CN118316632A - An encryption system and a key management server - Google Patents

An encryption system and a key management server

Info

Publication number
CN118316632A
Authority
CN (China)
Prior art keywords
key, service, key management, broadband, management information
Legal status
Pending
Application number
CN202211735877.6A
Other languages
Chinese (zh)
Inventors
赵海涛, 马琰, 皮鲲, 王兆辉
Current Assignee
Hytera Communications Corp Ltd
Original Assignee
Hytera Communications Corp Ltd

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Mobile Radio Communication Systems

Abstract

The present invention discloses an encryption system and a key management server. The system is applied to private network communication, and includes a key management server and at least one terminal. The key management server is set independently of the business server. The terminal includes at least an encryption module. When the terminal is a broadband terminal, the broadband terminal also includes at least a key service module. A first key channel is set between the key management server and the key service module. The first key channel occupies resources in the broadband to transmit key management information. The key management server is used to send broadband key management information to the corresponding key service module through the first key channel when the preset key update condition is met. The key service module is used to receive the broadband key management information and forward the broadband key management information to the encryption module, so that the encryption module parses the key management information and encrypts and decrypts the business data. The decoupling and isolation of key management and business-related security data are realized.

Description

Encryption system and key management server
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an encryption system and a key management server.
Background
With the continuous development of communication technology, more and more industries begin to introduce the construction and use of private networks. The implementation idea of private network communication realized by the broadband technology is basically consistent with that in a public network, namely, a complete instant messaging service which accords with the communication characteristics of the private network is constructed for the application layer of the current basic broadband network. In order to ensure the security of data transmission, data encryption is usually performed in the data transmission process.
However, conventional security policy is designed around the public network: data in transit is encrypted by introducing a key system built on the public network architecture, so the encryption method is tightly coupled to that architecture. For different types of systems, the key management server must be strongly coupled to each system to manage keys across them, and the schemes currently in use all rely on end-to-end encryption of the application-layer communication service, that is, they are tightly bound to the service channel, which makes the high-concurrency and low-latency requirements of private network communication difficult to satisfy. Because of this close coupling with the service channel, when many users are active concurrently or a group call has many members, network load rises, the risk of network delay grows further, and the demands of private network communication users are difficult to meet.
Disclosure of Invention
The invention provides an encryption system and a key management server that unbind the encryption function from the service system, better meet the service characteristics and performance requirements of private network communication, improve the security of the data transmission process, reduce network delay, allow compatibility with and rapid integration of various instant messaging systems, and improve the user experience.
The embodiment of the invention provides an encryption system which is applied to private network communication, wherein the encryption system comprises a key management server and at least one terminal, the key management server is independent of a service server, the terminal at least comprises an encryption module, and when the terminal is a broadband terminal, the broadband terminal at least further comprises a key service module; a first key channel is arranged between the key management server and the key service module, and occupies resources in the broadband to transmit key management information;
the key management server is used for sending broadband key management information to the corresponding key service module through the first key channel when the preset key updating condition is met;
the key service module is used for receiving the broadband key management information and forwarding the broadband key management information to the encryption module;
And the encryption module is used for analyzing the broadband key management information to obtain a service root key, encrypting service data to be sent through the service root key or decrypting the received service data through the service root key.
The embodiment of the invention also provides a key management server which is applied to an encryption system for private network communication, wherein the encryption system comprises the key management server and at least one terminal, and the key management server is independent of the service server;
when the terminal is a broadband terminal, a first key channel is arranged between the key management server and the broadband terminal, and the first key channel occupies resources in the broadband to transmit key management information; the key management server is used for sending broadband key management information to the corresponding broadband terminal through the first key channel when the preset key updating condition is met;
When the terminal is a narrow-band terminal, the service server comprises a narrow-band gateway corresponding to the narrow-band terminal, and a second key channel is arranged between the key management server and the narrow-band gateway; the key management server is used for sending the narrow-band key management information to the narrow-band gateway through the second key channel when the preset key updating condition is met;
When the terminal is a dual-mode terminal, a first key channel is arranged between the key management server and the dual-mode terminal, and the first key channel occupies resources in a broadband to transmit key management information; a second key channel is arranged between the key management server and the narrow-band gateway corresponding to the dual-mode terminal; and the key management server is used for sending broadband key management information to the corresponding dual-mode terminal through the first key channel or sending narrow-band key management information to the narrow-band gateway through the second key channel when the preset key updating condition is met.
The embodiment of the invention provides an encryption system and a key management server, which are applied to private network communication, wherein the encryption system comprises a key management server and at least one terminal, the key management server is independent of a service server, the terminal at least comprises an encryption module, and when the terminal is a broadband terminal, the broadband terminal at least further comprises a key service module; a first key channel is arranged between the key management server and the key service module, and occupies resources in the broadband to transmit key management information; the key management server is used for sending broadband key management information to the corresponding key service module through the first key channel when the preset key updating condition is met; the key service module is used for receiving the broadband key management information and forwarding the broadband key management information to the encryption module; and the encryption module is used for analyzing the broadband key management information to obtain a service root key, encrypting service data to be sent through the service root key or decrypting the received service data through the service root key. 
By adopting the technical scheme, a key management server independent of the service server is arranged, an independent key service module corresponding to the key management server is arranged in the terminal, and an independent first key channel is arranged between the key management server and the key service module, so that the key management server can send broadband key management information to the key service module in the terminal through the first key channel when the preset key update condition is met, and the key service module forwards the broadband key management information to the encryption module for the terminal to execute encryption and decryption of service data. Managing a terminal key therefore does not affect the normal operation of the service system, and because the key channel is arranged independently in the broadband for key management, the key management server does not need to transmit keys to different terminals through the service channel, so that decoupling and isolation of key management and service-related security data are realized. Furthermore, the transmission of key management data does not occupy the bandwidth of a service channel, so that network delay under a large data volume is reduced; and because the key management server is arranged independently, associations between the key management server and a plurality of different service servers and terminals can be established, which realizes compatibility with and rapid integration of a plurality of instant messaging systems, improves the practicability and universality of the encryption system, and improves the user experience.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of an encryption system according to a first embodiment of the present invention;
fig. 2 is a schematic structural diagram of an encryption system according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an encryption system according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of an encryption system according to a fourth embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a schematic structural diagram of an encryption system according to a first embodiment of the present invention, where the encryption system is applied to private network communication, and the encryption system 1 includes a key management server 10 and at least one terminal 11, where the key management server 10 is set independently of a service server, the terminal 11 includes at least an encryption module 111, and when the terminal 11 is a broadband terminal 12, the broadband terminal 12 includes at least a key service module 112; a first key channel is provided between the key management server 10 and the key service module 112, and occupies resources in a broadband for key management information transmission.
The key management server 10 is configured to send broadband key management information to the corresponding key service module 112 through the first key channel when a preset key update condition is satisfied;
The key service module 112 is configured to receive the broadband key management information and forward it to the encryption module 111;
The encryption module 111 is configured to parse the broadband key management information to obtain a service root key, and encrypt service data to be sent by using the service root key, or decrypt received service data by using the service root key.
As shown in fig. 1, in the embodiment of the present invention, two terminals 11 are included in the encryption system, and one of the terminals is a broadband terminal 12.
In this embodiment, private network communication is specifically understood to be a professional network that provides safe and reliable wireless services for a specific department or group, where the base network is usually independent of the public cellular mobile communication network, and may change the network architecture adaptively according to the user requirements. The key management server 10 (Key Management Service, KMS) can be specifically understood as a server that, based on cryptographic algorithms, provides full life cycle management of keys and cryptographic computation for a service system, and can implement operations such as key application, distribution and update.
In this embodiment, the service server may be specifically understood as a server in the service system for providing service to the terminals 11 associated with it, such as a website server or an instant messaging software background server, where the service server may be a server adapted to a broadband application or a server adapted to a narrowband application, which is not limited in this embodiment of the present invention. The terminal 11 may be specifically understood as a computing device having input, output and processing capability, and may include a fixed terminal, a mobile terminal, etc., such as a smart phone, a tablet computer or a computer, which is not limited in this embodiment of the present invention. The encryption module 111 is specifically understood as hardware or software provided in the terminal 11 for storing a root key, generating a session key when performing a communication service, and performing encryption and decryption operations on received data.
In the present embodiment, the broadband terminal 12 may be understood as a terminal performing a service through a broadband core network in particular. The key service module 112 is specifically understood as a module independent of the service application, which is connected to the key management server 10 alone in the broadband terminal 12 and is responsible for the key management work. The first key channel is specifically understood to be a channel which is provided between the key management server 10 and the key service module 112 independently of the existence of a traffic channel, occupies a broadband resource, and is used only for transmitting information related to key management.
In this embodiment, the preset key update condition may be specifically understood as a condition preset according to an actual situation, which is used to manage, update and maintain the key issued to each terminal 11, so as to ensure the data confidentiality degree and security in the service processing process. The broadband key management information may be understood as information for managing keys corresponding to broadband applications in the terminal 11 in particular. A service root key is understood in particular to be the material used to generate the key in a multi-level key mechanism.
Specifically, in private network construction, one or more service servers are provided, and an independent key management server 10 is provided, where the key management server 10 may be used to manage and update keys of all terminals 11 under the private network. The private network comprises a plurality of types of terminals 11, and different terminals 11 can correspond to different types of service servers, so that the key management server 10 can realize the compatibility and the butt joint of a plurality of different instant messaging systems. When the terminal 11 is a broadband terminal 12 that performs a service through a broadband core network, in order to implement management of a key in the broadband terminal 12 by the key management server 10, a key service module 112 corresponding to the key management server 10 needs to be set in the broadband terminal 12, and a first key channel that is dedicated for transmission of key management information and occupies broadband resources is set between the key management server 10 and the key service module 112. The key management server 10, upon determining that the key in the broadband terminal 12 satisfies the preset key update condition, correspondingly transmits broadband key management information for managing the key in the broadband terminal 12 to the key service module 112 through the first key channel. The key service module 112, after receiving the broadband key management information, forwards the broadband key management information to the encryption module 111 in the broadband terminal 12, where the encryption module 111 is used as a data processing module for actually performing data encryption and decryption in the broadband terminal 12, and stores a key for encrypting and decrypting service data of the broadband application. The encryption module 111 analyzes the broadband key management information after receiving it, and obtains a corresponding service root key for encrypting service data. 
And then according to the obtained service root key, when each service is executed, the service key corresponding to the current service can be derived, and the encryption of the service data to be transmitted or the decryption of the received encrypted service data can be realized through the obtained service key.
Optionally, when the key management server 10 sends the broadband key management information to the key service module 112 through the first key channel, a set of public-private key pairs may be set for the key management server 10 and the key service module 112 to encrypt and transmit the broadband key management information, and after the key service module 112 decrypts the broadband key management information, the broadband key management information is forwarded to the encryption module 111, so that the encryption module analyzes the broadband key management information to obtain a service root key, and further encrypts and decrypts the service data by using the service root key.
For example, when executing a communication service, the encryption module 111 may generate a set of random numbers, encrypt the set of random numbers with the service root key, and derive from it a service key corresponding to the communication service. The service key is used in the one or more terminals 11 taking part in the communication service. In the terminal 11 acting as service initiator, the service key encrypts the service data to be sent, yielding encrypted service data; the encrypted random numbers are sent at the same time, as a packet header, to the service server, which processes them accordingly and forwards them to the terminal 11 acting as service receiver. Because the receiving terminal 11 holds the same service root key as the service initiator, it can decrypt the received encrypted random numbers, derive from the recovered random numbers and the service root key the same service key as the initiator, and then decrypt the encrypted service data with that service key to complete the service.
It can be understood that the key level of the public-private key pair between the key management server 10 and the key service module 112 is greater than the key level of the service root key, and the key level of the service root key is greater than the key level of the service key derived from the service root key, so that the security of the key updating and data transmission process is ensured through multi-level encryption.
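The initiator/receiver exchange described above, as an added Go example that is not part of the patent: the page names no cipher or key derivation function, so this example assumes the service root key is a 32-byte AES-256 key, models "encrypting the random numbers with the service root key to derive a service key" as HMAC-SHA256 over the random numbers keyed with the root key, and protects both the packet header (the encrypted random numbers) and the service data with AES-GCM. The names Packet, EncryptService, DecryptService and the helpers are this example's own, not the patent's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Packet is what the initiator hands to the service channel: the encrypted
// random numbers as header, and the service data encrypted under the service key.
type Packet struct {
	Header  []byte // AES-GCM under the root key: nonce || ciphertext || tag
	Payload []byte // AES-GCM under the derived service key: nonce || ciphertext || tag
}

// deriveServiceKey stands in for "encrypt the random numbers with the service
// root key to derive a service key"; HMAC-SHA256 as KDF is this example's assumption.
func deriveServiceKey(rootKey, random []byte) []byte {
	mac := hmac.New(sha256.New, rootKey)
	mac.Write([]byte("service-key"))
	mac.Write(random)
	return mac.Sum(nil) // 32 bytes, used as an AES-256 key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts under a fresh random nonce and prepends the nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; a wrong key or any modified byte fails authentication.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data shorter than nonce")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// EncryptService is the initiator's encryption module: draw random numbers,
// derive the service key, encrypt the data, put the encrypted random numbers in the header.
func EncryptService(rootKey, serviceData []byte) (*Packet, error) {
	random := make([]byte, 16)
	if _, err := rand.Read(random); err != nil {
		return nil, err
	}
	header, err := gcmSeal(rootKey, random)
	if err != nil {
		return nil, err
	}
	payload, err := gcmSeal(deriveServiceKey(rootKey, random), serviceData)
	if err != nil {
		return nil, err
	}
	return &Packet{Header: header, Payload: payload}, nil
}

// DecryptService is the receiver's encryption module: holding the same root key,
// it recovers the random numbers, re-derives the service key and decrypts.
// A terminal with a different root key already fails at the header.
func DecryptService(rootKey []byte, p *Packet) ([]byte, error) {
	random, err := gcmOpen(rootKey, p.Header)
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	return gcmOpen(deriveServiceKey(rootKey, random), p.Payload)
}

func main() {
	rootKey := bytes.Repeat([]byte{0x42}, 32) // constructed sample service root key
	pkt, _ := EncryptService(rootKey, []byte("group call frame 1"))
	plain, err := DecryptService(rootKey, pkt)
	fmt.Println(string(plain), err)
}
```

The header and payload use an authenticated mode, so a terminal outside the group (a different root key) cannot recover the random numbers, and any modification of the packet in transit is detected rather than producing garbage plaintext; the service key itself never leaves the terminal, which is the point of the multi-level hierarchy.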
Example two
Fig. 2 is a schematic structural diagram of an encryption system according to a second embodiment of the present invention, where the technical solution of the embodiment of the present invention is further refined based on the above technical solution, and a manner in which the key management server 10 updates and manages the key in the broadband terminal 12 is clarified. The broadband terminal 12 further includes a service application module 113, and the service server 20 includes a broadband service server 201 corresponding to the service of the service application module 113, where the broadband service server 201 belongs to one of the service servers 20, and a first service channel is disposed between the service application module 113 and the broadband service server 201, and the first service channel occupies resources in the broadband to perform encrypted service data transmission. In fig. 2, the encryption system 1 includes two broadband terminals 12, and the service server 20 is a broadband service server 201, where a first key channel in the broadband core network is indicated by a solid line, and a first service channel is indicated by a dashed line.
The connection relationship between the key management server 10 and the broadband service server 201 includes at least the case in which there is no connection;
The key management server 10 is specifically configured to:
Generating broadband key management information according to pre-stored group relation information when a key update instruction is received, and transmitting the broadband key management information to the corresponding key service module 112 through the first key channel; or
Generating broadband key management information according to the pre-stored group relation information at a preset key updating period, and transmitting the broadband key management information to the corresponding key service module 112 through the first key channel.
The connection relationship between the key management server 10 and the broadband service server 201 also includes a group relationship synchronization connection;
The key management server 10 is further configured to: when the group relationship managed by the broadband service server 201 is changed, the group relationship change information transmitted by the broadband service server 201 through the group relationship synchronous connection is received, and the stored current group relationship information is updated according to the group relationship change information.
The key management server 10 is further configured to:
Generating broadband key management information according to the current group relation information when the group relation change information is received, and correspondingly transmitting the broadband key management information to the key service module 112 through the first key channel; or
Generating broadband key management information according to the current group relation information when a key update instruction is received, and correspondingly transmitting the broadband key management information to the key service module 112 through the first key channel; or
Generating broadband key management information according to the current group relation information at a preset key updating period, and correspondingly transmitting the broadband key management information to the key service module 112 through the first key channel.
The service application module 113 is configured to receive the encrypted service data sent by the encryption module 111 when the service initiator is used, and send the encrypted service data to the broadband service server 201 through the first service channel, so that the broadband service server 201 forwards the encrypted service data to the service receiver;
The service application module 113 is further configured to, when being a service receiver, receive encrypted service data sent by the broadband service server 201 through the first service channel, and forward the encrypted service data to the encryption module 111, so that the encryption module 111 decrypts the encrypted service data.
In this embodiment, the group relationship is understood as information indicating the group to which a terminal belongs and the terminal's authority level within that group, for example which broadband service servers 201 or which broadband terminals 12 the service application module 113 of a broadband terminal 12 may access, and what authority it has to transmit service data; this embodiment does not limit its form. The pre-stored group relationship information is information stored in the key management server 10 in advance, for the case where there is no connection between the key management server 10 and the broadband service server 201, and indicates the group relationships of the terminals managed by the broadband service server 201. When there is no such connection, the pre-stored group relationship information does not change during use; this suits low-cost deployments in which the amount of data transmitted is to be minimized. The group relationship change information is information containing the changed group relationship content, used to synchronize the key management server 10. The current group relationship information is the information held by the key management server 10 at the current time, indicating the group relationships of the terminals managed by the broadband service server 201. The service application module 113 is an application provided in the broadband terminal 12 that transmits service data through the broadband core network and the radio access network. The broadband service server 201 is a service server that processes service data transmitted via the broadband core network and the radio access network.
The key update instruction is an instruction issued externally to trigger the key management server 10 to update the keys of every broadband terminal 12 it manages. The preset key update period is a time interval set according to actual conditions at which keys are updated without any external trigger, so that no key is left in use for too long. The first service channel is a channel set up between the broadband service server 201 and the service application module 113 it serves; it occupies broadband resources and carries service data.
Specifically, the broadband service server 201 in the service server manages every broadband terminal 12 that accesses it. When there is no connection between the key management server 10 and the broadband service server 201, the key management server 10 stores, before being put into use, the pre-stored group relationship information corresponding to the broadband service server 201, and this information does not follow later changes in the group relationships of the terminals managed by the broadband service server 201. To secure service data transmission and avoid the risk that a key used for a long time without update is recovered by an attacker, the key management server 10 generates the corresponding broadband key management information from the pre-stored group relationship information either when it receives a key update instruction or when the key has gone un-updated for a preset key update period, and sends it through the first key channel to the key service modules 112 of the respective broadband terminals 12, so that the service root keys in their encryption modules 111 are updated.
Further, when the key management server 10 and the broadband service server 201 maintain a group relationship synchronization connection, a change in the group a terminal belongs to or in its level of authority changes the group relationship of that broadband terminal 12, and the keys held in the broadband terminal 12 must follow that change. The broadband service server 201 therefore generates group relationship change information from the changed group relationship and sends it to the key management server 10 over the group relationship synchronization connection. The key management server 10 updates its stored current group relationship information from the received change information, generates broadband key management information from the current group relationship information to adjust the terminal keys, and sends it through the first key channel to the key service module 112 of the broadband terminal 12. On receiving the broadband key management information, the key service module 112 forwards it to the encryption module 111 in the broadband terminal 12, so that the encryption module 111 can perform encryption and decryption of service data in the subsequent service flow.
Further, to secure service data transmission, the key management server 10, in addition to updating the keys of every broadband terminal 12 it manages when it receives group relationship change information from the broadband service server 201, also generates the corresponding broadband key management information from its stored current group relationship information when triggered by a key update instruction, and sends it through the first key channel to the key service modules 112 of the respective broadband terminals 12, so that the service root keys in their encryption modules 111 are updated.
Further, even when the key management server 10 receives no external trigger at all, it generates the corresponding broadband key management information from its stored current group relationship information once every preset key update period and sends it through the first key channel to the key service modules 112 of the respective broadband terminals 12, so that the service root key in the encryption module 111 of each broadband terminal 12 is updated on a schedule. Optionally, the key management server 10 restarts its timer after every transmission of broadband key management information, and performs the periodic transmission only when the timer reaches the preset key update period without any group relationship change information or key update instruction having been received in the meantime.
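The three triggers above (group relationship change, key update instruction, preset period with timer restart) are easy to get subtly wrong, in particular which groups must be rekeyed on a membership change and when the period timer restarts. The following Python simulation is an added example and not code from the patent or from Hytera: it models the key management server 10, the first key channel and the key service modules 112 as plain objects, and the message layout, the per-group service root key and the timer semantics are assumptions. The same class serves the no-connection case of the previous embodiment: load the pre-stored group relationship information once and never call the group-change handler.

```python
"""Added example: simulated key management server with the three rekey triggers.
Not part of the patent; names, message format and timer semantics are assumed."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class BroadbandKeyManagementInfo:
    """One key management message for one group (layout assumed)."""
    group_id: str
    key_version: int
    service_root_key: bytes  # would be wrapped for the terminal in a real system


class FirstKeyChannel:
    """Models the first key channel: KMS -> key service module 112 of each terminal."""

    def __init__(self):
        self.delivered = {}  # terminal_id -> [BroadbandKeyManagementInfo, ...]

    def send(self, terminal_id, info):
        self.delivered.setdefault(terminal_id, []).append(info)

    def count(self, terminal_id):
        return len(self.delivered.get(terminal_id, []))


class KeyManagementServer:
    def __init__(self, channel, update_period):
        self.channel = channel
        self.update_period = update_period  # preset key update period (seconds)
        self.elapsed = 0                    # time since the last transmission
        self.groups = {}                    # group_id -> set(terminal_id)
        self.key_version = {}               # group_id -> int

    def load_group_relations(self, relations):
        """Pre-stored (no-connection case) or initial current group relation info."""
        self.groups = {g: set(members) for g, members in relations.items()}

    def _rekey(self, group_ids):
        """Generate a fresh service root key per group and push it to every member."""
        sent = 0
        for g in group_ids:
            members = self.groups.get(g)
            if not members:
                continue  # an empty group has nobody to key
            self.key_version[g] = self.key_version.get(g, 0) + 1
            info = BroadbandKeyManagementInfo(g, self.key_version[g], os.urandom(32))
            for t in members:
                self.channel.send(t, info)
                sent += 1
        self.elapsed = 0  # the period timer restarts after any transmission
        return sent

    # Trigger 1: group relationship change synced from the broadband service server.
    def on_group_change(self, terminal_id, old_group, new_group):
        affected = set()
        if old_group is not None:
            self.groups.get(old_group, set()).discard(terminal_id)
            affected.add(old_group)  # the leaver must not keep a usable key
        if new_group is not None:
            self.groups.setdefault(new_group, set()).add(terminal_id)
            affected.add(new_group)  # the joiner must not read earlier traffic
        return self._rekey(sorted(affected))

    # Trigger 2: an external key update instruction rekeys every group.
    def on_key_update_instruction(self):
        return self._rekey(sorted(self.groups))

    # Trigger 3: preset key update period with no other trigger in between.
    def tick(self, seconds):
        self.elapsed += seconds
        if self.elapsed >= self.update_period:
            return self._rekey(sorted(self.groups))
        return 0
```

Rekeying both the group a terminal leaves and the group it joins is what makes the group relationship the authorization boundary: a terminal removed from a group loses the ability to read that group's later traffic, and a terminal added to a group cannot decrypt traffic recorded before it joined.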
According to the technical solution of this embodiment, the key management server 10 is triggered in several different ways to update the keys in every broadband terminal 12 it manages, which ensures that no terminal is left out of a key update and improves the security of the encryption system.
Further, since the first service channel is set up between the service application module 113 in the broadband terminal 12 and the broadband service server 201, only encrypted service data is carried on the first service channel, which occupies broadband resources. Therefore, when the broadband terminal 12 acts as service initiator, the service data to be sent is first encrypted in the encryption module 111 with a service key derived from the service root key, yielding the encrypted service data; because the encryption module 111 is communicatively connected to the service application module 113 in the broadband terminal 12, the encrypted service data is passed to the service application module 113, which sends it over the first service channel to the broadband service server 201, so that the broadband service server 201 can process the encrypted service data accordingly or forward it to the broadband terminal 12 of the service receiver.
Further, when the broadband terminal 12 acts as service receiver, the service application module 113 receives the encrypted service data sent by the broadband service server 201 over the first service channel and forwards it to the encryption module 111, which decrypts it with the same service key as the service initiator.
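The terminal-side part of this flow, the encryption module 111 parsing the key management information into a service root key, deriving a service key for the current service and encrypting or decrypting service data, is shown below as an added Python example. It is not code from the patent or from Hytera: the record layout, the derivation label and the choice of HKDF-SHA256 are assumptions, and since the page does not name the cipher, the example uses a standard-library-only encrypt-then-MAC construction (HMAC keystream plus HMAC tag) in place of the AES-GCM a product would normally use, so that it runs anywhere without third-party packages.

```python
"""Added example: encryption module 111 side. Parses an (assumed) key management
record, derives a per-service key from the service root key, and encrypts or
decrypts service data so that initiator and receiver only share the root key."""
import hashlib
import hmac
import os
import struct


def parse_key_management_info(record: bytes):
    """Assumed record layout: b"group_id|key_version|hex(root_key)"."""
    group_id, version, root_hex = record.split(b"|")
    root_key = bytes.fromhex(root_hex.decode())
    if len(root_key) != 32:
        raise ValueError("service root key must be 256 bits")
    return group_id.decode(), int(version), root_key


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with SHA-256 (extract, then expand)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_service_key(root_key: bytes, group_id: str, key_version: int,
                       service_id: str) -> bytes:
    """64 bytes: first half encrypts, second half authenticates. Binding group,
    key version and service id means a key for one call cannot be reused for
    another call or an older root key (the label string is an assumption)."""
    salt = f"{group_id}:{key_version}".encode()
    info = b"service-key|" + service_id.encode()
    return hkdf_sha256(root_key, salt, info, 64)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_service_data(service_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    enc_key, mac_key = service_key[:32], service_key[32:]
    nonce = nonce or os.urandom(16)  # never reuse a nonce under the same key
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_service_data(service_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = service_key[:32], service_key[32:]
    if len(blob) < 16 + 32:
        raise ValueError("truncated")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before touching the ciphertext
        raise ValueError("authentication failed: wrong service key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

Because the derivation is bound to the key version, a receiver that missed the latest key management information fails authentication immediately rather than silently decrypting garbage, which is the observable symptom a practitioner should expect after a rekey that did not reach every terminal.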
In this embodiment, the first key channel carrying key information and the first service channel carrying service data are completely independent, and the key management server and the broadband service server in the service server maintain only a group relationship synchronization connection, so the encryption system and the service system are independent and do not affect each other. Key management operations such as key application, distribution and update do not depend on the service flow or the service channel, add no delay or concurrency burden to service sessions, keep key update management timely and secure service data transmission.
Example III
Fig. 3 is a schematic structural diagram of an encryption system according to a third embodiment of the present invention, which further refines the above technical solution to make clear how the parts of the encryption system 1 change when the terminal 11 is a narrowband terminal 13, and how the independently deployed key management server 10 manages the keys of the narrowband terminal 13. When the terminal 11 is a narrowband terminal 13, the narrowband terminal 13 further includes a narrowband application module 114, the service server 20 includes a narrowband gateway 202 connected to the narrowband application module 114 through a second service channel, and a second key channel is set up between the key management server 10 and the narrowband gateway 202. In Fig. 3, the encryption system 1 includes a narrowband terminal 13, and the service server 20 is exemplified by a narrowband gateway 202.
The key management server 10 is configured to send narrowband key management information to the narrowband gateway 202 through the second key channel when a preset key update condition is met; correspondingly,
A narrowband gateway 202 for sending narrowband key management information over a second traffic channel to narrowband application module 114;
a narrowband application module 114 for forwarding narrowband key management information to encryption module 111;
The encryption module 111 is configured to parse the narrowband key management information to obtain a service root key, and encrypt service data to be sent by using the service root key, or decrypt the received encrypted service data by using the service root key.
In this embodiment, the narrowband terminal 13 may be specifically understood as a terminal that performs a service through a narrowband core network. The narrowband application module 114 may be specifically understood as an application disposed in the narrowband terminal 13, and implementing service data transmission through a narrowband core network and a radio access network. Narrowband gateway 202 may be understood as a service server for accessing service data transmitted by a narrowband core network and a radio access network to a service system. The preset key updating conditions are the same as the key updating conditions in the above embodiment, and can be specifically understood as conditions preset according to actual situations for managing, updating and maintaining the keys issued to each narrowband terminal 13 to ensure the data confidentiality degree and security in the service processing process. The second key channel is specifically understood to be a channel provided between the key management server 10 and the narrowband gateway 202, which exists independently of the traffic channel, for transmitting management information of the key management server 10 for the key in the narrowband terminal 13. The second traffic channel may be specifically understood as a channel that is disposed between the narrowband gateway 202 and the narrowband application module 114 served thereby, and occupies narrowband resources to implement traffic data transmission. The narrowband key management information may be understood as information for managing a key corresponding to a narrowband application in the narrowband terminal 13.
Specifically, when the terminal 11 served by the encryption system 1 is a narrowband terminal 13, instead of the conventional approach of tightly coupling the key management server 10 to the service server 20 serving the narrowband terminal 13, or of running the key management service as a module inside the service server 20, this embodiment deploys the key management server 10 independently, with only a second key channel for key management information between the key management server 10 and the narrowband gateway 202 corresponding to the narrowband terminal 13. When the key management server 10 determines that the key in the narrowband terminal 13 meets the preset key update condition, it sends the narrowband key management information for managing that key to the narrowband gateway 202; the narrowband gateway 202 sends the narrowband key management information over the second service channel to the narrowband application module 114 in the narrowband terminal 13, the narrowband application module 114 forwards it to the encryption module 111, and the encryption module 111 parses it to obtain the service root key. From that service root key, the service key for the current service is derived each time a service is executed, and the service data to be sent is encrypted, or the received encrypted service data is decrypted, with that service key.
Optionally, key management for the narrowband terminal 13 may be implemented through narrowband over-the-air rekeying (OTAR). This embodiment only deploys the key management server 10 independently and has it send the narrowband key management information accordingly; the key management method within the narrowband itself is not limited.
Further, sending the narrowband key management information to the narrowband gateway 202 through the second key channel when the preset key update condition is met may specifically include the following cases:
upon receiving a key update instruction, sending the narrowband key management information to the corresponding narrowband gateway 202 through the second key channel; or
sending the narrowband key management information to the corresponding narrowband gateway 202 through the second key channel at a preset key update period.
The way the narrowband key management information is sent to the narrowband gateway 202 in this embodiment is substantially the same as the way the broadband key management information is sent to the key service module 112 in the above embodiment, and is not explained again here.
In this embodiment, the key management service that the narrowband terminal originally received is provided by the independently deployed key management server, the narrowband key management information is carried over a separate second key channel set up between the key management server and the narrowband gateway, and key management is decoupled from the narrowband service, so that while serving the narrowband terminal the key management server can also provide different key management services to other kinds of terminal, which improves the generality of the encryption system. Because key management operations do not depend on the service flow or the service channel, they add no delay or concurrency burden to service sessions, keep key update management timely and secure service data transmission.
Example IV
Fig. 4 is a schematic structural diagram of an encryption system according to a fourth embodiment of the present invention, which further refines the above technical solution to make clear how the parts of the encryption system 1 change when the terminal 11 is a dual-mode terminal 14, and how the independently deployed key management server 10 manages the keys of the dual-mode terminal 14. When the terminal 11 is a dual-mode terminal 14, the dual-mode terminal 14 further includes a key service module 112, a service application module 113 and a narrowband application module 114, and the key management server 10 is deployed independently of both the broadband service server 201 and the narrowband gateway 202 in the service server 20. A first key channel is set up between the key management server 10 and the key service module 112 and occupies broadband resources to carry key management information; a second key channel is set up between the key management server 10 and the narrowband gateway 202; the key management server 10 and the broadband service server 201 maintain a group relationship synchronization connection; and a second service channel is set up between the narrowband application module 114 and the narrowband gateway 202 and occupies narrowband resources to carry both service data and key management information. In Fig. 4, the encryption system 1 includes a broadband terminal 12, a narrowband terminal 13 and a dual-mode terminal 14.
The key management server 10 is configured to send broadband key management information to the corresponding key service module 112 through a first key channel or send narrowband key management information to the narrowband gateway 202 through a second key channel when a preset key update condition is satisfied;
a narrowband gateway 202 for sending narrowband key management information over a second traffic channel to narrowband application module 114;
a narrowband application module 114 for forwarding narrowband key management information to encryption module 111;
a key service module 112 for receiving the wideband key management information and forwarding the wideband key management information to the encryption module 111;
The encryption module 111 is configured to parse the wideband key management information or the narrowband key management information to obtain a service root key, and encrypt service data to be sent by using the service root key, or decrypt the received encrypted service data by using the service root key.
Further, the key management server 10 is specifically configured to:
upon receiving group relationship change information from the broadband service server 201, generating broadband key management information according to the group relationship change information and sending it to the corresponding key service module 112 through the first key channel; or
upon receiving a key update instruction, sending broadband key management information to the corresponding key service module 112 through the first key channel, or sending narrowband key management information to the narrowband gateway 202 through the second key channel; or
sending broadband key management information to the corresponding key service module 112 through the first key channel, or narrowband key management information to the narrowband gateway 202 through the second key channel, at a preset key update period.
It will be appreciated that the dual mode terminal 14 corresponds to a combination of the broadband terminal 12 and the narrowband terminal 13, and the key management server 10 manages the key therein in substantially the same manner as described above for managing the broadband terminal 12 and the narrowband terminal 13, which will not be explained in detail in the embodiment of the present invention.
Further, in the embodiment of the present invention, a scheme is provided for the key management server 10 to manage the key of the dual-mode terminal 14, where the key management server 10 is further configured to, when narrowband key management information cannot be sent to the narrowband application module 114 in the dual-mode terminal 14 through the narrowband gateway 202:
transmitting narrowband key management information to a corresponding key service module 112 over a first key channel;
In a corresponding manner,
The key service module 112 is further configured to receive the narrowband key management information, and forward the narrowband key management information to the encryption module 111.
Specifically, since the encryption module 111 of the dual-mode terminal 14 needs to manage the keys required by the service application module 113 and the narrowband application module 114 at the same time, when the key management server 10 cannot complete the management of the key corresponding to the narrowband application module 114 through the narrowband gateway 202, the narrowband key management information can be sent to the key service module 112 through the broadband network via the first key channel, and the key service module 112 can forward the received narrowband key management information to the encryption module 111, so as to complete the key management for the narrowband application module 114.
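The fallback in this paragraph, narrowband key management information rerouted over the broadband first key channel when the narrowband gateway path is unavailable, is shown below as an added Python example. It is not code from the patent or from Hytera; the channel objects, the terminal record and the way reachability is signalled are assumptions. It also covers the pure narrowband terminal, for which no fallback exists and the key update has to wait for the gateway.

```python
"""Added example: delivery of narrowband key management information with
fallback to the first key channel for a dual-mode terminal. Not part of the
patent; object model and error signalling are assumed."""
from dataclasses import dataclass, field


class EncryptionModule:
    """Module 111: holds one service root key per network side."""

    def __init__(self):
        self.root_keys = {}  # "broadband" | "narrowband" -> key material

    def install(self, kind, info):
        self.root_keys[kind] = info


@dataclass
class Terminal:
    terminal_id: str
    broadband: bool   # has a key service module 112 and a first key channel
    narrowband: bool  # has a narrowband application module 114
    encryption_module: EncryptionModule = field(default_factory=EncryptionModule)


class NarrowbandGateway:
    """Second key channel (KMS -> gateway 202), then second service channel
    (gateway 202 -> narrowband application module 114 -> module 111)."""

    def __init__(self, reachable=True):
        self.reachable = reachable

    def forward(self, terminal, info):
        if not self.reachable or not terminal.narrowband:
            raise ConnectionError("narrowband path unavailable")
        terminal.encryption_module.install("narrowband", info)
        return "second_service_channel"


class FirstKeyChannel:
    """First key channel: KMS -> key service module 112 -> module 111."""

    def forward(self, terminal, kind, info):
        if not terminal.broadband:
            raise ConnectionError("terminal has no key service module")
        # module 112 forwards whatever key management information it receives
        terminal.encryption_module.install(kind, info)
        return "first_key_channel"


class KeyManagementServer:
    def __init__(self, gateway, first_key_channel):
        self.gateway = gateway
        self.first_key_channel = first_key_channel

    def deliver_narrowband(self, terminal, info):
        """Returns the channel that delivered the narrowband key management
        information, or None when the terminal cannot currently be reached."""
        try:
            return self.gateway.forward(terminal, info)
        except ConnectionError:
            if terminal.broadband:
                # dual-mode terminal: reroute over the broadband first key channel
                return self.first_key_channel.forward(terminal, "narrowband", info)
            return None  # pure narrowband terminal: retry when the gateway is back
```

One consequence worth noting when deploying this: with the fallback, narrowband key material travels over the first key channel, so the protection of that channel has to be adequate for the narrowband keys as well, and the key management server should record which terminals are still pending so that the retry toward the narrowband gateway is not forgotten.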
Further, there may be a communication connection between the narrowband gateway 202 and the broadband service server 201 in the service server. When a group contains any two of a broadband terminal 12, a narrowband terminal 13 and a dual-mode terminal 14, a service application module 113 and a narrowband application module 114 may need to reach each other; the encrypted service data is then carried over the communication connection between the broadband service server 201 and the narrowband gateway 202, and because the encryption modules 111 of all terminals 11 in the same group hold the same service root key, different types of terminal can coexist and interoperate under the encryption system 1.
Further, the encryption system 1 may also include a key management proxy server corresponding to the key management server 10, deployed between the key management server 10 and the public network. If key management information from the key management server 10 has to cross the public network, the key management server 10 first sends it to the key management proxy server, which then sends it on to the corresponding address.
In this embodiment, the independently deployed key management server issues key management information over both the narrowband and the broadband, so the requirements of different scenarios can be met flexibly. The interaction between the key service client of the dual-mode terminal and the key management server can flexibly use the second service channel and second key channel on the narrowband side or the first key channel on the broadband side, so the encryption system is more general and compatible, and can easily be adapted to various private-network application service systems and to terminals of different modes.
Example five
The fifth embodiment of the present invention further provides a key management server, where the key management server is applied to an encryption system for private network communication, that is, the encryption system provided in the foregoing embodiments. The encryption system includes a key management server and at least one terminal, the key management server being set independently of the service server. Terminals in the encryption system can be classified into broadband terminals, narrowband terminals and dual-mode terminals, and service servers corresponding to different types of terminals for providing service to the terminals can be classified into broadband service servers and narrowband gateways.
When the terminal is a broadband terminal, a first key channel is arranged between the key management server and the broadband terminal, and the first key channel occupies resources in the broadband to transmit key management information; the key management server is used for sending broadband key management information to the corresponding broadband terminal through the first key channel when the preset key updating condition is met;
When the terminal is a narrow-band terminal, the service server comprises a narrow-band gateway corresponding to the narrow-band terminal, and a second key channel is arranged between the key management server and the narrow-band gateway; the key management server is used for sending the narrow-band key management information to the narrow-band gateway through the second key channel when the preset key updating condition is met;
When the terminal is a dual-mode terminal, a first key channel is arranged between the key management server and the dual-mode terminal, and the first key channel occupies resources in a broadband to transmit key management information; a second key channel is arranged between the key management server and the narrow-band gateway corresponding to the dual-mode terminal; and the key management server is used for sending broadband key management information to the corresponding dual-mode terminal through the first key channel or sending narrowband key management information to the narrowband gateway through the second key channel when the preset key updating condition is met.
The transmission manner of the wideband key management information and the narrowband key management information by the key management server provided in the embodiment of the present invention is the same as the data transmission manner of the key management server 10 in the embodiment of the encryption system described above, and this will not be explained in detail in the embodiment of the present invention.
In this embodiment, the key management server is deployed independently of the service server, and the first key channel and second key channel, independent of the service channels, carry the key management information for the broadband and the narrowband respectively; key management is thereby decoupled from the services, so that the key management server can serve several different types of terminal at the same time, which improves its generality. Because key management operations do not depend on the service flow or the service channel, they add no delay or concurrency burden to service sessions, keep key update management timely and secure service data transmission.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (11)

1. The encryption system is characterized by comprising a key management server and at least one terminal, wherein the key management server is independent of a service server, the terminal at least comprises an encryption module, and when the terminal is a broadband terminal, the broadband terminal at least further comprises a key service module; a first key channel is arranged between the key management server and the key service module, and occupies resources in a broadband to transmit key management information;
the key management server is used for sending broadband key management information to the corresponding key service module through the first key channel when a preset key updating condition is met;
The key service module is used for receiving the broadband key management information and forwarding the broadband key management information to the encryption module;
The encryption module is used for analyzing the broadband key management information to obtain a service root key, encrypting service data to be sent through the service root key, or decrypting the received encrypted service data through the service root key.
2. The system of claim 1, wherein the connection state between the key management server and a broadband service server includes at least the case of no connection, the broadband service server being the service server corresponding to the broadband terminal;
The key management server is specifically configured to:
when a key update instruction is received, generate broadband key management information according to the pre-stored group relationship information and send it to the corresponding key service module through the first key channel; or
generate broadband key management information according to the pre-stored group relationship information at a preset key update period and send it to the corresponding key service module through the first key channel.
3. The system of claim 1, wherein the connection of the key management server to the broadband service server further comprises a group relationship synchronization connection; the broadband service server is a service server corresponding to the broadband terminal;
The key management server is further configured to:
And when the group relation managed by the broadband service server is changed, receiving group relation changing information sent by the broadband service server through the group relation synchronous connection, and updating the stored current group relation information according to the group relation changing information.
4. The system of claim 3, wherein the key management server is further configured to:
when the group relationship change information is received, generate broadband key management information according to the current group relationship information and send it to the corresponding key service module through the first key channel; or
when a key update instruction is received, generate broadband key management information according to the current group relationship information and send it to the corresponding key service module through the first key channel; or
generate broadband key management information according to the current group relationship information at a preset key update period and send it to the corresponding key service module through the first key channel.
5. The system according to claim 2 or 3, wherein the broadband terminal further comprises a service application module; a first service channel is arranged between the service application module and the broadband service server and occupies broadband resources to transmit encrypted service data;
the service application module is used, when the terminal acts as the service initiator, for receiving encrypted service data from the encryption module and sending it to the broadband service server through the first service channel, so that the broadband service server forwards the encrypted service data to the service receiver;
the service application module is further used, when the terminal acts as the service receiver, for receiving encrypted service data sent by the broadband service server through the first service channel and forwarding it to the encryption module, so that the encryption module decrypts the encrypted service data.
6. The system according to claim 1, wherein, when the terminal is a narrowband terminal, the narrowband terminal further comprises a narrowband application module, and the service server comprises a narrowband gateway connected to the narrowband application module through a second service channel; a second key channel is arranged between the key management server and the narrowband gateway;
The key management server is further configured to:
send narrowband key management information to the narrowband gateway through the second key channel when a preset key update condition is satisfied;
Correspondingly,
the narrowband gateway is used for sending the narrowband key management information to the narrowband application module through the second service channel;
the narrowband application module is used for forwarding the narrowband key management information to the encryption module;
the encryption module is used for parsing the narrowband key management information to obtain a service root key, and for encrypting service data to be sent with the service root key or decrypting received encrypted service data with the service root key.
7. The system of claim 6, wherein sending narrowband key management information to the narrowband gateway through the second key channel when a preset key update condition is satisfied comprises:
when a key update instruction is received, sending narrowband key management information to the corresponding narrowband gateway through the second key channel; or
sending narrowband key management information to the corresponding narrowband gateway through the second key channel at a preset key update period.
8. The system according to claim 1, wherein, when the terminal is a dual-mode terminal, the dual-mode terminal further comprises a key service module, a service application module and a narrowband application module, and the key management server is set independently of the broadband service server and the narrowband gateway in the service server;
a first key channel is arranged between the key management server and the key service module and occupies broadband resources to transmit key management information; a second key channel is arranged between the key management server and the narrowband gateway; a group relation synchronization connection is reserved between the key management server and the broadband service server; a second service channel is arranged between the narrowband application module and the narrowband gateway and occupies narrowband resources to transmit service data and key management information;
the key management server is used for sending broadband key management information to the corresponding key service module through the first key channel, or narrowband key management information to the narrowband gateway through the second key channel, when a preset key update condition is satisfied;
the narrowband gateway is used for sending the narrowband key management information to the narrowband application module through the second service channel;
the narrowband application module is used for forwarding the narrowband key management information to the encryption module;
the key service module is used for receiving the broadband key management information and forwarding it to the encryption module;
the encryption module is used for parsing the broadband key management information or the narrowband key management information to obtain a service root key, and for encrypting service data to be sent with the service root key or decrypting received encrypted service data with the service root key.
9. The system according to claim 8, wherein the key management server is specifically configured to:
when group relation change information sent by the broadband service server is received, generate broadband key management information according to the group relation change information and send it to the corresponding key service module through the first key channel; or
when a key update instruction is received, send broadband key management information to the corresponding key service module through the first key channel, or send narrowband key management information to the narrowband gateway through the second key channel; or
send broadband key management information to the corresponding key service module through the first key channel, or narrowband key management information to the narrowband gateway through the second key channel, at a preset key update period.
10. The system of claim 8, wherein, when narrowband key management information cannot be sent to the narrowband application module via the narrowband gateway, the key management server is further configured to:
send the narrowband key management information to the corresponding key service module through the first key channel;
Correspondingly,
the key service module is further configured to receive the narrowband key management information and forward it to the encryption module.
11. A key management server, characterized in that it is applied in an encryption system for private network communication, the encryption system comprising the key management server and at least one terminal, the key management server being set independently of a service server;
when the terminal is a broadband terminal, a first key channel is arranged between the key management server and the broadband terminal and occupies broadband resources to transmit key management information; the key management server is used for sending broadband key management information to the corresponding broadband terminal through the first key channel when a preset key update condition is satisfied;
when the terminal is a narrowband terminal, the service server comprises a narrowband gateway corresponding to the narrowband terminal, and a second key channel is arranged between the key management server and the narrowband gateway; the key management server is used for sending narrowband key management information to the narrowband gateway through the second key channel when a preset key update condition is satisfied;
when the terminal is a dual-mode terminal, a first key channel is arranged between the key management server and the dual-mode terminal and occupies broadband resources to transmit key management information; a second key channel is arranged between the key management server and the narrowband gateway corresponding to the dual-mode terminal; and the key management server is used for sending broadband key management information to the corresponding dual-mode terminal through the first key channel, or narrowband key management information to the narrowband gateway through the second key channel, when the preset key update condition is satisfied.
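The following Python model is an added illustration of the distribution paths in claims 1 to 11; it is not code from the patent or from Hytera. It walks a broadband, a dual-mode and a narrowband terminal through the three rekey triggers (group relation change, key update instruction, update period), routes key management information over the first key channel or over the second key channel via the narrowband gateway, and exercises the claim 10 fallback when the gateway is unreachable. It goes slightly beyond the claims in two places, to show what the architecture buys: a terminal removed from a group can no longer decrypt traffic sent after the membership-triggered rekey, and the broadband service server, being separate from the key management server, never holds a root key. All class and field names, the dict-based "channels", the 2-byte key_id header and the HMAC-SHA256 stand-in cipher are assumptions; the claims specify neither a message format nor a cipher.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class KeyManagementInfo:
    """Assumed payload of the claims' key management information; field names are assumptions."""
    group_id: str
    key_id: int
    root_key: bytes

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode keystream; a stand-in, since the claims name no cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

class EncryptionModule:
    """Terminal side: parses key management information and holds the service root key."""
    def __init__(self) -> None:
        self.keys = {}  # group_id -> (key_id, root_key)

    def parse(self, info: KeyManagementInfo) -> None:
        self.keys[info.group_id] = (info.key_id, info.root_key)

    def encrypt(self, group_id: str, plaintext: bytes) -> bytes:
        key_id, root = self.keys[group_id]
        header = key_id.to_bytes(2, "big") + secrets.token_bytes(12)  # key_id lets a receiver spot a missed rekey
        body = _keystream_xor(root, header[2:], plaintext)
        tag = hmac.new(root, header + body, hashlib.sha256).digest()[:16]
        return header + body + tag

    def decrypt(self, group_id: str, blob: bytes) -> bytes:
        key_id, root = self.keys[group_id]
        header, body, tag = blob[:14], blob[14:-16], blob[-16:]
        if int.from_bytes(header[:2], "big") != key_id:
            raise ValueError("key_id mismatch: stale or revoked service root key")
        expected = hmac.new(root, header + body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        return _keystream_xor(root, header[2:], body)

class Terminal:
    """Broadband, narrowband or dual-mode terminal; all three share one encryption module."""
    def __init__(self, name: str, modes: set) -> None:
        self.name, self.modes, self.crypto = name, modes, EncryptionModule()

class NarrowbandGateway:
    """Endpoint of the second key channel; relays key management information over the narrowband."""
    def __init__(self) -> None:
        self.reachable = True

    def deliver(self, terminal: Terminal, info: KeyManagementInfo) -> bool:
        if not self.reachable:
            return False
        terminal.crypto.parse(info)  # second service channel -> narrowband application module -> encryption module
        return True

class KeyManagementServer:
    """Set independently of the service servers; the only party that creates service root keys."""
    def __init__(self, gateway: NarrowbandGateway) -> None:
        self.gateway, self.groups, self.key_ids, self.log = gateway, {}, {}, []

    def sync_group_relation(self, group_id: str, members: set) -> None:
        """Group relation change received over the synchronization connection (claims 3 and 4)."""
        self.groups[group_id] = set(members)
        self.rekey(group_id)  # a membership change is one of the three rekey triggers

    def rekey(self, group_id: str) -> KeyManagementInfo:
        """Also the handler for a key update instruction and for the preset update period."""
        self.key_ids[group_id] = self.key_ids.get(group_id, 0) + 1
        info = KeyManagementInfo(group_id, self.key_ids[group_id], secrets.token_bytes(32))
        for t in self.groups[group_id]:
            if "narrowband" in t.modes and self.gateway.deliver(t, info):
                self.log.append((t.name, info.key_id, "second key channel"))
            elif "broadband" in t.modes:
                t.crypto.parse(info)  # first key channel -> key service module; also the claim 10 fallback
                self.log.append((t.name, info.key_id, "first key channel"))
        return info

def run_scenario() -> dict:
    """Three terminals in group g1; the broadband service server only forwards ciphertext unchanged."""
    gw = NarrowbandGateway()
    kms = KeyManagementServer(gw)
    a, b, c = Terminal("A", {"broadband"}), Terminal("B", {"broadband", "narrowband"}), Terminal("C", {"narrowband"})
    kms.sync_group_relation("g1", {a, b, c})
    kms.sync_group_relation("g1", {a, b})  # C leaves the group: the change triggers a rekey
    frame2 = a.crypto.encrypt("g1", b"ptt frame 2")
    b_reads_frame2 = b.crypto.decrypt("g1", frame2)
    try:
        c.crypto.decrypt("g1", frame2)
        c_rejects_frame2 = False
    except ValueError:
        c_rejects_frame2 = True
    gw.reachable = False  # narrowband path down: the dual-mode terminal is keyed per claim 10
    kms.rekey("g1")
    return {"b_reads_frame2": b_reads_frame2, "c_rejects_frame2": c_rejects_frame2, "paths": kms.log}
```

Two points a practitioner would check against this design, neither of which the claims as published address: the key management information carries the service root key itself, so the first key channel and the second service channel must provide confidentiality and mutual authentication of their own, or every terminal on the bearer learns the group key; and the exclusion of a departed terminal only holds if receivers refuse data encrypted under a key_id other than their current one, which is what the key_id check in decrypt enforces.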
Application CN202211735877.6A, filed 2022-12-30, priority date 2022-12-30: An encryption system and a key management server. Status: pending.

Publications (1)

Publication Number Publication Date
CN118316632A 2024-07-09

Family

ID=91719795

Country Status (1)

Country Link
CN (1) CN118316632A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118984215A (en) * 2024-07-25 2024-11-19 北京邮电大学 Hierarchical key management method, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination