CN118282778A - Key management method, data transmission method and system for computing nodes in multi-computing base - Google Patents

Info

Publication number: CN118282778A
Application number: CN202410699446.1A
Authority: CN (China)
Prior art keywords: computing node, computing, key, public key, node
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Other languages: Chinese (zh)
Inventors: 张英朝, 彭飞, 方正, 张广庆, 王鑫, 侯海翔, 冯东煜, 车万方, 徐涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Diankeyun Beijing Technology Co ltd
Original Assignee: Diankeyun Beijing Technology Co ltd
Application filed by Diankeyun Beijing Technology Co ltd; priority to CN202410699446.1A; published as CN118282778A; legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a key management method, a data transmission method and a system for computing nodes in a multi-computing base. A first public key and a first private key are generated autonomously by the computing node at the initial stage of its deployment and are used only to forward the second private key that is used for encrypting communication data; during communication, the second public key used to encrypt plaintext data is generated directly by the sending-end computing node from the identity information and the internet protocol address of the receiving-end computing node, so that the step of forwarding the second public key needed for encrypting data is omitted, data forwarding efficiency and stability are improved, and security is improved as well.

Description

Key management method, data transmission method and system for computing nodes in multi-computing base
Technical Field
The present invention relates to the field of encrypted communications, and in particular to a key management method, a data transmission method and a system for computing nodes in a multi-computing base.
Background
When computing power is scheduled on a blockchain within a cluster of computing bases, computing nodes must communicate frequently with one another. Frequent digital signature and signature verification operations follow the publishing and receiving of messages on the blockchain, which raises the problem of distributing public keys to the other computing nodes. Traditional public key distribution requires deploying a PKI system and issuing digital certificates, which is very complex to deploy and reduces the efficiency with which computing nodes can be invoked. At the same time, distributing private keys directly over the network carries a certain security risk, so a new key management and data transmission scheme is needed.
Disclosure of Invention
In view of this, embodiments of the present invention provide a key management method, a data transmission method and a system for computing nodes in a multi-computing base, so as to eliminate or mitigate one or more drawbacks of the prior art and to solve the problem that, in the current computing network, key distribution is inefficient, which makes computing nodes difficult to invoke and exposes them to security risks.
One aspect of the present invention provides a key management method for computing nodes in a multi-computing base. The method is executed on a seed server that is connected to a plurality of computing nodes, and comprises the following steps:
when a target computing node is started over the network, configuring identity information and an internet protocol address for the target computing node;
receiving a first public key generated and sent by the target computing node, where the first public key is generated by the target computing node with a first preset asymmetric encryption algorithm and a first private key is generated together with the first public key;
acquiring a preselected public parameter, and generating a system parameter and a master key with a second preset asymmetric encryption algorithm;
generating a second private key of the target computing node with the second preset asymmetric encryption algorithm from the identity information, the internet protocol address, the system parameter and the master key, and generating the second public key corresponding to the second private key with the second preset asymmetric encryption algorithm from the identity information and the internet protocol address;
encrypting the identity information, the internet protocol address, the system parameter, the second private key and the computing node system image with the first public key, and sending the encrypted information to the target computing node, so that the target computing node can decrypt it with the first private key to obtain the second private key.
The second public key is used by other computing nodes during communication to encrypt plaintext data into encrypted data, which is sent to the target computing node and decrypted there with the second private key.
In some embodiments, the first preset asymmetric encryption algorithm employs an RSA algorithm or an elliptic curve encryption algorithm.
In some embodiments, the second preset asymmetric encryption algorithm is an SM9 algorithm.
In some embodiments, the method further comprises:
storing the identity information, the internet protocol address, the system parameter, the master key, the first public key, the second private key and the computing node system image corresponding to the target computing node in a preset storage space for backup.
In another aspect, the invention also provides a data transmission method between computing nodes in a multi-computing base. The method is executed at the receiving-end computing node and comprises the following steps:
receiving ciphertext data sent by a sending-end computing node, where the ciphertext data is obtained by the sending-end computing node encrypting plaintext data with a second public key and the system parameter, and the second public key is generated by the sending-end computing node with a second preset asymmetric encryption algorithm from the identity information and the internet protocol address of the receiving-end computing node;
decrypting the ciphertext data with the second private key and the system parameter held locally by the receiving-end computing node to obtain the plaintext data, where the second private key is obtained by the key management method for computing nodes in a multi-computing base described above.
In some embodiments, after receiving the ciphertext data sent by the sending-end computing node, the method further comprises:
receiving signature verification information sent by the sending-end computing node, where the signature verification information is produced by the sending-end computing node by signing with its local third private key and the system parameter;
generating a third public key of the sending-end computing node with the second preset asymmetric encryption algorithm from the identity information and the internet protocol address of the sending-end computing node;
decrypting the signature verification information with the third public key to verify the signature of the sending-end computing node.
In some embodiments, after decrypting the signature verification information with the third public key to verify the signature of the sending-end computing node, the method further comprises sending the signature verification result to the seed server for storage.
In another aspect, the present invention also provides a multi-computing-power network system, the system comprising:
a seed server for executing the key management method for computing nodes in a multi-computing base; and
computing nodes for executing the data transmission method between computing nodes in a multi-computing base.
In another aspect, the present invention also provides a computer readable storage medium having stored thereon a computer program/instruction which when executed by a processor performs the steps of the above method.
In another aspect, the invention also provides a computer program product comprising a computer program/instruction which, when executed by a processor, implements the steps of the above method.
The invention has the advantages that:
According to the key management method, the data transmission method and the system for computing nodes in a multi-computing base, the first public key and the first private key are generated autonomously at the initial stage of computing node deployment and used only to forward the second private key that is used for encrypting communication data; during communication, the second public key for encrypting plaintext data is generated directly by the sending-end computing node from the identity information and the internet protocol address of the receiving-end computing node, so that the step of forwarding the second public key needed for encrypting data is omitted, data forwarding efficiency and stability are improved, and security is improved as well.
Further, in the signature authentication process, the sending-end computing node signs with its local private key, and the receiving-end computing node directly generates the corresponding public key from the identity information and the internet protocol address of the sending-end computing node to verify it, so that the public key distribution process is omitted and authentication efficiency is improved.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and drawings.
It will be appreciated by those skilled in the art that the objects and advantages that can be achieved with the present invention are not limited to the above-described specific ones, and that the above and other objects that can be achieved with the present invention will be more clearly understood from the following detailed description.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate and together with the description serve to explain the application. In the drawings:
Fig. 1 is a flow chart of a key management method of a computing node in a multi-computing base according to an embodiment of the invention.
Fig. 2 is a flow chart of a data transmission method between computing nodes in a multi-computing base according to an embodiment of the invention.
Fig. 3 is a logic schematic diagram of a computing-power cluster autonomy method based on identity-based encryption according to an embodiment of the invention.
Fig. 4 is a schematic structural diagram of a computer device according to an embodiment of the invention.
Detailed Description
The present invention will be described in further detail with reference to the following embodiments and the accompanying drawings, in order to make the objects, technical solutions and advantages of the present invention more apparent. The exemplary embodiments of the present invention and the descriptions thereof are used herein to explain the present invention, but are not intended to limit the invention.
It should be noted here that, in order to avoid obscuring the present invention due to unnecessary details, only structures and/or processing steps closely related to the solution according to the present invention are shown in the drawings, while other details not greatly related to the present invention are omitted.
It should be emphasized that the term "comprises/comprising" when used herein is taken to specify the presence of stated features, elements, steps or components, but does not preclude the presence or addition of one or more other features, elements, steps or components.
It is also noted herein that the term "coupled" may refer to not only a direct connection, but also an indirect connection in which an intermediate is present, unless otherwise specified.
Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. In the drawings, the same reference numerals represent the same or similar components, or the same or similar steps.
The conventional public key distribution mechanism, particularly related to the deployment of PKI systems and the issuance of digital certificates, has the following drawbacks:
1) Security problems: the public key may be intercepted or tampered with by a malicious attacker in transit, and if the public key directory is compromised, the attacker can forge anyone's public key.
2) Complexity of management and maintenance: when there are a large number of communication nodes in the network, public key authorization services may become a bottleneck for the overall system. Furthermore, the management, maintenance and revocation of certificates is also a complex process.
3) Performance problems: the operation of public key cryptography typically involves modular exponentiation, which requires high computational effort and is inefficient.
4) Man-in-the-middle attack: without additional security measures, the public key distribution process is vulnerable to man-in-the-middle attacks, which can intercept the public key and impersonate one of the parties.
Therefore, the present application provides a key management method for computing nodes in a multi-computing base. The method is executed on a seed server that is connected to a plurality of computing nodes and, as shown in fig. 1, comprises the following steps S101 to S105:
Step S101: when the target computing node is started over the network, configuring the identity information and the internet protocol address for the target computing node.
Step S102: receiving a first public key generated and sent by the target computing node; the first public key is generated by the target computing node with a first preset asymmetric encryption algorithm, and a first private key is generated together with it.
Step S103: acquiring the preselected public parameter, and generating the system parameter and the master key with a second preset asymmetric encryption algorithm.
Step S104: generating a second private key of the target computing node with the second preset asymmetric encryption algorithm from the identity information, the internet protocol address, the system parameter and the master key, and generating the second public key corresponding to the second private key with the second preset asymmetric encryption algorithm from the identity information and the internet protocol address.
Step S105: encrypting the identity information, the internet protocol address, the system parameter, the second private key and the computing node system image with the first public key and sending them to the target computing node, which decrypts them with the first private key to obtain the second private key.
The second public key is used by other computing nodes during communication to encrypt plaintext data into encrypted data, which is sent to the target computing node and decrypted there with the second private key.
In some embodiments, the first predetermined asymmetric encryption algorithm employs an RSA algorithm or an elliptic curve encryption algorithm. In some embodiments, the second preset asymmetric encryption algorithm is an SM9 algorithm.
In steps S101 to S105, the first public key and the first private key are generated autonomously by the target computing node and are used only to transmit the private key that the seed server generates for the target computing node. When the target computing node starts, it generates the first public key and the first private key with the first preset asymmetric encryption algorithm, keeps the first private key locally and sends the first public key to the seed server. The seed server configures identity information (ID) and an internet protocol address (IP) for the target computing node. In the key generation system of the application, the second public key for encrypting plaintext is generated directly at the sending end with the second preset asymmetric encryption algorithm; specifically, it is derived from the identity information (ID) and the internet protocol address (IP) that the receiving-end node discloses. The second private key for decrypting ciphertext is generated by the seed server and transmitted under encryption with the target computing node's first public key; the target computing node then decrypts it with its local first private key to obtain the second private key.
In some embodiments, the method further comprises step S106: storing the identity information, the internet protocol address, the system parameter, the master key, the first public key, the second private key and the computing node system image corresponding to the target computing node in a preset storage space for backup. During backup, log files can be built for storage and an index constructed for efficient retrieval and query in subsequent use.
In another aspect, the invention also provides a data transmission method between computing nodes in a multi-computing base. The method is executed at the receiving-end computing node and, as shown in fig. 2, comprises the following steps S201 to S202:
Step S201: receiving ciphertext data sent by a sending-end computing node, where the ciphertext data is obtained by the sending-end computing node encrypting plaintext data with a second public key and the system parameter; the second public key is generated by the sending-end computing node with the second preset asymmetric encryption algorithm from the identity information and the internet protocol address of the receiving-end computing node.
Step S202: decrypting the ciphertext data with the second private key and the system parameter of the receiving-end computing node to obtain the plaintext data; the second private key is obtained by the key management method for computing nodes in a multi-computing base of steps S101 to S105.
Specifically, based on the SM9 algorithm, steps S201 and S202 of the present application use the identity information ID and the internet protocol address IP of a computing node directly as its public key, and generate its private key with the second preset asymmetric encryption algorithm from the identity information, the internet protocol address, the system parameter and the master key. When the sending-end computing node sends data, it uses the identity information ID and the internet protocol address IP of the receiving-end computing node directly as the public key locally and encrypts the data, so the public key request and transmission steps are omitted. After receiving the encrypted data, the receiving-end computing node decrypts it with the private key that the seed server generated from the corresponding ID and IP and provided to it, and so obtains the plaintext data.
In some embodiments, after receiving the ciphertext data sent by the sending-end computing node, the method further includes steps S301 to S303:
Step S301: receiving signature verification information sent by the sending-end computing node, where the signature verification information is produced by the sending-end computing node by signing with its local third private key and the system parameter.
Step S302: generating a third public key of the sending-end computing node with the second preset asymmetric encryption algorithm from the identity information and the internet protocol address of the sending-end computing node.
Step S303: decrypting the signature verification information with the third public key to verify the signature of the sending-end computing node.
In steps S301 to S303, based on the SM9 algorithm, the verification information of the sending-end computing node is encrypted with the third private key of the sending-end computing node; the third private key is configured by the seed server according to the method of steps S101 to S105 and issued to the sending-end computing node. The receiving-end computing node uses the identity information ID and the internet protocol address IP of the sending-end computing node directly as the third public key to decrypt and verify the signature verification information.
In some embodiments, after decrypting the signature verification information with the third public key to verify the signature of the sending-end computing node, the method further comprises sending the signature verification result to the seed server for storage.
In another aspect, the present invention also provides a multi-computing-power network system, the system comprising:
a seed server for executing the key management method for computing nodes in a multi-computing base of steps S101 to S105; and
computing nodes for executing the data transmission method between computing nodes in a multi-computing base described in steps S201 to S202 and steps S301 to S303.
In another aspect, the present invention also provides a computer readable storage medium having stored thereon a computer program/instruction which when executed by a processor performs the steps of the above method.
In another aspect, the invention also provides a computer program product comprising a computer program/instruction which, when executed by a processor, implements the steps of the above method.
The invention is described below in connection with a specific embodiment:
The invention provides a computing-power cluster autonomy method based on identity-based encryption, which manages the keys of the computing nodes in a multi-computing base. Its core is to introduce the IBE algorithm into the computing-power cluster: no public key distribution is needed, because the node identifier and IP address serve as the public key, which simplifies key management and distribution. Compared with a traditional public key infrastructure (PKI), adopting IBE at the core removes the need for cumbersome public key certificates and authentication procedures, effectively reducing the complexity and cost of system management and improving efficiency.
IBE (Identity-Based Encryption) is a public key encryption scheme in which an arbitrary string can serve as a valid public key. Although IBE needs no public key distribution (the public key can be generated by anyone), every communication private key must be generated by a node holding the master private key together with the public security parameters, and the need for manual, offline involvement in distributing those private keys has become the biggest obstacle to large-scale adoption of IBE in other scenarios. A system image can be used to install the same operating system on different computers or to restore the operating system after a failure; it is usually stored as an ISO file and can be created or used with specific software. By completing the generation and distribution of the private key together with the delivery of the system image, a computing node naturally holds the private key exactly matching its own ID and IP as soon as it starts, which neatly solves the private key distribution problem of IBE.
Referring to fig. 3, the embodiment is as follows:
The seed server is responsible for distributing all private keys. When a computing node is started over the network, the seed server generates the node's ID and IP address, forms the public key from that ID and IP address, then generates the node's private key from that public key with the IBE algorithm and delivers the private key to the node together with the OS image. Other computing nodes can then encrypt to the node or verify its signatures using the public node ID and node IP. The specific steps are as follows:
1. The seed server first selects a public parameter k and generates the system parameters PublicPara and the master key MASTERKEY.
2. When a computing node is started over the network, it first generates a preparatory public/private key pair and sends the public key to the seed server. The seed server generates NodePrivateKey (the node private key) from the system parameters PublicPara and the master key MASTERKEY using the node's NodeID and NodeIP. The generation algorithm can be a typical IBC algorithm such as the SM9 commercial cryptographic algorithm.
3. The seed server encrypts NodeID, NodeIP, the system parameters PublicPara and the node private key NodePrivateKey together with the OS image under the preparatory public key provided by the computing node, and sends the encrypted data to the computing node. After starting, the computing node decrypts the data with its preparatory private key, so it automatically holds the private key NodePrivateKey and can at the same time derive its public key from NodeID:NodeIP.
4. When computing node A wants to communicate securely with computing node B, A automatically derives B's public key pkB = NodeIDB:NodeIPB and uses it as the encryption key to encrypt M, for example C = E_pkB(M, PublicPara), without having to obtain B's public key from anywhere.
5. After receiving the encrypted message C from computing node A, computing node B obtains M' = E_skB(C, PublicPara) using the private key skB = NodePrivateKeyB that the seed server sent to it during its own startup.
6. When computing node A wants to prove to computing node B that M was sent by A itself, it can sign with its own private key skA = NodePrivateKeyA, SIGA = E_skA(M, PublicPara), and send the signature to computing node B together with M.
7. Computing node B verifies the signature with the public key of computing node A, which it generates automatically from A's node ID and node IP as pkA = NodeIDA:NodeIPA.
Throughout the whole process, the public key of the peer node can be generated automatically from that node's NodeID and NodeIP, so the distribution step is saved. Each computing node only needs to obtain, during startup, its own private key generated by the identity-based encryption algorithm in order to carry out all subsequent encrypted communication.
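The seed-server flow of steps 1 to 5 above (and the same flow as steps S101 to S105 and S201 to S202 earlier), as an added example that is not code from the patent or from Diankeyun: a stdlib-only Python model in which Cocks' quadratic-residuosity IBE stands in for SM9, the identity string NodeID:NodeIP is hashed to serve as the public key, and the primes are tiny fixed demo values, so it shows the key flow rather than a secure instantiation. The names SeedServer, node_private_key and the sample node IDs and addresses are my own assumptions.

```python
import hashlib
import secrets
from math import gcd

# Toy Blum primes (both 3 mod 4) standing in for a real MASTERKEY; demo values only
DEMO_P, DEMO_Q = 1000000007, 2147483647


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns -1, 0 or 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def identity_to_public_key(node_id, node_ip, n):
    """Hash the public string NodeID:NodeIP to a with (a/n) = 1; this is pkB."""
    counter = 0
    while True:
        data = f"{node_id}:{node_ip}|{counter}".encode()
        a = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
        if a > 1 and gcd(a, n) == 1 and jacobi(a, n) == 1:
            return a
        counter += 1


class SeedServer:
    """Step 1: holds MASTERKEY (p, q) and publishes PublicPara n = p * q."""

    def __init__(self, p, q):
        assert p % 4 == 3 and q % 4 == 3  # Blum primes: square root is one pow()
        self.p, self.q = p, q             # MASTERKEY, never leaves the seed server
        self.public_para = p * q          # PublicPara

    def node_private_key(self, node_id, node_ip):
        """Step 2: NodePrivateKey r with r^2 = +/-a (mod n), a = H(NodeID:NodeIP)."""
        p, q, n = self.p, self.q, self.public_para
        a = identity_to_public_key(node_id, node_ip, n)
        # (a/n) = 1: a is a square mod both primes, or else -a is (p, q = 3 mod 4)
        x = a if pow(a, (p - 1) // 2, p) == 1 else (-a) % n
        rp, rq = pow(x, (p + 1) // 4, p), pow(x, (q + 1) // 4, q)
        return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n  # CRT


def _unit_with_jacobi(n, target):
    while True:  # random t coprime to n whose Jacobi symbol equals target
        t = secrets.randbelow(n - 2) + 2
        if gcd(t, n) == 1 and jacobi(t, n) == target:
            return t


def encrypt_bit(a, n, bit):
    """Cocks encryption of one bit: the bit rides on the Jacobi symbol of t."""
    m = -1 if bit else 1
    t1, t2 = _unit_with_jacobi(n, m), _unit_with_jacobi(n, m)
    c1 = (t1 + a * pow(t1, -1, n)) % n  # for the holder of r with r^2 = a
    c2 = (t2 - a * pow(t2, -1, n)) % n  # for the holder of r with r^2 = -a
    return c1, c2


def decrypt_bit(r, a, n, c):
    """c + 2r = (t + r)^2 / t, so its Jacobi symbol is (t/n) and reveals the bit."""
    s = c[0] if (r * r) % n == a else c[1]
    return 0 if jacobi((s + 2 * r) % n, n) == 1 else 1


def encrypt_message(node_id, node_ip, n, plaintext):
    """Step 4: C = E_pkB(M, PublicPara), pkB derived locally from B's ID and IP."""
    a = identity_to_public_key(node_id, node_ip, n)
    bits = [(byte >> i) & 1 for byte in plaintext for i in range(7, -1, -1)]
    return [encrypt_bit(a, n, b) for b in bits]


def decrypt_message(private_key, node_id, node_ip, n, ciphertext):
    """Step 5: M' = E_skB(C, PublicPara) with the key issued to B at boot."""
    a = identity_to_public_key(node_id, node_ip, n)
    bits = [decrypt_bit(private_key, a, n, c) for c in ciphertext]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def demo_round_trip(message=b"ok"):
    """Node A sends `message` to node B; returns what B recovers."""
    seed = SeedServer(DEMO_P, DEMO_Q)
    n = seed.public_para
    sk_b = seed.node_private_key("nodeB", "10.0.0.2")  # steps 2-3: issued at boot
    # step 4: A needs only B's NodeID:NodeIP and PublicPara, no key lookup at all
    c = encrypt_message("nodeB", "10.0.0.2", n, message)
    return decrypt_message(sk_b, "nodeB", "10.0.0.2", n, c)  # step 5
```

Steps 6 and 7 (signing) are not modelled because Cocks' scheme has no signature operation; SM9, which the patent names, provides both encryption and signing from the same identity key material.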
As shown in fig. 4, the present embodiment further provides a computer device, for executing the method for computing power cluster autonomy based on identification encryption according to the foregoing embodiment, where, as shown in fig. 4, the computer device may include a processor 810, a memory 820, and an image capturing device 830, where, the processor 810 and the memory 820 may be connected by a bus or other means, and in fig. 4, the connection is exemplified by a bus. The image acquisition device 830 may be connected to the processor 810 and the memory 820 by wired or wireless means.
The processor 810 may be a central processing unit (CPU). The processor 810 may also be another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination thereof.
The memory 820 is used as a non-transitory computer readable storage medium for storing non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules corresponding to the key shielding method of the in-vehicle display device in the embodiment of the invention. The processor 810 performs various functional applications of the processor and data processing, i.e., implements the image color correction method in the above-described method embodiments, by running non-transitory software programs, instructions, and modules stored in the memory 820.
Memory 820 may include a storage program area that may store an operating system, at least one application program required for functionality, and a storage data area; the storage data area may store data created by the processor 810, etc. In addition, memory 820 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 820 may optionally include memory located remotely from processor 810, which may be connected to processor 810 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The embodiments of the present invention also provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the edge computing server deployment method described above. The computer readable storage medium may be a tangible storage medium such as Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, floppy disks, hard disk, a removable memory disk, a CD-ROM, or any other form of storage medium known in the art.
In summary, according to the key management method, the data transmission method and the system for computing nodes in a multi-computing base, the first public key and the first private key are generated autonomously at the initial stage of computing node deployment and used only to forward the second private key that is used for encrypting communication data; during communication, the second public key for encrypting plaintext data is generated directly by the sending-end computing node from the identity information and the internet protocol address of the receiving-end computing node, so that the step of forwarding the second public key needed for encrypting data is omitted, data forwarding efficiency and stability are improved, and security is improved as well.
Further, in the signature authentication process, the sending-end computing node signs with its local private key, and the receiving-end computing node directly generates the corresponding public key from the identity information and the internet protocol address of the sending-end computing node to verify it, so that the public key distribution process is omitted and authentication efficiency is improved.
Those of ordinary skill in the art will appreciate that the various illustrative components, systems, and methods described in connection with the embodiments disclosed herein can be implemented as hardware, software, or a combination of both. Whether a particular implementation is hardware or software depends on the specific application of the solution and its design constraints. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, a plug-in, a function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine readable medium or transmitted over transmission media or communication links by a data signal carried in a carrier wave.
It should be understood that the invention is not limited to the particular arrangements and instrumentality described above and shown in the drawings. For the sake of brevity, a detailed description of known methods is omitted here. In the above embodiments, several specific steps are described and shown as examples. The method processes of the present invention are not limited to the specific steps described and shown, but various changes, modifications and additions, or the order between steps may be made by those skilled in the art after appreciating the spirit of the present invention.
In this disclosure, features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments and/or in combination with or instead of the features of the other embodiments.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, and various modifications and variations can be made to the embodiments of the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method of key management of a computing node in a multi-computing base, the method being executed on a seed server that connects a plurality of computing nodes, the method comprising the steps of:
when a target computing node is started over the network, configuring identity information and an Internet protocol address for the target computing node;
receiving a first public key generated and sent by the target computing node; the first public key is generated by the target computing node based on a first preset asymmetric encryption algorithm, and a first private key is generated together with the first public key;
acquiring preselected public parameters, and generating system parameters and a master key based on a second preset asymmetric encryption algorithm;
generating a second private key of the target computing node based on the second preset asymmetric encryption algorithm from the identity information, the Internet protocol address, the system parameters and the master key, and generating a second public key corresponding to the second private key based on the second preset asymmetric encryption algorithm from the identity information and the Internet protocol address;
encrypting the identity information, the Internet protocol address, the system parameters, the second private key and the computing node system image with the first public key, and sending the encrypted information to the target computing node so that the target computing node can decrypt it with the first private key to obtain the second private key;
the second public key is used by other computing nodes in the communication process to encrypt plaintext data into encrypted data, which is sent to the target computing node and decrypted there based on the second private key.
2. The key management method of a computing node in a multi-computing base according to claim 1, wherein the first preset asymmetric encryption algorithm is an RSA algorithm or an elliptic curve encryption algorithm.
3. The key management method of a computing node in a multi-computing base according to claim 2, wherein the second preset asymmetric encryption algorithm is the SM9 algorithm.
4. The key management method of a computing node in a multi-computing base according to claim 1, further comprising:
storing the identity information, the Internet protocol address, the system parameters, the master key, the first public key, the second private key and the computing node system image corresponding to the target computing node in a preset storage space for backup.
5. A method for data transmission between computing nodes in a multi-computing base, the method being executed at a receiving-end computing node, the method comprising the steps of:
receiving ciphertext data sent by a sending-end computing node, wherein the ciphertext data is obtained by the sending-end computing node encrypting plaintext data with a second public key and system parameters; the second public key is generated by the sending-end computing node based on a second preset asymmetric encryption algorithm from the identity information and the Internet protocol address of the receiving-end computing node;
decrypting the ciphertext data with the second private key and system parameters held locally by the receiving-end computing node to obtain the plaintext data; the second private key is obtained by the key management method of a computing node in a multi-computing base according to any one of claims 1 to 4.
6. The method for data transmission between computing nodes in a multi-computing base according to claim 5, wherein, after receiving the ciphertext data sent by the sending-end computing node, the method further comprises:
receiving signature verification information sent by the sending-end computing node, wherein the signature verification information is obtained by the sending-end computing node encrypting its signature with a local third private key and the system parameters;
generating a third public key of the sending-end computing node based on the second preset asymmetric encryption algorithm from the identity information and the Internet protocol address of the sending-end computing node;
and decrypting the signature verification information with the third public key to verify the signature of the sending-end computing node.
7. The method according to claim 6, further comprising, after decrypting the signature verification information with the third public key to verify the signature of the sending-end computing node: sending the signature verification result to the seed server for storage.
8. A multi-computing power network system, the system comprising:
a seed server for performing the key management method of a computing node in a multi-computing base according to any one of claims 1 to 4;
a computing node for performing the method for data transmission between computing nodes in a multi-computing base according to any one of claims 5 to 7.
9. A computer readable storage medium having stored thereon computer programs/instructions which, when executed by a processor, perform the steps of the method according to any one of claims 1 to 7.
10. A computer program product comprising computer programs/instructions which, when executed by a processor, implement the steps of the method according to any one of claims 1 to 7.
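Claims 1 and 5 describe the two halves of the scheme: the seed server holds a master key and derives each node's second private key from its identity and IP address, while any sending node derives the matching second public key from those same two fields without any key exchange. The following is an added example, not code from the patent or its applicant. The patent specifies SM9, which needs bilinear pairings that the Python standard library lacks, so Cocks' quadratic-residuosity identity-based encryption is swapped in as a stand-in with the same structural property; the master key is the prime pair (p, q), the published system parameter is n, and the node identity "node-b", the addresses 10.0.0.2 and 10.0.0.3 and the 16-byte plaintext are constructed sample values. The demo also shows the caveat that follows from binding the key to identity and address: a private key issued for a different IP address does not decrypt the ciphertext.

```python
# Added example, not code from the patent. The patent specifies SM9 for the
# second key pair; SM9 needs bilinear pairings, which the Python standard
# library lacks, so Cocks' quadratic-residuosity IBE stands in for it. The
# property shown is the same: a node's public key follows from (identity, IP)
# and the public parameter n alone, while only the seed server holding the
# master key (p, q) can issue the matching private key.
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    # Miller-Rabin primality test (probabilistic).
    if n < 4:
        return n > 1
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_blum_prime(bits: int) -> int:
    """Random prime p with p = 3 (mod 4), which Cocks' scheme requires."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 3
        if is_probable_prime(p):
            return p

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def seed_server_setup(bits: int = 256) -> tuple:
    """Seed server: master key (p, q) stays local, system parameter n is public."""
    p, q = random_blum_prime(bits), random_blum_prime(bits)
    return p, q, p * q

def public_key_for(n: int, identity: str, ip: str) -> int:
    """Second public key: hash (identity, ip) to a with Jacobi symbol 1; any node can do this."""
    counter = 0
    while True:
        h = hashlib.sha512(f"{identity}|{ip}|{counter}".encode()).digest()
        a = int.from_bytes(h, "big") % n
        if a and jacobi(a, n) == 1:
            return a
        counter += 1

def extract_private_key(p: int, q: int, identity: str, ip: str) -> int:
    """Seed server: second private key r for (identity, ip), with r^2 = +-a (mod n)."""
    n = p * q
    return pow(public_key_for(n, identity, ip), (n + 5 - p - q) // 8, n)

def encrypt(n: int, identity: str, ip: str, plaintext: bytes) -> list:
    """Sender node: encrypt bit by bit under the receiver's derived public key."""
    a, out = public_key_for(n, identity, ip), []
    for byte in plaintext:
        for i in range(7, -1, -1):
            m = 1 if (byte >> i) & 1 else -1  # bit encoded as a Jacobi value
            pair = []
            for sign in (1, -1):  # one ciphertext for a, one for -a
                t = secrets.randbelow(n - 2) + 1
                while jacobi(t, n) != m:
                    t = secrets.randbelow(n - 2) + 1
                pair.append((t + sign * a * pow(t, -1, n)) % n)
            out.append(tuple(pair))
    return out

def decrypt(n: int, identity: str, ip: str, r: int, ciphertext: list) -> bytes:
    """Receiver node: use the ciphertext matching r^2 = a or r^2 = -a."""
    a = public_key_for(n, identity, ip)
    idx = 0 if pow(r, 2, n) == a else 1
    bits = [1 if jacobi(s[idx] + 2 * r, n) == 1 else 0 for s in ciphertext]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def demo(plaintext: bytes = b"constructed key!") -> tuple:
    """Node A sends to node B knowing only B's identity and IP; a private key
    issued for a different IP cannot decrypt, because the key is bound to both."""
    p, q, n = seed_server_setup()
    ident, ip = "node-b", "10.0.0.2"  # constructed sample identity and address
    r_b = extract_private_key(p, q, ident, ip)  # in the patent: sent wrapped under B's first key
    recovered = decrypt(n, ident, ip, r_b, encrypt(n, ident, ip, plaintext))
    r_wrong = extract_private_key(p, q, ident, "10.0.0.3")
    garbled = decrypt(n, ident, "10.0.0.3", r_wrong, encrypt(n, ident, ip, plaintext))
    return recovered, garbled
```

The step in claim 1 that wraps the second private key under the node's first (RSA or elliptic curve) public key for delivery is not modelled; the demo hands `r_b` straight to the receiver. Cocks' scheme encrypts one bit per ciphertext pair, so in practice the plaintext would be a symmetric session key, as the demo's 16-byte input suggests. Two points a practitioner would take from the flow: the seed server can derive every node's private key, so the master key and the backup storage of claim 4 need the strongest protection in the system, and because the key is bound to the IP address as well as the identity, a node that is re-addressed must be re-provisioned before peers can reach it.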
CN202410699446.1A 2024-05-31 2024-05-31 Key management method, data transmission method and system for computing nodes in multi-computing base Pending CN118282778A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410699446.1A CN118282778A (en) 2024-05-31 2024-05-31 Key management method, data transmission method and system for computing nodes in multi-computing base

Publications (1)

Publication Number Publication Date
CN118282778A true CN118282778A (en) 2024-07-02

Family

ID=91644361

Country Status (1)

Country Link
CN (1) CN118282778A (en)

Legal Events

Date Code Title Description
PB01 Publication