KR20170001633A - Tokenization-based encryption key managemnent sytem and method - Google Patents
- Publication number: KR20170001633A
- Application number: KR1020160078885A
- Authority: KR (South Korea)
- Prior art keywords: token, key, secret key, user terminal, secret
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
Abstract
Description
The present invention relates to a tokenization-based secret key management system and method.
As the importance of privacy has grown, the need to encrypt personal data has increased not only for large corporations but also for small businesses and small business owners. Encryption applies security measures using publicly known algorithms. When data is actually encrypted and stored, it is very important to manage the encryption key (secret key) securely. That is, even if the data is encrypted, an information leak can still occur through leakage of the key if the key used for encryption cannot be managed safely. For this reason, secure encryption requires introducing a cryptographic key management solution together with the encryption solution so that encryption keys are managed separately.
However, conventional data encryption and encryption key management solutions involve a user terminal, a certification authority, a registration authority, and a trusted authority. The certification authority generates the user's half secret key and registers it in a public directory; after the authority's half secret key is selected, a blind decryption request must be passed to the certification authority to acquire that half secret key, and the final secret key is then obtained from the certification authority's half secret key and the user's half secret key. As a result, the user terminal and the certification authority must process a large number of operations, and the structure is complicated. In addition, purchasing both a data encryption solution and a cryptographic key management solution is costly for small businesses and small business owners.
An object of an embodiment of the present invention is to provide a system and method for managing a secret key used for encrypting personal information using a tokenizing technique.
Embodiments of the present invention can also be used to achieve objects other than those mentioned above.
An embodiment of the present invention proposes a secret key management system connected to a user terminal through a wired or wireless communication network, comprising: a token generating unit that receives a secret key transmitted from the user terminal and generates a token corresponding to the received secret key; a first database that stores the received secret key and the generated token; and a secret key manager that receives a token transmitted from the user terminal, searches for the secret key corresponding to the received token, and transmits that secret key to the user terminal.
The system may further include a first encryption key generator that generates a first public key and a first private key and transmits the generated first public key to the user terminal, and the first database may further store the generated first public key, the first private key, and a second public key transmitted from the user terminal.
The token generating unit may include a first secret key receiving unit that receives the secret key transmitted from the user terminal and verifies the digital signature of the received secret key using the second public key, a first decrypting unit that decrypts the signature-verified secret key using the first private key, and a first token transmitting unit that generates a token corresponding to the decrypted secret key and transmits the token to the user terminal.
The first token transmitting unit may encrypt the generated token using the second public key, sign it using the first private key, and transmit the signed token to the user terminal.
The token generating unit may encrypt the received secret key through the first public key and store the encrypted secret key in the first database.
The secret key management unit may include a first token receiving unit that receives the token transmitted from the user terminal and verifies the digital signature of the received token using the second public key, a second decryption unit that decrypts the signature-verified token using the first private key, a secret key search unit that searches for the secret key corresponding to the decrypted token, and a unit that encrypts the retrieved secret key using the second public key, signs it using the first private key, and transmits it to the user terminal.
According to another aspect of the present invention, there is provided a secret key management method using a secret key management system connected to a user terminal through a wired or wireless communication network, the method including generating a first public key and a first private key, receiving and storing a second public key from the user terminal, receiving a secret key transmitted from the user terminal, and generating a token corresponding to the received secret key and transmitting the generated token to the user terminal.
Receiving the secret key may include verifying the digital signature of the received secret key using the second public key and decrypting the signature-verified secret key using the first public key.
The generating of the token may generate a token corresponding to the decrypted secret key, encrypt the generated token using the second public key, sign it using the first private key, and transmit the token to the user terminal.
The method may further include receiving a token transmitted from the user terminal, verifying the signature of the received token using the second public key, decrypting the signature-verified token using the first private key, searching for the secret key corresponding to the decrypted token, and transmitting that secret key to the user terminal.
The step of transmitting the secret key may encrypt the retrieved secret key using the second public key, sign it using the first private key, and transmit the encrypted secret key to the user terminal.
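The two flows summarized above (token generation, then secret key retrieval), as an added example that is not code from the patent or its applicant. It follows the system description in decrypting with the first private key. The names `KeyVault`, `seal`, `open_envelope` and `demo`, the OAEP padding, the SHA-256 signatures and the 16-byte random hex token are assumptions of this sketch; the page specifies only RSA.

```ruby
require "openssl"
require "securerandom"

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
Envelope = Struct.new(:ct, :sig) # RSA ciphertext plus a signature over it

# Encrypt for the recipient, then sign the ciphertext as the sender.
def seal(msg, to_pub, from_priv)
  ct = to_pub.public_encrypt(msg, OAEP)
  Envelope.new(ct, from_priv.sign(OpenSSL::Digest.new("SHA256"), ct))
end

# Verify the sender's signature first; decrypt only if it holds.
def open_envelope(env, from_pub, to_priv)
  ok = from_pub.verify(OpenSSL::Digest.new("SHA256"), env.sig, env.ct)
  raise OpenSSL::PKey::PKeyError, "signature check failed" unless ok
  to_priv.private_decrypt(env.ct, OAEP)
end

# Hypothetical model of the secret key management system: its own key pair
# (the first keys), the terminal's second public key, and the first database.
class KeyVault
  attr_reader :public_key

  def initialize(user_pub)
    @priv = OpenSSL::PKey::RSA.new(2048)
    @public_key = @priv.public_key
    @user_pub = user_pub
    @db = {} # token => secret key, held only as ciphertext under the first public key
  end

  # Token generation flow: check the submitted key, answer with a token.
  def tokenize(env)
    open_envelope(env, @user_pub, @priv) # rejects unsigned or undecryptable input
    token = SecureRandom.hex(16)         # random, so it reveals nothing about the key
    @db[token] = env.ct
    seal(token, @user_pub, @priv)
  end

  # Secret key transmission flow: check the token, return the key it maps to.
  def retrieve(env)
    token = open_envelope(env, @user_pub, @priv)
    stored = @db.fetch(token) { raise KeyError, "unknown token" }
    seal(@priv.private_decrypt(stored, OAEP), @user_pub, @priv)
  end
end

# Runs both flows with throwaway keys (constructed sample data) and returns
# [key round-trips?, token, request with corrupted signature refused?].
def demo
  user = OpenSSL::PKey::RSA.new(2048)    # terminal key pair (the second keys)
  vault = KeyVault.new(user.public_key)
  secret = SecureRandom.random_bytes(32) # the data-encryption key to protect
  reply = vault.tokenize(seal(secret, vault.public_key, user))
  token = open_envelope(reply, vault.public_key, user)
  request = seal(token, vault.public_key, user)
  got = open_envelope(vault.retrieve(request), vault.public_key, user)
  request.sig.setbyte(-1, request.sig.getbyte(-1) ^ 1) # flip one signature bit
  refused = begin
    vault.retrieve(request)
    false
  rescue OpenSSL::PKey::PKeyError
    true
  end
  [got == secret, token, refused]
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Nothing in these messages binds a request to a session or a time, so this sketch would accept a replayed token request; the summary on this page does not describe a freshness mechanism.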
According to one embodiment of the present invention, the secret key used for encryption can be securely protected, thereby preventing leakage of personal information. In addition, the data encryption and secret key management structure can be implemented easily, and a separate encryption and secret key management solution is not required, thereby reducing the cost of encryption and secret key management.
FIG. 1 shows a configuration of a secret key management system according to an embodiment of the present invention.
FIG. 2 shows a token generation method using the secret key management system of FIG. 1.
FIG. 3 illustrates a secret key transmission method using the secret key management system of FIG. 1.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art to which the present invention pertains can readily practice them. The present invention may be embodied in many different forms and is not limited to the embodiments described herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and the same reference numerals are used for the same or similar components throughout the specification. Detailed description of publicly known technologies is omitted.
In this specification, when a part is said to "include" an element, this means that it may further include other elements rather than excluding them, unless specifically stated otherwise. The terms "unit," "module," and the like used in the specification refer to a unit that processes at least one function or operation, which may be implemented in hardware, software, or a combination of hardware and software.
In this specification, 'encryption key' means a key used for data encryption and decryption. 'Public key' means a key made public for encrypting the 'secret key' based on the Rivest Shamir Adleman (RSA) algorithm, and 'private key' means a key for decrypting the 'secret key' based on the RSA algorithm.
In this specification, 'data' refers to personal information to be protected from leakage, and includes at least one of, for example, a resident registration number, a card number, financial transaction information, real estate transaction information, medical records and a criminal record.
FIG. 1 shows a configuration of a secret key management system according to an embodiment of the present invention.
The secret
The secret
The first cryptographic
The
The
The first secret
The
The first
The secret
The secret
The first
The
The secret
The
1 includes a secret
The secret
The second encryption
The
The
The
The
The secret
The second
The secret
The second
The second secret
The third decryption unit 253 decrypts the secret key (K user ) whose digital signature is verified by using the second private key (KR user ), and decrypts the data using the decrypted secret key (K user ).
FIG. 2 shows a token generation method using the secret key management system of FIG. 1.
First, the secret key used for data encryption is transmitted to the secret
Then, the secret
Thereafter, the
FIG. 3 illustrates a secret key transmission method using the secret key management system of FIG. 1.
First, the
Then, the secret
Then, the
The tokenization-based secret key management system according to an embodiment of the present invention manages the secret key required for data decryption separately, in the secret key management system, and provides it when a secret key request corresponding to a token is received from the user terminal. The user terminal therefore does not need to manage the secret key, which prevents leakage during data transmission and storage and improves management efficiency.
The tokenization-based secret key management system according to the embodiment of the present invention can be implemented with a simple structure and can reduce management cost, since the user terminal and the secret key management system have fewer operations to process than in a public key cryptosystem.
While the present invention has been particularly shown and described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but, on the contrary, It belongs to the scope.
100: secret key management system 110: first encryption key generation unit
120: first database 130: token generating unit
131: first secret key receiving unit 132: first decoding unit
133: first token transmission unit 140: secret key management unit
141: first token receiving unit 142: second token receiving unit
143: Private Key Retrieval Unit 144:
200: user terminal 210: secret key generation unit
220: second encryption key generation unit 230: second database
240: Token requesting unit 241: Data receiving unit
242: second encryption unit 243: secret key transmission unit
250: second token receiving unit 260: secret key request unit
261: second token transmitting unit 262: second secret key receiving unit
263: Third decoding unit
Claims (11)
A token generating unit for receiving the secret key transmitted from the user terminal and generating a token corresponding to the received secret key,
A first database for storing the received secret key and the generated token, and
A secret key manager for receiving a token transmitted from the user terminal and searching for a secret key corresponding to the received token to transmit to the user terminal,
Wherein the secret key management system comprises:
Further comprising a first cryptographic key generator for generating a first public key and a first private key and transmitting the generated first public key to the user terminal,
Wherein the first database further stores the generated first public key, the first private key, and the second public key transmitted from the first user terminal.
Wherein the token generation unit comprises:
A first secret key receiving unit for receiving the secret key transmitted from the user terminal and verifying the digital signature of the received secret key using the second public key,
A first decryption unit for decrypting the secret key whose digital signature is verified using the first private key,
And generating a token corresponding to the decrypted secret key and transmitting the token to the user terminal.
Wherein the first token transmission unit encrypts the generated token using the second public key, signs the first token using the first private key, and transmits the signed token to the user terminal.
Wherein the token generation unit encrypts the received secret key through the first public key and stores the encrypted secret key in the first database.
The secret key management unit,
A first token receiver for receiving the token transmitted from the user terminal and verifying the electronic signature of the received token using the second public key,
A second decryption unit for decrypting the digital signature verified token using the first private key,
A secret key search unit for searching for a secret key corresponding to the decrypted token,
Encrypts the searched private key using the second public key, signs the first private key using the first private key, and transmits the signed private key to the user terminal.
Generating a first public key and a first private key,
Receiving and storing a second public key from the user terminal,
Receiving a secret key transmitted from the user terminal, and
Generating a token corresponding to the received secret key and transmitting the generated token to the user terminal
The method comprising:
Wherein the receiving the secret key comprises:
Verifying the digital signature of the received secret key using the second public key, and
And decrypting the signature-verified secret key using the first public key.
Wherein the generating the token comprises:
Generating a token corresponding to the decrypted secret key, encrypting the generated token using the second public key, signing the first token using the first private key, and transmitting the token to the user terminal.
Receiving a token transmitted from the user terminal,
Verifying the signature of the received token using the second public key,
Decrypting the verified token using the first private key, and
Searching for a secret key corresponding to the decrypted token, and transmitting the secret key to the user terminal.
Wherein the transmitting the secret key comprises:
Encrypting the searched private key using the second public key, signing the private key using the first private key, and transmitting the signed private key to the user terminal.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150090624 | 2015-06-25 | ||
KR20150090624 | 2015-06-25 |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20170001633A true KR20170001633A (en) | 2017-01-04 |
Family
ID=57831614
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020160078885A KR20170001633A (en) | 2015-06-25 | 2016-06-23 | Tokenization-based encryption key managemnent sytem and method |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20170001633A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102311996B1 (en) * | 2020-04-02 | 2021-10-13 | 국민대학교산학협력단 | Device and method for anti-forensic unlocking for media files |
KR102319709B1 (en) * | 2020-04-27 | 2021-11-02 | 국민대학교산학협력단 | Anti-forensic unlocking device and method based on database encryption |
-
2016
- 2016-06-23 KR KR1020160078885A patent/KR20170001633A/en not_active Application Discontinuation
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11677729B2 (en) | Secure multi-party protocol | |
CN109495274B (en) | Decentralized intelligent lock electronic key distribution method and system | |
US8239679B2 (en) | Authentication method, client, server and system | |
JP5562687B2 (en) | Securing communications sent by a first user to a second user | |
EP1676281B1 (en) | Efficient management of cryptographic key generations | |
US8396218B2 (en) | Cryptographic module distribution system, apparatus, and program | |
US20060204003A1 (en) | Cryptographic communication system and method | |
CN111371790B (en) | Data encryption sending method based on alliance chain, related method, device and system | |
EP2879323A1 (en) | Method and distributed data processing system for managing access to data | |
US20220109661A1 (en) | System and method to improve user authentication for enhanced security of cryptographically protected communication sessions | |
CN113225302A (en) | Data sharing system and method based on proxy re-encryption | |
Sun et al. | A new design of wearable token system for mobile device security | |
KR20170001633A (en) | Tokenization-based encryption key managemnent sytem and method | |
KR20060078768A (en) | System and method for key recovery using distributed registration of private key | |
KR102025989B1 (en) | DATA MANAGEMENT SCHEME BASED ON PROXY RE-ENCRYPTION IN IoT LIGHTWEIGHT DEVICES AND SYSTEM | |
KR101793528B1 (en) | Certificateless public key encryption system and receiving terminal | |
CN116599771B (en) | Data hierarchical protection transmission method and device, storage medium and terminal | |
JP2005151004A (en) | Radio tag privacy protection method, radio tag device, security server, program for radio tag device, and program for security server | |
CN113162766B (en) | Key management method and system for key component | |
Reddy et al. | Data Storage on Cloud using Split-Merge and Hybrid Cryptographic Techniques | |
KP et al. | Sequential Computational Time-Released Encryption Technique Using Variable Time Delay | |
JP2007521525A (en) | System for authenticating and authorizing a party in a secure communication network | |
CN117294522A (en) | Block chain-based financial data sharing method, device, equipment and storage medium | |
WO2023110148A1 (en) | Secure data transmission | |
CN115766268A (en) | Processing method, device, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E601 | Decision to refuse application |