
responding to the key acquisition request, analyzing the custom extension field of the key management certificate to obtain a key value list;
and carrying out consistency detection on the key value list and the key identification, and if a consistency detection result shows that the key value list comprises a target key corresponding to the key identification, sending the target key to the target application program.
2. The method of claim 1, wherein the key management certificate creation request includes an identification of the target application; the response to the key management certificate creation request, obtaining configuration information of the key management certificate, includes:
Searching an approval object of the key management certificate in an approval object list of a preset key management certificate according to the identification of the target application program;
searching a first key list of the key management certificate in a preset key original list according to the identification of the target application program;
determining an IP address list matched with the target application program according to the identification of the target application program;
and determining the approval object, the first key list and the IP address list as configuration information of the key management certificate.
3. The method according to claim 2, wherein creating a corresponding key management certificate for the target application according to the configuration information of the key management certificate comprises:
determining a type of the key management certificate that matches the target application;
determining a field to be filled of the key management certificate according to the type of the key management certificate;
and filling the approval object of the key management certificate, the first key list and the IP address list into the field to be filled to obtain the key management certificate of the target application program.
4. The method according to claim 1, wherein the key management method is applied to a key management server;
before acquiring the key acquisition request sent by the target application program, the method further includes:
when the target application program is started through a client, analyzing the custom extension field of the key management certificate to obtain an identity verification mode of the target application program;
according to the identity verification mode, carrying out identity verification on the target application program to obtain an identity verification result;
and when the identity verification result is that the identity verification passes, configuring first authority information for the key management server, wherein the first authority information characterizes that the key management server has the authority of communicating with the target application program.
5. The method of claim 4, wherein the parsing the custom extension field of the key management certificate when the target application is started by the client to obtain the identity verification manner of the target application comprises:
when the target application program is started through the client, the key management server establishes communication connection with the target application program;
The key management server receives the key management certificate sent by the client;
the key management server performs field analysis on the key management certificate to obtain a custom extension field of the key management certificate;
the key management server analyzes the content of the custom extension field of the key management certificate to obtain an approval object and reserved check information of the key management certificate;
and determining the identity verification mode of the target application program as verification through the approval object and verification through the reserved verification information.
6. The method according to claim 5, wherein said verifying the identity of the target application according to the identity verification method comprises:
performing first identity verification on the target application program according to the approval object to obtain a first identity verification result;
when the first identity verification result is that the first identity verification is passed, performing second identity verification on the target application program according to the reserved verification information to obtain a second identity verification result;
and when the second identity verification result is that the second identity verification is passed, the key management server configures a random code for the target application program, wherein the random code is used for verifying the key acquisition request.
7. The method according to any one of claims 1 to 6, wherein before parsing the custom extension field of the key management certificate to obtain a list of key values, the method further comprises:
responding to the key acquisition request, and analyzing the head information of the key acquisition request to obtain a random code;
and when the random code in the header information of the key acquisition request is consistent with the random code stored by the key management server, configuring second authority information for the key management server, wherein the second authority information characterizes that the key management server has authority for analyzing the custom extension field.
8. The method of claim 2, wherein after creating the corresponding key management certificate for the target application, the method further comprises:
acquiring a root certificate, wherein the root certificate is used for detecting key management certificates corresponding to different target application programs;
detecting a range of the first key list of the key management certificate by the root certificate;
and when the range of the first key list is consistent with the range of the key list in the root certificate, determining that the state of the key management certificate is a valid key management certificate.
9. The method of claim 8, wherein the method is applied to a key management system, and wherein when a newly added application needs to invoke at least one key of the target application, the method further comprises:
adding a new application program in the key management system;
acquiring attribute parameters of the new application program;
according to the attribute parameters, respectively adjusting an approval object and a first key list in the configuration information of the key management certificate to obtain updated configuration information;
creating a corresponding newly added key management certificate for the new application program according to the updated configuration information;
and sending the new key management certificate to the new application program so as to realize that at least one key of the target application program can be called based on the new key management certificate by the new application program.
10. A key management apparatus, the apparatus comprising:
the information transmission module is used for responding to the key management certificate creation request and acquiring configuration information of the key management certificate;
the certificate configuration module is used for creating a corresponding key management certificate for a target application program according to the configuration information of the key management certificate, and the target application program is used for installing the key management certificate;
The information transmission module is further configured to obtain a key obtaining request sent by the target application program, where the key obtaining request includes a key identifier of the target key;
the information processing module is used for responding to the key acquisition request and analyzing the custom extension field of the key management certificate to obtain a key value list;
the information processing module is further configured to perform consistency detection on the key value list and the key identifier, and if a consistency detection result indicates that the key value list includes a target key corresponding to the key identifier, send the target key to the target application program.
11. A computer program product comprising a computer program or instructions which, when executed by a processor, implements the key management method of any one of claims 1 to 9.
12. An electronic device, the electronic device comprising:
a memory for storing executable instructions;
a processor for implementing the key management method of any one of claims 1 to 9 when executing executable instructions stored in said memory.
13. A computer readable storage medium storing executable instructions which when executed by a processor implement the key management method of any one of claims 1 to 9.
CN202310760504.2A 2023-06-26 2023-06-26 Key management method, apparatus, computer program product, device, and storage medium Pending CN116980118A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310760504.2A CN116980118A (en) 2023-06-26 2023-06-26 Key management method, apparatus, computer program product, device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310760504.2A CN116980118A (en) 2023-06-26 2023-06-26 Key management method, apparatus, computer program product, device, and storage medium

Publications (1)

Publication Number Publication Date
CN116980118A true CN116980118A (en) 2023-10-31

Family

ID=88475823

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310760504.2A Pending CN116980118A (en) 2023-06-26 2023-06-26 Key management method, apparatus, computer program product, device, and storage medium

Country Status (1)

Country Link
CN (1) CN116980118A (en)

Similar Documents

Publication Publication Date Title
CN111708991B (en) Service authorization method, device, computer equipment and storage medium
CN106850699B (en) A kind of mobile terminal login authentication method and system
US10055561B2 (en) Identity risk score generation and implementation
EP3484125B1 (en) Method and device for scheduling interface of hybrid cloud
CN112583802B (en) Data sharing platform system and equipment based on block chain and data sharing method
JP5522307B2 (en) System and method for remote maintenance of client systems in electronic networks using software testing with virtual machines
US8254579B1 (en) Cryptographic key distribution using a trusted computing platform
WO2017129016A1 (en) Resource access method, apparatus and system
CN114513533A (en) Classified and graded fitness and health big data sharing system and method
US9223807B2 (en) Role-oriented database record field security model
CN113612740B (en) Authority management method and device, computer readable medium and electronic equipment
US10318747B1 (en) Block chain based authentication
CN112671720A (en) Token construction method, device and equipment for cloud platform resource access control
CN115580413B (en) Zero-trust multi-party data fusion calculation method and device
CN116583833A (en) Self-auditing blockchain
US9948632B2 (en) Sharing data between sandboxed applications with certificates
CN110851851B (en) Authority management method, device and equipment in block chain type account book
Huh et al. Managing application whitelists in trusted distributed systems
CN115021995B (en) Multi-channel login method, device, equipment and storage medium
CN111030816A (en) Authentication method and device for access platform of evidence obtaining equipment and storage medium
CN111292082B (en) Public key management method, device and equipment in block chain type account book
CN116980118A (en) Key management method, apparatus, computer program product, device, and storage medium
Rashid et al. Incorporating blockchain into role engineering: a reference architecture using ISO/IEC/IEEE 42010 notation
US20240214228A1 (en) Blockchain based public key infrastructure
CN114117460B (en) Data protection method, device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication