CN117014143A - Key distribution method, system and equipment of load encryption gateway equipment - Google Patents



Publication number
CN117014143A
Authority
CN
China
Prior art keywords
encryption gateway
key
load encryption
networking
load
Legal status
Granted
Application number
CN202311279697.6A
Other languages
Chinese (zh)
Other versions
CN117014143B (en)
Inventor
朱云
李元骅
景连奎
李尚峰
Current Assignee
Beijing Shudun Information Technology Co ltd
Original Assignee
Beijing Shudun Information Technology Co ltd
Events
Application filed by Beijing Shudun Information Technology Co ltd
Priority to CN202311279697.6A
Publication of CN117014143A
Application granted
Publication of CN117014143B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a key distribution method, system and device for load encryption gateway devices, and relates to the technical field of link security. The key distribution method is applied to a load encryption gateway device management system and comprises the following steps: obtaining a target key of a networking, wherein the networking comprises at least two load encryption gateway devices; sending the target key to the at least two load encryption gateway devices in the networking according to the preset update period of each networking; receiving feedback signals from the at least two load encryption gateway devices; and sending a key start instruction to the at least two load encryption gateway devices according to the feedback signals, wherein the start instruction controls each load encryption gateway device to replace its working key with the target key. The scheme of the invention realizes simultaneous updating of the session keys of the load encryption gateways in a networking and ensures secure transmission of data between the devices.

Description

Key distribution method, system and equipment of load encryption gateway equipment
Technical Field
The invention relates to the technical field of link security, in particular to a key distribution method, a system and equipment of load encryption gateway equipment.
Background
With the continuous development of information technology, network security has become more and more important, and the load encryption gateway plays an important role in link encryption technology. However, as security requirements increase, the traditional networking scenario of load encryption gateways exposes the following problem: the session keys of the load encryption gateways within a networking cannot be updated simultaneously.
Disclosure of Invention
The invention provides a key distribution method, system and device for load encryption gateway devices. It solves the problem that, in the networking scenario of existing load encryption gateways, the session keys of the load encryption gateways in a networking cannot be updated at the same time.
In order to solve the technical problems, the technical scheme of the invention is as follows:
the embodiment of the invention provides a key distribution method of load encryption gateway equipment, which is applied to a load encryption gateway equipment management system and comprises the following steps:
obtaining a target key of networking, wherein the networking comprises at least two load encryption gateway devices;
according to the preset updating period of each networking, the target key is sent to at least two load encryption gateway devices in the networking;
receiving feedback signals of at least two load encryption gateway devices;
sending a key starting instruction to the at least two load encryption gateway devices according to the feedback signals; the starting instruction is used for controlling the load encryption gateway equipment and replacing a working key in the load encryption gateway equipment with a target key.
Optionally, obtaining the target key of the networking includes:
acquiring, through a scheduler, the number of key entries stored in the current spare key library;
when the number of spare key entries in the spare key library is smaller than a preset value, acquiring backup keys through the key management system until the number of backup key entries in the spare key library is larger than the preset value;
and when the number of spare keys in the spare key library is larger than the preset value, randomly acquiring the target key of the networking from the spare key library.
Optionally, the networking is formed by grouping at least two load encryption gateway devices according to a networking policy.
Optionally, performing policy grouping on at least two load encryption gateway devices according to a networking policy includes:
setting a policy according to the address information of the load encryption gateway devices, and configuring a source address and a destination address for at least two load encryption gateway devices to form a networking.
Optionally, sending the target key to at least two load encryption gateway devices in the networking according to the preset update period of each networking includes:
acquiring the identifier of the networking currently to be updated according to the preset update period of each networking;
filtering the intra-networking policies according to the identifier of the networking currently to be updated, and acquiring the list of load encryption gateway devices to which the target key is to be issued;
and issuing the target key to each load encryption gateway device in the device list through a secure channel.
Optionally, filtering the intra-networking policies according to the identifier of the networking to obtain the list of load encryption gateway devices to which the target key is to be issued includes:
acquiring, through a preset language, the policy data of all load encryption gateway devices in the networking corresponding to the identifier of the networking currently to be updated;
acquiring the source end device address and the destination end device address in each piece of policy data;
and de-duplicating all the obtained source end device addresses and destination end device addresses to obtain the list of load encryption gateway devices to which the target key is to be issued.
Optionally, acquiring, through a preset language, the policy data of all load encryption gateway devices in the networking corresponding to the identifier of the networking currently to be updated includes:
acquiring the policy data through a structured query language, wherein the policy data comprises address data of at least one group of load encryption gateway devices.
The embodiment of the invention also provides a load encryption gateway equipment management system, which comprises:
an acquisition module, configured to acquire a target key of a networking, wherein the networking comprises at least two load encryption gateway devices;
the processing module is used for sending the target key to at least two load encryption gateway devices in the networking according to the preset updating period of each networking; receiving feedback signals of at least two load encryption gateway devices; sending a key starting instruction to the at least two load encryption gateway devices according to the feedback signals; the starting instruction is used for controlling the load encryption gateway equipment and replacing a working key in the load encryption gateway equipment with a target key.
Embodiments of the present invention also propose a computing device comprising a processor and a memory storing a computer program which, when executed by the processor, performs the key distribution method of the load encryption gateway device described above.
An embodiment of the present invention also proposes a computer-readable storage medium comprising storing instructions that, when executed on a computer, cause the computer to perform the above-described key distribution method of a load encryption gateway device.
The scheme of the invention at least comprises the following beneficial effects:
the key distribution method of the load encryption gateway equipment comprises the following steps: obtaining a target key of networking, wherein the networking comprises at least two load encryption gateway devices; according to the preset updating period of each networking, the target key is sent to at least two load encryption gateway devices in the networking; receiving feedback signals of at least two load encryption gateway devices; sending a key starting instruction to the at least two load encryption gateway devices according to the feedback signals; the starting instruction is used for controlling the load encryption gateway equipment and replacing a working key in the load encryption gateway equipment with a target key. The method realizes the simultaneous updating of the session key of the load encryption gateway in the networking and ensures the safe transmission of data between devices.
Drawings
Fig. 1 is a flow diagram of the key distribution method of a load encryption gateway device of the present invention;
Fig. 2 is a block diagram of the load encryption gateway device management system of the present invention;
Fig. 3 is a flow diagram of the load encryption gateway device management system of the present invention;
Fig. 4 is a schematic diagram of a specific structure of the load encryption gateway device management system of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
As shown in fig. 1, an embodiment of the present invention provides a key distribution method of a load encryption gateway device, which is applied to a load encryption gateway device management system, including:
step 11, obtaining a target key of networking, wherein the networking comprises at least two load encryption gateway devices;
step 12, according to the preset update period of each networking, the target key is sent to at least two load encryption gateway devices in the networking;
step 13, receiving feedback signals of at least two load encryption gateway devices;
step 14, sending a key start instruction to the at least two load encryption gateway devices according to the feedback signals; the starting instruction is used for controlling the load encryption gateway equipment and replacing a working key in the load encryption gateway equipment with a target key.
In this embodiment, the networking is formed by performing policy grouping on at least two load encryption gateway devices according to a networking policy. Before the key distribution method is used, at least two load encryption gateway devices must be brought under management in the load encryption gateway device management system, and policy grouping is then performed on them in the management system according to communication requirements to form at least one networking; a key update period (which may be no update, 30 minutes, 1 day, 30 days, 365 days or a custom time) is set for each networking as required. Then, according to the preset update period of each networking, the target key is sent to the at least two load encryption gateway devices in the networking, and feedback signals are received from all load encryption gateway devices in that networking to which the target key was distributed; a key start instruction is then sent, according to the feedback signals, to the load encryption gateway devices in the networking that were distributed the target key, and the start instruction controls each of those devices to replace its working key with the target key. Through this design of distributing keys within a networking simultaneously, the key distribution method solves the problem that the session keys of the load encryption gateways in a networking cannot be updated at the same time in the networking scenario of existing load encryption gateways; it realizes simultaneous updating of the load encryption gateway session keys in the networking and ensures secure transmission of data between the devices.
In a preferred embodiment, the load encryption gateway device in the load encryption gateway device management system may be divided into a plurality of networks according to the communication requirement, and when in use, the network is used as a unit to perform unified update and distribution management of the key for all the load encryption gateway devices in the network, thereby improving the key distribution efficiency and convenience.
In an alternative embodiment of the present invention, obtaining a target key for networking includes:
step 111, obtaining, through a scheduler, the number of key entries stored in the current spare key library;
step 112, when the number of spare key entries in the spare key library is smaller than a first preset value, obtaining backup keys through the key management system until the number of backup key entries in the spare key library is larger than a second preset value;
and step 113, randomly obtaining the target key of the networking from the spare key library when the number of spare keys in the spare key library is larger than the preset value.
In this embodiment, the first preset value may be set to 50 entries and the second preset value to 500 entries. The specific process of obtaining the target key may be: the scheduler checks the spare library keys, and if fewer than 50 spare library keys remain, it triggers the key management system to acquire keys until the backup key table holds 500 or more; when the number of spare keys in the spare key library is larger than the second preset value, the target key of the networking is randomly obtained from the spare key library.
In an alternative embodiment of the present invention, policy grouping at least two load encryption gateway devices according to a networking policy includes:
setting a policy according to the address information of the load encryption gateway devices, and configuring a source address and a destination address for at least two load encryption gateway devices to form a networking.
In this embodiment, the specific composition of the networking may be set according to the communication requirement. Take as an example a communication requirement in which three load encryption gateway devices must carry out transmission communication, that is, the networking comprises three load encryption gateway devices, a first, a second and a third, where the first load encryption gateway device needs to communicate with the second, and the second needs to communicate with the third:
first, the three load encryption gateway devices are determined, and then policy grouping is performed on them to form a networking, that is, the three load encryption gateway devices are linked by policies into a networking; a specific implementation is as follows:
a first source end device address is set in the first load encryption gateway device, and a first destination end device address corresponding to the first source end device address is set in the second load encryption gateway device; a second source end device address is set in the second load encryption gateway device, and a second destination end device address corresponding to the second source end device address is set in the third load encryption gateway device.
In this embodiment, according to the communication requirement, by designing policy grouping for the load encryption gateway devices associated with each other in the load encryption gateway device management system, updating of the key for each network according to the update requirement of each network can be achieved, convenience in key issuing is improved, and management during simultaneous issuing of the keys in the network is facilitated.
In an alternative embodiment of the present invention, step 12 may include:
step 121, obtaining the identifier of the networking currently to be updated according to the preset update period of each networking;
step 122, filtering the intra-networking policies according to the identifier of the networking currently to be updated, and obtaining the list of load encryption gateway devices to which the target key is to be issued;
and step 123, issuing the target key to each load encryption gateway device in the device list through a secure channel.
In this embodiment, the secure channel may be a 0050 secure channel, that is, a secure channel established by the secure channel protocol of GM/T 0050-2016 (Cryptographic device management: device management technical specification). Before the target key is sent to the load encryption gateway devices in a networking, an identifier must be set for each networking in the load encryption gateway device management system, and the policy data must be bound to the networking identifier when the networking is constructed; then, according to the preset update period of each networking, the identifier of the networking currently to be updated is obtained; the intra-networking policies are filtered according to that identifier to obtain the list of load encryption gateway devices to which the target key is to be issued; and the target key is issued to each load encryption gateway device in the device list through the secure channel.
In an alternative embodiment of the present invention, step 122 may include:
acquiring policy data of all load encryption gateway devices in a networking corresponding to a current networking identifier to be updated through a preset language;
acquiring a source terminal device address and a destination terminal device address in each piece of policy data;
and de-duplicating all the obtained source terminal equipment addresses and destination terminal equipment addresses, and obtaining a load encryption gateway equipment list to be issued by the target key.
The preset language is a structured query language: the policy data of all load encryption gateway devices in the networking corresponding to the identifier of the networking currently to be updated is obtained through the structured query language, and the policy data comprises address data of at least one group of load encryption gateway devices.
In this embodiment, the specific process of obtaining the load encryption gateway device list is illustrated by taking a networking with three load encryption gateway devices and three policies as an example. The three load encryption gateway devices are A, B and C. Policy one: the source end device address is A and the destination end device address is B; policy two: the source end device address is A and the destination end device address is C; policy three: the source end device address is B and the destination end device address is C. First, the source end device address and the destination end device address in each piece of policy data are acquired; the load encryption gateway device addresses collected from the three policies are A, B, A, C, B, C; this set of addresses A, B, A, C, B, C is then de-duplicated to obtain the load encryption gateway device list A, B, C.
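As an added illustration (not part of the patent or the assignee's software), the following Python models the target-key acquisition of steps 111 to 113 and the device-list derivation of steps 121 to 122: a spare key pool with the 50/500 watermarks, policy rows held in an in-memory SQLite table and filtered by networking identifier, and the A, B, A, C, B, C de-duplication. The `KeyManagementSystem` stand-in, the table layout and the sample policies are constructed assumptions.

```python
import secrets
import sqlite3

# Watermarks from the preferred embodiment: replenish below 50 entries, stop at 500.
LOW_WATERMARK = 50
HIGH_WATERMARK = 500


class KeyManagementSystem:
    """Constructed stand-in for the external key management system; hands out fresh random keys."""

    def fetch_keys(self, count):
        return [secrets.token_bytes(16) for _ in range(count)]


class SpareKeyPool:
    """Spare key library that the scheduler consults before each distribution."""

    def __init__(self, kms, keys=None):
        self.kms = kms
        self.keys = list(keys or [])

    def replenish_if_low(self):
        """Steps 111-112: count the entries and, below LOW_WATERMARK, top up to HIGH_WATERMARK."""
        if len(self.keys) < LOW_WATERMARK:
            self.keys.extend(self.kms.fetch_keys(HIGH_WATERMARK - len(self.keys)))
        return len(self.keys)

    def take_target_key(self):
        """Step 113: pick a spare key uniformly at random and remove it so it is never issued twice."""
        self.replenish_if_low()
        return self.keys.pop(secrets.randbelow(len(self.keys)))


# Constructed policy data: (networking_id, source end address, destination end address).
# net-1 is the three-policy example from the description; net-2 shows that filtering
# by networking identifier keeps unrelated gateways out of the list.
SAMPLE_POLICIES = [
    ("net-1", "A", "B"),
    ("net-1", "A", "C"),
    ("net-1", "B", "C"),
    ("net-2", "D", "E"),
]


def build_policy_store(policies):
    """Load policy rows into an in-memory SQLite table bound to the networking identifier."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE policy (networking_id TEXT, src_addr TEXT, dst_addr TEXT)"
    )
    conn.executemany("INSERT INTO policy VALUES (?, ?, ?)", policies)
    conn.commit()
    return conn


def devices_to_issue(conn, networking_id):
    """Steps 121-122: filter the policies of one networking with SQL, collect every
    source and destination address, and de-duplicate while keeping first-seen order."""
    rows = conn.execute(
        "SELECT src_addr, dst_addr FROM policy WHERE networking_id = ?",
        (networking_id,),
    ).fetchall()
    collected = [addr for src, dst in rows for addr in (src, dst)]  # A, B, A, C, B, C
    return list(dict.fromkeys(collected))                           # A, B, C


def prepare_distribution(conn, pool, networking_id):
    """Return (target_key, device_list) for one networking; (None, []) if no policy binds to it,
    in which case no key is consumed from the pool."""
    devices = devices_to_issue(conn, networking_id)
    if not devices:
        return None, []
    return pool.take_target_key(), devices
```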
As shown in fig. 2, an embodiment of the present invention provides a load encryption gateway device management system 20, including:
an obtaining module 21, configured to obtain a target key of a networking, where the networking includes at least two load encryption gateway devices;
the processing module 22 is configured to send the target key to at least two load encryption gateway devices in the network according to a preset update period of each network; receiving feedback signals of at least two load encryption gateway devices; sending a key starting instruction to the at least two load encryption gateway devices according to the feedback signals; the starting instruction is used for controlling the load encryption gateway equipment and replacing a working key in the load encryption gateway equipment with a target key.
Optionally, obtaining the target key of the networking includes:
acquiring, through a scheduler, the number of key entries stored in the current spare key library;
when the number of spare key entries in the spare key library is smaller than a preset value, acquiring backup keys through the key management system until the number of backup key entries in the spare key library is larger than the preset value;
and when the number of spare keys in the spare key library is larger than the preset value, randomly acquiring the target key of the networking from the spare key library.
Optionally, the networking is formed by grouping at least two load encryption gateway devices according to a networking policy.
Optionally, performing policy grouping on at least two load encryption gateway devices according to a networking policy includes:
setting a policy according to the address information of the load encryption gateway devices, and configuring a source address and a destination address for at least two load encryption gateway devices to form a networking.
Optionally, sending the target key to at least two load encryption gateway devices in the networking according to the preset update period of each networking includes:
acquiring the identifier of the networking currently to be updated according to the preset update period of each networking;
filtering the intra-networking policies according to the identifier of the networking currently to be updated, and acquiring the list of load encryption gateway devices to which the target key is to be issued;
and issuing the target key to each load encryption gateway device in the device list through a secure channel.
Optionally, filtering the intra-networking policies according to the identifier of the networking to obtain the list of load encryption gateway devices to which the target key is to be issued includes:
acquiring, through a preset language, the policy data of all load encryption gateway devices in the networking corresponding to the identifier of the networking currently to be updated;
acquiring the source end device address and the destination end device address in each piece of policy data;
and de-duplicating all the obtained source end device addresses and destination end device addresses to obtain the list of load encryption gateway devices to which the target key is to be issued.
Optionally, acquiring, through a preset language, the policy data of all load encryption gateway devices in the networking corresponding to the identifier of the networking currently to be updated includes:
acquiring the policy data through a structured query language, wherein the policy data comprises address data of at least one group of load encryption gateway devices.
As shown in fig. 4, in a specific preferred embodiment, the load encryption gateway device management system may specifically include:
the load encryption gateway device management module 31: used to bring the load encryption gateway devices under management, so as to ensure communication and secure transmission between the load encryption gateway device management system and the load encryption gateway devices.
The key policy configuration module mainly comprises a policy grouping configuration module 32, a key application recording module 33, a configuration issuing recording module 34 and the like;
wherein the policy grouping configuration module 32 is used to realize functions such as grouping management, grouping device list, key re-issuing, policy adding and policy issuing;
grouping management is mainly used to manage the key update period (which may be set to no update, 30 minutes, 1 day, 30 days, 365 days or a custom time), the key application type (which may be SM4-CBC (the SM4 encryption algorithm in CBC mode) or HMAC-SM3 (a hash-based message authentication code algorithm)), the key identification number used by the load encryption gateway devices in the networking, and the latest key update time;
the grouping device list: used to view all load encryption gateways in a networking;
key re-issuing: used to manually trigger an update of the session keys;
policy adding: used to connect encrypted data transmission between two load encryption gateway devices; the main parameters of an added policy are the source (active) end device address, the source end protected subnet, the destination end device address and the destination end protected subnet. One policy grouping configuration module 32 may add multiple policies, each policy connecting two load encryption gateway devices, so that multiple load encryption gateway devices form a networking.
The key application recording module 33: mainly used to record the key application records made by the load encryption gateway device management system to the key management system, so that the application key batch number, key identifier, policy grouping update period, key generation time, encryption algorithm, authentication algorithm, application result and remarks can be viewed;
the configuration issuing recording module 34: used to record the state of the keys issued by the load encryption gateway device management system to the load encryption gateway devices, including the policy grouping, issuing time, issued key batch, devices involved in the issuing and key issuing result.
In a preferred embodiment, the load encryption gateway device management system further includes:
backup key management module: used by the load encryption gateway device management system to check the backup key table data of the spare key library at regular intervals, and to trigger the key management system to acquire keys when fewer than 50 keys remain in the backup key table of the spare key library, stopping the acquisition once the backup key table of the spare key library holds 500 or more.
And the load encryption gateway key issuing scheduling management module: when the policy grouping configuration module 32 sets the key update policy to timed update, the system issues keys on schedule according to the key update period, and the key issuing scheduling management records a timed task list, which includes the current execution state (in execution, all successful, partly successful, all failed), the next task execution time and the last task parameters;
the load encryption gateway key issuing retry management module: when the state of a normal load encryption gateway key issuing is not completely successful, a retry function is triggered and the task data is entered into a task retry list; the task is retried until the next key update period, and the retry interval is increased gradually;
The specific process of key issuing by the load encryption gateway management system is shown in Fig. 3 and includes the following.
The update period of a networking is configured through the grouping management of the policy grouping configuration module 32. When the update period is reached, the load encryption gateway device management module 31 triggers the update dispatcher to execute scheduling. The dispatcher checks the key standby library: if fewer than 50 keys remain, it triggers the secret management system to supply keys until the standby key table holds 500 or more, and then stops acquiring; when the number of spare keys in the standby library is larger than the preset value, a networking target key is drawn at random from the standby library. After the key is obtained, the intra-group policy is filtered by networking identifier (the policy data being queried through structured query language), the list of devices to which the current key must be issued is collected from the source device address and destination device address in the policy data content, and the key is issued to each load encryption gateway device separately through the secure channel. At this point the load encryption gateway device management module 31 creates a new update task for the networking identifier, starts a new thread to monitor the task state, and waits for the key response messages. Once every load encryption gateway device has received the target key (placing it in its pre-use slot) and reported success to the scheduling task, the scheduling task sends a key enabling instruction to every load encryption gateway device in the networking; on receiving the enabling instruction, each device promotes the key in the pre-use slot to the working key (i.e., the target key replaces the original working key and becomes the new working key).
If the responses of all load encryption gateway devices in the networking have not been received within the timeout, the task enters the retry queue. The retry rule is: for the first 10 retries, retry every 3 seconds; thereafter the execution interval grows with the retry count, until the task succeeds or the next update period of the group update policy is reached.
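The standby-library refill, the random target-key draw, the source/destination address de-duplication and the two-phase "deliver, wait for every ack, then enable" rotation with its retry queue, as an added Python sketch that is not the patent's code. The 50/500 thresholds and the 3-second/10-retry rule come from the description; the growth of the interval after the tenth retry, the 16-byte key size, the simulated clock and the sample policy rows are assumptions made here.

```python
import secrets
from dataclasses import dataclass

LOW_WATER, HIGH_WATER = 50, 500   # standby-library thresholds given in the description
FIXED_RETRIES, BASE_DELAY = 10, 3  # first 10 retries every 3 s, then a widening interval

# Constructed sample policy rows (what the SQL filter over the policy table would return).
POLICY_ROWS = [{"network_id": "net-a", "src": "10.0.0.1", "dst": "10.0.0.2"},
               {"network_id": "net-a", "src": "10.0.0.2", "dst": "10.0.0.3"},
               {"network_id": "net-b", "src": "10.0.9.9", "dst": "10.0.0.1"}]

def take_target_key(standby):
    """Refill the standby library when it runs low (a CSPRNG stands in for the
    secret management system), then draw the networking target key at random."""
    if len(standby) < LOW_WATER:
        while len(standby) < HIGH_WATER:
            standby.append(secrets.token_bytes(16))
    return standby.pop(secrets.randbelow(len(standby)))

def device_list(policy_rows, network_id):
    """Filter rows by networking id; de-duplicated src/dst addresses in first-seen order."""
    out = []
    for row in policy_rows:
        if row["network_id"] == network_id:
            for addr in (row["src"], row["dst"]):
                if addr not in out:
                    out.append(addr)
    return out

@dataclass
class Gateway:
    addr: str
    working_key: bytes = b""
    pre_use_key: bytes = b""
    acks_from_attempt: int = 1  # simulated: first delivery attempt that gets an ack

    def receive_key(self, key, attempt):
        if attempt < self.acks_from_attempt:
            return False          # no response before the timeout
        self.pre_use_key = key    # parked in the pre-use slot, not yet active
        return True

    def enable(self):
        self.working_key, self.pre_use_key = self.pre_use_key, b""

def retry_delay(attempt):
    """Seconds before retry `attempt`; growth rate beyond the 10th retry is assumed."""
    return BASE_DELAY * (1 + max(0, attempt - FIXED_RETRIES))

def rotate_group(gateways, key, period_seconds):
    """Deliver to every device, enable only once all acked; stop retrying when the
    next update period arrives (old keys stay live). Returns (enabled, attempts, elapsed)."""
    pending = {g.addr for g in gateways}
    attempt = elapsed = 0
    while pending and elapsed < period_seconds:
        attempt += 1
        for g in gateways:
            if g.addr in pending and g.receive_key(key, attempt):
                pending.discard(g.addr)
        if pending:
            elapsed += retry_delay(attempt)  # simulated clock
    if pending:
        return False, attempt, elapsed
    for g in gateways:
        g.enable()  # second confirmation: pre-use slot becomes the working key
    return True, attempt, elapsed
```

A device that never acks leaves the whole group on its old working key, which is the property the two-phase enable is meant to guarantee.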
The load encryption gateway device management system introduces a group management concept: load encryption gateway devices are grouped into a networking according to specific service requirements, which completes the key issuing mechanism. Correct full issuing and rotation of keys are ensured through a secondary confirmation mode and a retry mechanism, the problem of issuing keys to a plurality of devices at the same time is solved, the session keys of the load encryption gateways in the networking are updated simultaneously, and secure transmission of data between the devices is ensured.
It should be noted that the system corresponds to the key distribution method of the load encryption gateway device described above; all implementations of the method apply to the system embodiment and achieve the same technical effects.
Embodiments of the present invention also provide a computing device comprising: a processor, a memory and a program or instruction stored on the memory and executable on the processor, which when executed by the processor, implement the steps of the key distribution method of a load encryption gateway device as described above.
Embodiments of the present invention also provide a computer-readable storage medium comprising instructions that, when executed on a computer, cause the computer to perform a key distribution method of a load encryption gateway device as described above. All the implementation manners in the above method embodiments are applicable to the embodiment, and the same technical effects can be achieved.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk, etc.
Furthermore, it should be noted that in the apparatus and method of the present invention, it is apparent that the components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered as equivalent aspects of the present invention. Also, the steps of performing the series of processes described above may naturally be performed in chronological order in the order of description, but are not necessarily performed in chronological order, and some steps may be performed in parallel or independently of each other. It will be appreciated by those of ordinary skill in the art that all or any of the steps or components of the methods and apparatus of the present invention may be implemented in hardware, firmware, software, or a combination thereof in any computing device (including processors, storage media, etc.) or network of computing devices, as would be apparent to one of ordinary skill in the art after reading this description of the invention.
The object of the invention can thus also be achieved by running a program or a set of programs on any computing device. The computing device may be a well-known general purpose device. The object of the invention can thus also be achieved by merely providing a program product containing program code for implementing said method or apparatus. That is, such a program product also constitutes the present invention, and a storage medium storing such a program product also constitutes the present invention. It is apparent that the storage medium may be any known storage medium or any storage medium developed in the future. It should also be noted that in the apparatus and method of the present invention, it is apparent that the components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered as equivalent aspects of the present invention. The steps of executing the series of processes may naturally be executed in chronological order in the order described, but are not necessarily executed in chronological order. Some steps may be performed in parallel or independently of each other.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.

Claims (10)

1. A key distribution method for a load encryption gateway device, which is applied to a load encryption gateway device management system, comprising:
obtaining a target key of networking, wherein the networking comprises at least two load encryption gateway devices;
sending the target key to the at least two load encryption gateway devices in the networking according to the preset update period of each networking;
receiving feedback signals from the at least two load encryption gateway devices;
sending a key enabling instruction to the at least two load encryption gateway devices according to the feedback signals, wherein the enabling instruction is used to control the load encryption gateway devices to replace their working key with the target key.
2. The key distribution method of a load encryption gateway device according to claim 1, wherein obtaining a target key of a networking comprises:
acquiring, through a dispatcher, the number of keys stored in the current key standby library;
when the number of spare keys in the key standby library is smaller than a preset value, acquiring spare keys through a secret management system until the number of spare keys in the key standby library is larger than the preset value;
and when the number of spare keys in the key standby library is larger than the preset value, randomly acquiring the networking target key from the key standby library.
3. The key distribution method of a load encryption gateway device according to claim 1, wherein the networking is formed by policy grouping at least two load encryption gateway devices according to a networking policy.
4. The key distribution method of a load encryption gateway device according to claim 3, wherein policy grouping at least two load encryption gateway devices according to a networking policy comprises:
setting a policy according to the address information of the load encryption gateway devices, and configuring the source address and destination address of at least two load encryption gateway devices to form a networking.
5. The key distribution method of a load encryption gateway device according to claim 4, wherein transmitting the target key to at least two load encryption gateway devices within a network according to a preset update period of each network, comprises:
acquiring the identifier of the networking currently to be updated according to the preset update period of each networking;
filtering the intra-networking policy according to the identifier of the networking currently to be updated, and acquiring the list of load encryption gateway devices to which the target key is to be issued;
and issuing the target key to each load encryption gateway device in the device list through the secure channel.
6. The key distribution method of a load encryption gateway device according to claim 5, wherein filtering the intra-networking policy according to the identifier of the networking currently to be updated to obtain the list of load encryption gateway devices to which the target key is to be issued comprises:
acquiring, through a preset language, the policy data of all load encryption gateway devices in the networking corresponding to the identifier of the networking currently to be updated;
acquiring the source terminal device address and destination terminal device address in each piece of policy data;
and de-duplicating all the obtained source terminal device addresses and destination terminal device addresses to obtain the list of load encryption gateway devices to which the target key is to be issued.
7. The key distribution method of a load encryption gateway device according to claim 6, wherein acquiring, through a preset language, the policy data of all load encryption gateway devices in the networking corresponding to the identifier of the networking currently to be updated comprises:
acquiring, through structured query language, the policy data of all load encryption gateway devices in the networking corresponding to the identifier of the networking currently to be updated, wherein the policy data comprises address data of at least one group of load encryption gateway devices.
8. A load encryption gateway device management system, comprising:
an acquisition module, configured to acquire a target key of a networking, wherein the networking comprises at least two load encryption gateway devices;
a processing module, configured to send the target key to the at least two load encryption gateway devices in the networking according to the preset update period of each networking; receive feedback signals from the at least two load encryption gateway devices; and send a key enabling instruction to the at least two load encryption gateway devices according to the feedback signals, wherein the enabling instruction is used to control the load encryption gateway devices to replace their working key with the target key.
9. A computing device, comprising: a processor, a memory storing a computer program which, when executed by the processor, performs the method of any one of claims 1 to 7.
10. A computer readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1 to 7.
CN202311279697.6A 2023-10-07 2023-10-07 Key distribution method, system and equipment of load encryption gateway equipment Active CN117014143B (en)


Publications (2)

Publication Number Publication Date
CN117014143A true CN117014143A (en) 2023-11-07
CN117014143B CN117014143B (en) 2024-01-05

Family

ID=88567579





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant