CN117395000B - Multiparty authorization method, multiparty authorization device and readable storage medium - Google Patents
Multiparty authorization method, multiparty authorization device and readable storage medium Download PDFInfo
- Publication number
- CN117395000B CN117395000B CN202311659788.2A CN202311659788A CN117395000B CN 117395000 B CN117395000 B CN 117395000B CN 202311659788 A CN202311659788 A CN 202311659788A CN 117395000 B CN117395000 B CN 117395000B
- Authority
- CN
- China
- Prior art keywords
- key
- authorization
- request
- reconstruction
- multiparty
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000013475 authorization Methods 0.000 title claims abstract description 277
- 238000000034 method Methods 0.000 title claims abstract description 55
- 238000003860 storage Methods 0.000 title claims abstract description 22
- 230000009471 action Effects 0.000 claims abstract description 49
- 239000012634 fragment Substances 0.000 claims description 108
- 238000012795 verification Methods 0.000 claims description 22
- 230000004044 response Effects 0.000 claims description 14
- 238000012545 processing Methods 0.000 claims description 13
- 238000004422 calculation algorithm Methods 0.000 claims description 11
- 230000011218 segmentation Effects 0.000 claims description 7
- 238000009826 distribution Methods 0.000 claims description 6
- 230000005540 biological transmission Effects 0.000 abstract description 2
- 238000005516 engineering process Methods 0.000 abstract description 2
- 238000007726 management method Methods 0.000 description 11
- 238000004590 computer program Methods 0.000 description 10
- 238000010586 diagram Methods 0.000 description 8
- 230000008569 process Effects 0.000 description 8
- 230000007246 mechanism Effects 0.000 description 5
- 230000004048 modification Effects 0.000 description 5
- 238000012986 modification Methods 0.000 description 5
- 238000004891 communication Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 230000004075 alteration Effects 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 2
- 230000001010 compromised effect Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000013500 data storage Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000013467 fragmentation Methods 0.000 description 1
- 238000006062 fragmentation reaction Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3242—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The present invention relates to the field of digital information transmission technologies, and in particular, to a multiparty authorization method, a multiparty authorization device, and a readable storage medium. Generating a key reconstruction request corresponding to an authorization request when the authorization request occurs; the key reconstruction request is sent to a server side and other authorized sides except the server side; receiving a reconstruction key responded by the server side; and executing the authorization action corresponding to the authorization request based on the reconstruction key. The security and management of the authorization key are enhanced, the security of the whole system is improved, the system can be better adapted to complex scenes of multiparty participation, and support is provided for dynamic collaboration.
Description
Technical Field
The present invention relates to the field of digital information transmission technologies, and in particular, to a multiparty authorization method, a multiparty authorization device, and a readable storage medium.
Background
Authorization mechanisms are key factors in ensuring data and resource access security, privacy protection, and compliance. In conventional authorization mechanisms, access rights are typically granted by an authority or entity. However, since the keys are all managed by a single authority, if the institution or entity is hacked or compromised internally, the sensitive data and private information of the user and other parties may be at risk of being compromised, tampered with or misused. Therefore, the conventional authorization mechanism has the defect of insufficient security.
The foregoing is provided merely for the purpose of facilitating understanding of the technical solutions of the present invention and is not intended to represent an admission that the foregoing is prior art.
Disclosure of Invention
The invention mainly aims to provide a multiparty authorization method which aims to solve the problem of insufficient security existing in the traditional authorization mechanism.
In order to achieve the above object, the present invention provides a multiparty authorization method applied to an authorization terminal, the multiparty authorization method comprising the steps of:
when an authorization request occurs, generating a key reconstruction request corresponding to the authorization request;
the key reconstruction request is sent to a server side and other authorized sides except the server side;
receiving a reconstruction key responded by the server side;
and executing the authorization action corresponding to the authorization request based on the reconstruction key.
Optionally, the multiparty authorization method further comprises:
generating an authorization key corresponding to the authorization action;
according to the number of the authorized terminals, carrying out key segmentation processing on the authorized keys to generate key fragments of the shares corresponding to the number;
based on a random distribution algorithm, determining a corresponding relation between the authorization terminal and the key fragment;
and distributing the key fragments to the other authorized terminals according to the corresponding relation.
Optionally, after the step of performing the authorization action corresponding to the authorization request based on the reconstruction key, the method further includes:
and after the authorization action is executed, executing the step of generating the authorization key corresponding to the authorization action.
Optionally, before the step of performing the authorization action corresponding to the authorization request based on the reconstruction key, the method further includes:
executing decryption operation on a preset ciphertext based on the reconstruction key;
executing the authorization action corresponding to the authorization request based on the reconstruction key when the decryption is successful;
otherwise, discarding the reconstruction key, and executing the step of generating a key reconstruction request corresponding to the authorization request.
Optionally, after the step of generating the authorization key corresponding to the authorization action, the method further includes:
generating a random number based on a random number generation algorithm;
and encrypting the random number according to the authorization key to generate the preset ciphertext.
Optionally, the multiparty authorization method further comprises:
receiving the key reconstruction request sent by the other authorized end;
determining the key fragment corresponding to the key reconstruction request;
and sending the key fragment to the server side.
Optionally, after the step of receiving the key reconstruction request sent by the other authorized end, the method further includes:
reading a key fragment in the key reconstruction request;
performing consistency verification on the key fragments in the key reconstruction request;
after the key fragments in the key reconstruction request pass the consistency verification, executing the step of determining the key fragments corresponding to the key reconstruction request;
and if the key fragment in the key reconstruction request fails to pass the consistency verification, sending response information of the failed key fragment verification to the sending end of the key reconstruction request.
Optionally, the multiparty authorization method applied to the server comprises the following steps:
receiving a key reconstruction request sent by an authorization terminal and a key fragment;
generating a reconstruction key corresponding to the key reconstruction request according to the key fragment;
and sending the reconstruction key to a sending end of the key reconstruction request as response information of the key reconstruction request.
In addition, in order to achieve the above object, the present invention also provides a multiparty authorization device, which includes a memory, a processor, and a multiparty authorization program stored on the memory and executable on the processor, the multiparty authorization program implementing the steps of the multiparty authorization method as described above when executed by the processor.
In addition, to achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon a multiparty authorization program which, when executed by a processor, implements the steps of the multiparty authorization method as described above.
The embodiment of the invention provides a multiparty authorization method, which realizes multiparty participating key management by generating a key reconstruction request and sending the key reconstruction request to a server end and other authorization ends, and can avoid the risk and burden of bearing all key management by a single authorization end; in addition, the generation and storage of the secret key are dispersed to a plurality of participants, so that the security of the secret key is improved. By generating a new key reconstruction request each time of authorization request and transmitting it to other authorization terminals, the system can dynamically adapt to different authorization requests and participants. The flexibility and the dynamic collaboration enable the system to adapt to complex scenarios involving multiple parties and to be improved in real-time and security. Therefore, the security and management of the authorized key can be enhanced through the decentralized key management and the dynamic cooperation support, the security of the whole system is improved, the complex scene of multiparty participation can be better adapted, and the support is provided for dynamic cooperation.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention. In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a schematic architecture diagram of a hardware operating environment of a multiparty authorization device in accordance with an embodiment of the present invention;
FIG. 2 is a flow chart of a first embodiment of the multi-party authorization method of the present invention;
FIG. 3 is a flow chart of a second embodiment of the multi-party authorization method of the present invention;
fig. 4 is a flow chart of a third embodiment of the multiparty authorization method of the present invention.
Fig. 5 is a flow chart of an example of the multiparty authorization method of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
The application discloses a multiparty authorization method, which is characterized in that when an authorization request occurs, a key reconstruction request corresponding to the authorization request is generated; the key reconstruction request is sent to a server side and other authorized sides except the server side; receiving a reconstruction key responded by the server side; and executing the authorization action corresponding to the authorization request based on the reconstruction key. The security and management of the authorization key are enhanced, the security of the whole system is improved, the system can be better adapted to complex scenes of multiparty participation, and support is provided for dynamic collaboration.
In order to better understand the above technical solution, exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As an implementation scheme, fig. 1 is a schematic architecture diagram of a hardware running environment of a multiparty authorization device according to an embodiment of the present invention.
As shown in fig. 1, the multiparty authorization device may include: a processor 101, such as a central processing unit (Central Processing Unit, CPU), a memory 102, a communication bus 103. The Memory 102 may be a high-speed random access Memory (Random Access Memory, RAM) Memory or a stable nonvolatile Memory (NVM), such as a disk Memory. The memory 102 may alternatively be a storage device separate from the aforementioned processor 101. The communication bus 103 is used to enable connected communication among the components.
It will be appreciated by those skilled in the art that the structure shown in fig. 1 is not limiting of the multiparty authorization device and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
As shown in fig. 1, an operating system, a data storage module, a network communication module, a user interface module, and a multiparty authorization program may be included in the memory 102, which is one type of computer-readable storage medium.
In the multiparty authentication device shown in fig. 1, the processor 101, the memory 102 may be provided in a multiparty authentication device that invokes a multiparty authentication program stored in the memory 102 through the processor 101 and performs the following operations:
when an authorization request occurs, generating a key reconstruction request corresponding to the authorization request;
the key reconstruction request is sent to a server side and other authorized sides except the server side;
receiving a reconstruction key responded by the server side;
and executing the authorization action corresponding to the authorization request based on the reconstruction key.
In one embodiment, the processor 101 may be configured to invoke the multiparty authorization program stored in the memory 102 and perform the following operations:
generating an authorization key corresponding to the authorization action;
according to the number of the authorized terminals, carrying out key segmentation processing on the authorized keys to generate key fragments of the shares corresponding to the number;
based on a random distribution algorithm, determining a corresponding relation between the authorization terminal and the key fragment;
and distributing the key fragments to the other authorized terminals according to the corresponding relation.
In one embodiment, the processor 101 may be configured to invoke the multiparty authorization program stored in the memory 102 and perform the following operations:
and after the authorization action is executed, executing the step of generating the authorization key corresponding to the authorization action.
In one embodiment, the processor 101 may be configured to invoke the multiparty authorization program stored in the memory 102 and perform the following operations:
executing decryption operation on a preset ciphertext based on the reconstruction key;
executing the authorization action corresponding to the authorization request based on the reconstruction key when the decryption is successful;
otherwise, discarding the reconstruction key, and executing the step of generating a key reconstruction request corresponding to the authorization request.
In one embodiment, the processor 101 may be configured to invoke the multiparty authorization program stored in the memory 102 and perform the following operations:
generating a random number based on a random number generation algorithm;
and encrypting the random number according to the authorization key to generate the preset ciphertext.
In one embodiment, the processor 101 may be configured to invoke the multiparty authorization program stored in the memory 102 and perform the following operations:
receiving the key reconstruction request sent by the other authorized end;
determining the key fragment corresponding to the key reconstruction request;
and sending the key fragment to the server side.
In one embodiment, the processor 101 may be configured to invoke the multiparty authorization program stored in the memory 102 and perform the following operations:
reading a key fragment in the key reconstruction request;
performing consistency verification on the key fragments in the key reconstruction request;
after the key fragments in the key reconstruction request pass the consistency verification, executing the step of determining the key fragments corresponding to the key reconstruction request;
and if the key fragment in the key reconstruction request fails to pass the consistency verification, sending response information of the failed key fragment verification to the sending end of the key reconstruction request.
In one embodiment, the processor 101 may be configured to invoke the multiparty authorization program stored in the memory 102 and perform the following operations:
receiving a key reconstruction request sent by an authorization terminal and a key fragment;
generating a reconstruction key corresponding to the key reconstruction request according to the key fragment;
and sending the reconstruction key to a sending end of the key reconstruction request as response information of the key reconstruction request.
Based on the hardware architecture of the multiparty authorization device, the embodiment of the multiparty authorization method is provided.
Referring to fig. 2, in a first embodiment, the multiparty authorization method is applied to an authorization side, and includes the steps of:
step S100: when an authorization request occurs, a key reconstruction request corresponding to the authorization request is generated.
In this embodiment, when an authorization request occurs at the authorization end, a key reconstruction request corresponding to the authorization request is generated according to an authorization action corresponding to the authorization request. The key reconstruction request is used for requesting to acquire an authorization key required for executing the authorization action corresponding to the authorization request. It will be appreciated that, in this embodiment, the response information of the key reconstruction request is referred to as a reconstruction key, but the reconstruction key is not necessarily equivalent to the authorization key corresponding to the authorization request, and the reconstruction key is only equivalent to the authorization key when the reconstruction key can be used to perform the authorization action corresponding to the authorization request.
Optionally, the key reconstruction request comprises an authorization request, or a key fragment comprising the authorization request and the authorization key. It should be noted that, the authorization request is used to determine a key fragment corresponding to the target authorization key required by the authorization action. And carrying out key reconstruction operation on the key fragments belonging to the same authorization key to obtain a reconstructed key.
Step S200: and sending the key reconstruction request to a server side and other authorized sides except the server side.
In this embodiment, after generating the key reconstruction request, the authorization terminal sends the key reconstruction request to the server terminal and other authorization terminals other than the server terminal itself. The other authorization end here holds the key fragment needed for generating the reconstruction key.
Optionally, before sending the key reconstruction request to other authorized ends, determining the share sent by the key reconstruction request according to the number of the other authorized ends; and selecting a corresponding number of target authorized terminals from other authorized terminals to send the key reconstruction request according to the share sent by the key reconstruction request. It should be noted that the key reconstruction operation can be performed only when a certain number of key fragments of the same authorization key are possessed.
As an alternative embodiment, it is assumed that only the authorization request is included in the key reconstruction request. When the total number of the authorized terminals is 5, the number of the selected target authorized terminals is at least 3; when the total number of the authorized terminals is 7, the number of the selected target authorized terminals is at least 5.
As another alternative embodiment, it is assumed that the key reconstruction request includes an authorization request and a key fragment. When the total number of the authorized terminals is 5, the number of the selected target authorized terminals is at least 2; when the total number of the authorized terminals is 7, the number of the selected target authorized terminals is at least 4.
Step S300: and receiving the reconstruction key responded by the server side.
Step S400: and executing the authorization action corresponding to the authorization request based on the reconstruction key.
In this embodiment, after a key reconstruction request is sent to the server side and other authorized sides, a reconstruction key generated by the server side in response to the key reconstruction request is received. It will be appreciated that the step of generating a reconstruction key based on the key reconstruction operation is performed at the server side.
And after receiving the reconstruction key sent by the server, executing the authorization action corresponding to the authorization request based on the reconstruction key.
Further, the multiparty authorization method further comprises:
step S510: generating an authorization key corresponding to the authorization action;
step S520: according to the number of the authorized terminals, carrying out key segmentation processing on the authorized keys to generate key fragments of the shares corresponding to the number;
step S530: based on a random distribution algorithm, determining a corresponding relation between the authorization terminal and the key fragment;
step S540: and distributing the key fragments to the other authorized terminals according to the corresponding relation.
In this embodiment, each authorization action corresponds to an authorization key that is generated at the authorization side before an authorization request occurs. After the authorization terminal generates the authorization key corresponding to the authorization action, the authorization key is not saved, but the authorization key is subjected to key segmentation processing according to the number of the authorization terminals, so that key fragments with shares corresponding to the number of the authorization terminals are generated. And then, after one key fragment is stored, based on a random distribution algorithm, determining the corresponding relation between other authorized ends except the key fragment and the rest key fragments, and distributing the rest key fragments to other authorized ends except the key fragment according to the corresponding relation. It can be appreciated that, through the above process, each authorization terminal stores a key fragment of the authorization key corresponding to the authorization action.
By generating, dividing and distributing the authorization key, the corresponding authorization action of the authorization request needs to be completed by cooperation of a plurality of authorization terminals. This is done in order to enhance the security and reliability of the authorization process.
Optionally, after the authorization action is executed, the step of generating the authorization key corresponding to the authorization action is executed, so as to update the authorization key corresponding to the authorization action. In addition, the condition for executing the step of generating the authorization key corresponding to the authorization action may be when the number of authorized terminals is changed or when the key fragment or the authorization key is leaked.
After the authorization action is finished, the step of generating the authorization key corresponding to the authorization action is performed, so that the new authorization key can be ensured to be used for each authorization action. And further, the security of the authorization action is enhanced, and the risk of potential key leakage or key failure to the system security is prevented. In addition, the number of authorized ends becomes necessary to regenerate and distribute the authorization keys and key fragments to ensure that the new authorized end can obtain the key fragments required for the key reconstruction operation and that the original authorized end no longer has the authority to perform the authorization actions. If a key fragment or authorization key leaks, a new authorization key needs to be generated and the key fragment reassigned in order to protect the security of the system, to ensure that an unauthorized person or entity cannot obtain a valid authorization key or key fragment. The aim of this is to ensure the security and reliability of the authorization process and to deal with potential security risks in time by generating the authorization key corresponding to the authorization action at the appropriate moment.
Optionally, after receiving the reconstructed key sent by the server, the authorization terminal needs to verify the reconstructed key, and after the reconstructed key passes the verification, the authorization terminal executes the authorization action corresponding to the authorization request based on the reconstructed key. Specifically, the verification step of the reconstruction key includes performing a decryption operation on a preset ciphertext based on the reconstruction key; executing the authorization action corresponding to the authorization request based on the reconstruction key when the decryption is successful; otherwise, discarding the reconstruction key, and executing the step of generating a key reconstruction request corresponding to the authorization request. It can be understood that if the reconstructed key can successfully decrypt the preset ciphertext, it can be determined that the reconstructed ciphertext corresponds to the authorization key corresponding to the authorization action, and the reconstructed key can be used for executing the authorization action.
Further, the preset ciphertext is generated and stored in the authorization terminal when the authorization terminal generates the authorization key. Specifically, after generating an authorization key, the authorization terminal generates a random number based on a random number generation algorithm; and then, encrypting the random number by adopting the authorization key to generate a preset ciphertext. It will be appreciated that the preset ciphertext is used to verify the validity of the reconstructed key.
In the technical scheme provided by the embodiment, the key management of multiparty participation is realized by generating the key reconstruction request and sending the key reconstruction request to the server end and other authorized ends, so that the risk and burden of bearing all key management by a single authorized end can be avoided; in addition, the generation and storage of the secret key are dispersed to a plurality of participants, so that the security of the secret key is improved. By generating a new key reconstruction request each time of authorization request and transmitting it to other authorization terminals, the system can dynamically adapt to different authorization requests and participants. The flexibility and the dynamic collaboration enable the system to adapt to complex scenarios involving multiple parties and to be improved in real-time and security. Therefore, the security and management of the authorized key can be enhanced through the decentralized key management and the dynamic cooperation support, the security of the whole system is improved, the complex scene of multiparty participation can be better adapted, and the support is provided for dynamic cooperation.
Referring to fig. 3, based on the above embodiment, in a second embodiment, the multiparty authorization method further includes:
step S600: receiving the key reconstruction request sent by the other authorized end;
step S700: determining the key fragment corresponding to the key reconstruction request;
step S800: and sending the key fragment to the server side.
In this embodiment, when the authorization terminal receives a key reconstruction request sent by another authorization terminal, an authorization key to be reconstructed is determined according to the key reconstruction request; and then, from the key fragments corresponding to the stored authorization keys, the key fragments corresponding to the authorization keys. It will be appreciated that the key fragment corresponding to the last determined authorization key, i.e. the key fragment corresponding to the key reconstruction request. Further, after determining the key fragment corresponding to the key reconstruction request, the key fragment is sent to the server side, so that the server side can generate the reconstruction key.
Further, after receiving the key reconstruction request, the authorization terminal verifies the key reconstruction request, and when the reconstruction request passes the verification, the authorization terminal invokes a key fragment corresponding to the key and sends the key fragment to the server terminal; otherwise, sending response information which is not passed by the verification of the key reconstruction request to the sending end of the key reconstruction request.
By verifying the key reconstruction request, a threat to system security by an illegal request from an unauthorized sender or a malicious attacker can be prevented. Only after the request passes the verification, the authorization terminal can send the corresponding key fragment to the server terminal, thereby protecting the confidentiality and the integrity of the authorization key. Therefore, by verifying the key reconstruction request, illegal requests can be effectively prevented, the security of the authorized key is protected, and the aim of improving the system security is fulfilled.
In one embodiment, the key reconstruction request includes a key fragment. And reading the key fragments in the key reconstruction request, and performing consistency verification on the key fragments in the key reconstruction request. After the key fragments in the key reconstruction request pass the consistency verification, executing the step of determining the key fragments corresponding to the key reconstruction request; and if the key fragment in the key reconstruction request fails to pass the consistency verification, sending response information of the failed key fragment verification to the sending end of the key reconstruction request.
In another embodiment, the key reconstruction request includes a key fragment and a MAC value for the key fragment. Acquiring the MAC value of the key fragment in the key reconstruction request by reading the MAC value in the key reconstruction request and based on an HMAC algorithm; then, verifying the MAC value of the key fragment, and the consistency of the MAC value in the key reconstruction request; and executing the step of determining the key fragment corresponding to the key reconstruction request when the MAC value of the key fragment passes the consistency verification.
In the technical scheme provided by the embodiment, the corresponding key fragments are determined according to the key reconstruction request, and the determined key fragments are sent to the server side for key reconstruction. The multi-party participation, the decentralized management and the multi-party authorization are realized, and the purposes of improving the security of the secret key and the security of the system are further achieved.
Referring to fig. 4, based on the above embodiment, in a third embodiment, the multiparty authorization method is applied to a server side, and includes:
step S910: receiving a key reconstruction request sent by an authorization terminal and a key fragment;
step S920: generating a reconstruction key corresponding to the key reconstruction request according to the key fragment;
step S930: and sending the reconstruction key to a sending end of the key reconstruction request as response information of the key reconstruction request.
In this embodiment, after receiving a key reconstruction request and a key fragment sent by an authorization terminal, a server executes a key reconstruction operation based on the key fragment, generates a reconstruction key corresponding to the key reconstruction request, and sends the reconstruction key as response information of the key reconstruction request to a sending terminal of the key reconstruction request.
Optionally, before executing the key reconstruction operation based on the key fragment, the server side needs to determine whether the key reconstruction condition is met according to the received share of the key fragment and the number of the authorized sides; and performing key reconstruction operation when the share of the key fragment meets the key reconstruction condition. Illustratively, when the number of authorized ends is 5, at least 3 key fragments are required to meet the key reconstruction condition; when the number of authorized ends is 7, at least 5 key fragments are required to meet the key reconstruction condition.
For example, as shown in fig. 5, a total of 5 authorized ends are assumed, namely, authorized end a, authorized end B, authorized end C, authorized end D, and authorized end E. Firstly, an authorization terminal A generates a corresponding authorization key according to an authorization action, encrypts a random number based on the authorization key, and generates and stores a preset ciphertext. Then, according to the number of the authorized terminals, the key segmentation processing is carried out on the authorized key to generate 5 key fragments, namely fragments 1, 2, 3, 4 and 5. Then, the authorized end a saves the segment 1 and distributes the segments 2, 3, 4, and 5 to the authorized end B, C, D, and E randomly.
Assume that segment 2 is received by authorization terminal B, segment 3 is received by authorization terminal C, segment 4 is received by authorization terminal D, and segment 5 is received by authorization terminal E. When the authorization terminal E receives an authorization request sent by a requester, the authorization terminal E generates a key reconstruction request based on the authorization request. Then, based on the number of the authorized terminals being 5, 3 target authorized terminals are selected from other authorized terminals except the authorized terminal.
Suppose that the selected target authorized end is authorized end B, authorized end C, and authorized end D. After receiving the key reconstruction request, the authorization terminal B, the authorization terminal C and the authorization terminal D correspondingly send the segments 2, 3 and 4 to the server according to the key reconstruction request. And the server side performs key reconstruction operation according to the received fragments 2, 3 and 4, generates a reconstruction key and sends the reconstruction key to the authorization side E.
After receiving the reconstruction key, the authorization terminal E performs authorization operation on the request terminal based on the reconstruction key and the authorization request of the response terminal.
In the technical scheme provided by the embodiment, the server side has stronger security performance and protection mechanism, so that the security of key reconstruction can be ensured, and important information is prevented from being revealed. Thus, by sending the key reconstruction request and the key fragment to the server side, the process of key reconstruction can be completed in a relatively secure environment. By completing the process of key reconstruction at the server side, the flow of key management can be simplified. The authorization terminal only needs to send the key reconstruction request and the key fragment to the server terminal, and does not need to actually perform the calculation process of key reconstruction, thereby reducing the calculation burden of the authorization terminal and improving the efficiency and response speed of the system.
Furthermore, it will be appreciated by those of ordinary skill in the art that implementing all or part of the processes in the methods of the above embodiments may be accomplished by computer programs to instruct related hardware. The computer program comprises program instructions, and the computer program may be stored in a storage medium, which is a computer readable storage medium. The program instructions are executed by at least one processor in the multi-party authorization device to implement the flow steps of the embodiments of the method described above.
Accordingly, the present invention also provides a computer-readable storage medium storing a multiparty authorization program which, when executed by a processor, implements the steps of the multiparty authorization method described in the above embodiments.
The computer readable storage medium may be a usb disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, or an optical disk, etc. which may store the program code.
It should be noted that, because the storage medium provided in the embodiments of the present application is a storage medium used to implement the method in the embodiments of the present application, based on the method described in the embodiments of the present application, a person skilled in the art can understand the specific structure and the modification of the storage medium, and therefore, the description thereof is omitted herein. All storage media used in the methods of the embodiments of the present application are within the scope of protection intended in the present application.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second and third, et cetera do not indicate any ordering. These words may be interpreted as names.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
Claims (9)
1. A multi-party authorization method, characterized in that it is applied to an authorization terminal, the multi-party authorization method comprising:
generating an authorization key corresponding to the authorization action;
according to the number of the authorized terminals, carrying out key segmentation processing on the authorized keys to generate key fragments of the shares corresponding to the number;
after one of the key fragments is stored, based on a random distribution algorithm, determining the corresponding relation between other authorization ends except the authorization ends and the key fragments;
distributing the rest key fragments to the other authorized terminals according to the corresponding relation;
when an authorization request occurs, generating a key reconstruction request corresponding to the authorization request, wherein the key reconstruction request comprises the authorization request and a key fragment corresponding to the authorization request;
sending the key reconstruction request to a server side and the other authorization side;
receiving a reconstruction key responded by the server side;
executing decryption operation on a preset ciphertext based on the reconstruction key;
and when the decryption is successful, executing the authorization action corresponding to the authorization request based on the reconstruction key.
2. The multi-party authorization method according to claim 1, further comprising, after the step of performing an authorization action corresponding to the authorization request based on the reconstruction key:
and after the authorization action is executed, executing the step of generating the authorization key corresponding to the authorization action.
3. The multi-party authorization method according to claim 1, further comprising, after the step of performing a decryption operation on a preset ciphertext based on the reconstruction key:
and when decryption fails, discarding the reconstruction key, and executing the step of generating a key reconstruction request corresponding to the authorization request.
4. The multi-party authorization method according to claim 1, wherein after the step of generating the authorization key corresponding to the authorization action, further comprises:
generating a random number based on a random number generation algorithm;
and encrypting the random number according to the authorization key to generate the preset ciphertext.
5. The multi-party authorization method according to claim 1, further comprising:
receiving the key reconstruction request sent by the other authorized end;
determining the key fragment corresponding to the key reconstruction request;
and sending the key fragment to the server side.
6. The multiparty authorization method according to claim 1, wherein after the step of receiving the key reconstruction request sent by the other authorized end, further comprises:
reading a key fragment in the key reconstruction request;
performing consistency verification on the key fragments in the key reconstruction request;
after the key fragments in the key reconstruction request pass the consistency verification, executing the step of determining the key fragments corresponding to the key reconstruction request;
and if the key fragment in the key reconstruction request fails to pass the consistency verification, sending response information of the failed key fragment verification to the sending end of the key reconstruction request.
7. A multi-party authorization method, characterized in that it is applied to a server side, the multi-party authorization method comprising:
the method comprises the steps that an authorization terminal generates an authorization key corresponding to an authorization action, and key segmentation processing is carried out on the authorization key according to the number of the authorization terminal, so as to generate key fragments with corresponding shares;
after one of the key fragments is stored by the authorization terminal, based on a random distribution algorithm, determining the corresponding relation between other authorization terminals except the authorization terminal and the key fragment, and distributing the rest key fragments to the other authorization terminals according to the corresponding relation;
when an authorization request occurs, the authorization terminal generates a key reconstruction request corresponding to the authorization request and sends the key reconstruction request to a server terminal and the other authorization terminals, wherein the key reconstruction request comprises the authorization request and a key fragment corresponding to the authorization request;
the server receives a key reconstruction request sent by an authorization terminal and key fragments sent by other authorization terminals except the authorization terminal;
generating a reconstruction key corresponding to the key reconstruction request according to the key fragment;
the reconstructed key is used as response information of the key reconstruction request and is sent to a sending end of the key reconstruction request;
the authorization terminal receives the reconstruction key and executes decryption operation on a preset ciphertext based on the reconstruction key;
and when the decryption is successful, the authorization terminal executes the authorization action corresponding to the authorization request based on the reconstruction key.
8. A multi-party authorization device, the multi-party authorization device comprising: a memory, a processor and a multiparty authorisation program stored on the memory and executable on the processor, the multiparty authorisation program being configured to implement any one of claims 1 to 6, or the steps of a multiparty authorisation method as claimed in claim 7.
9. A readable storage medium, characterized in that the readable storage medium has stored thereon a multiparty authorization program, which when executed by a processor, implements the steps of the multiparty authorization method according to any of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311659788.2A CN117395000B (en) | 2023-12-06 | 2023-12-06 | Multiparty authorization method, multiparty authorization device and readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311659788.2A CN117395000B (en) | 2023-12-06 | 2023-12-06 | Multiparty authorization method, multiparty authorization device and readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117395000A CN117395000A (en) | 2024-01-12 |
| CN117395000B true CN117395000B (en) | 2024-04-05 |
Family
ID=89465261
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311659788.2A Active CN117395000B (en) | 2023-12-06 | 2023-12-06 | Multiparty authorization method, multiparty authorization device and readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117395000B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111971929A (en) * | 2018-12-03 | 2020-11-20 | 福瑞斯有限公司 | Secure distributed key management system |
| CN113779606A (en) * | 2021-09-15 | 2021-12-10 | 杭州溪塔科技有限公司 | Information verification method and system for reducing privacy disclosure risk |
| CN115048657A (en) * | 2021-03-09 | 2022-09-13 | 技术创新研究所 | System, method, and computer-readable medium for protecting cryptographic keys |
| CN115549907A (en) * | 2022-11-24 | 2022-12-30 | 北京智芯微电子科技有限公司 | Root key management system, backup method, recovery method, device and electronic equipment |
| CN117040764A (en) * | 2023-08-31 | 2023-11-10 | 蚂蚁区块链科技(上海)有限公司 | Secret key share updating method, computer equipment and storage medium |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9413735B1 (en) * | 2015-01-20 | 2016-08-09 | Ca, Inc. | Managing distribution and retrieval of security key fragments among proxy storage devices |
| US20230188330A1 (en) * | 2021-03-02 | 2023-06-15 | Fortytwo42 Labs Llp | System and method for identity-based key agreement for secure communication |
-
2023
- 2023-12-06 CN CN202311659788.2A patent/CN117395000B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111971929A (en) * | 2018-12-03 | 2020-11-20 | 福瑞斯有限公司 | Secure distributed key management system |
| CN115048657A (en) * | 2021-03-09 | 2022-09-13 | 技术创新研究所 | System, method, and computer-readable medium for protecting cryptographic keys |
| CN113779606A (en) * | 2021-09-15 | 2021-12-10 | 杭州溪塔科技有限公司 | Information verification method and system for reducing privacy disclosure risk |
| CN115549907A (en) * | 2022-11-24 | 2022-12-30 | 北京智芯微电子科技有限公司 | Root key management system, backup method, recovery method, device and electronic equipment |
| CN117040764A (en) * | 2023-08-31 | 2023-11-10 | 蚂蚁区块链科技(上海)有限公司 | Secret key share updating method, computer equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117395000A (en) | 2024-01-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP7272960B2 (en) | Method, storage medium and electronic device for secure dynamic threshold signature schemes utilizing trusted hardware | |
| CN110120869B (en) | Key management system and key service node | |
| CN106548345B (en) | Method and system for realizing block chain private key protection based on key partitioning | |
| CN114726643B (en) | Data storage and access methods and devices on cloud platform | |
| CN110750803B (en) | Method and device for providing and fusing data | |
| US10797868B2 (en) | Shared secret establishment | |
| CN111971929B (en) | Secure distributed key management system | |
| CN103138939A (en) | Secret key use time management method based on credible platform module under cloud storage mode | |
| JP2007511810A (en) | Proof of execution using random number functions | |
| CN113987554B (en) | Method, device and system for obtaining data authorization | |
| CN111368340A (en) | Block chain-based evidence-based security verification method and device and hardware equipment | |
| CN110138548B (en) | Quantum communication service station key negotiation method and system based on asymmetric key pool pair and DH protocol | |
| CN113259123B (en) | Block chain data writing and accessing method and device | |
| CN113098697B (en) | Block chain data writing and accessing method and device | |
| JP2010231404A (en) | System, method, and program for managing secret information | |
| CN113726733A (en) | Encryption intelligent contract privacy protection method based on trusted execution environment | |
| CN117240625A (en) | Tamper-resistant data processing method and device and electronic equipment | |
| CN117436043A (en) | Method and device for verifying source of file to be executed and readable storage medium | |
| CN109587115A (en) | A kind of data file security distribution application method | |
| CN117395000B (en) | Multiparty authorization method, multiparty authorization device and readable storage medium | |
| CN115225286A (en) | Application access authentication method and device | |
| CN113949988A (en) | Position protection method and system, and storage medium | |
| Akshay et al. | Dynamic list based data integrity verification in cloud environment | |
| CN115361168B (en) | Data encryption method, device, equipment and medium | |
| CN115396103B (en) | AI data sharing method, system and device based on white box key |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |