WO2019227557A1 - Key management method, device, storage medium and apparatus - Google Patents


Info

Publication number
WO2019227557A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
target
server
identifier
encryption
Prior art date
Application number
PCT/CN2018/092987
Other languages
French (fr)
Chinese (zh)
Inventor
易周成
Original Assignee
平安科技(深圳)有限公司
Priority date
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司
Publication of WO2019227557A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • the present application relates to the technical field of key management, and in particular, to a key management method, device, storage medium, and device.
  • in the prior art, the hardware and software of an encryption machine are purchased separately, which makes upgrades troublesome and algorithm updates troublesome.
  • key management is bloated and inconvenient to use; it is controlled by external vendors and has no means of security verification.
  • the first server and the second server need to exchange data.
  • an identity certification authority must first verify the identities of the first server and the second server and issue certificates once the audit passes; only when both servers have passed the audit can they communicate.
  • issuing and managing certificates involves a large amount of data management, which is inefficient, and keys are easily lost or stolen.
  • key management is a very large system, including key distribution, key storage, key invalidation and key validity periods, and there are situations in which a key is invalidated or its validity period expires, for example when the algorithm or the key validity period is updated.
  • if, when the validity period expires, the first server is notified but the second server is not,
  • then when the second server receives the ciphertext sent by the first server, it cannot decrypt it with the original key, because the original key has already been invalidated.
  • the first server and the second server must both be notified to update the encryption algorithm.
  • the process of updating the algorithm is exposed to a non-secure environment, so there is a risk of exposing the algorithm during the update; the cost and risk of updating the algorithm are therefore high.
  • the main purpose of this application is to provide a key management method, device, storage medium, and device, which are aimed at solving the technical problems of bloated key management and low security in the prior art.
  • the present application provides a key management method, which includes the following steps:
  • the key management device receives the plain text and the target key identifier sent by the first server;
  • decrypt the ciphertext according to the target decryption key to obtain a plaintext, and send the plaintext to the second server.
  • the present application also proposes a key management device.
  • the key management device includes a memory, a processor, and a key management program stored on the memory and operable on the processor.
  • the key management program is configured to implement the steps of the key management method as described above.
  • the present application also proposes a storage medium on which a key management program is stored.
  • when the key management program is executed by a processor, the steps of the key management method described above are implemented.
  • the present application also proposes a key management device, which includes a receiving module, a searching module, an encryption module, and a decryption module;
  • the receiving module is configured to receive a plain text and a target key identifier sent by the first server;
  • the search module is configured to search for a target encryption key corresponding to the target key identifier;
  • the encryption module is configured to encrypt the plaintext according to the target encryption key, obtain a ciphertext, and feed the ciphertext back to the first server, so that the first server sends the ciphertext and the target key identifier to a second server;
  • the receiving module is further configured to receive the ciphertext and the target key identifier sent by a second server;
  • the search module is further configured to search for a target decryption key corresponding to the target key identifier;
  • the decryption module is configured to decrypt the ciphertext according to the target decryption key, obtain a plaintext, and send the plaintext to the second server.
  • FIG. 1 is a schematic structural diagram of a key management device in a hardware operating environment according to a solution of an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of a first embodiment of a key management method of this application
  • FIG. 3 is a schematic flowchart of a second embodiment of a key management method of this application.
  • FIG. 4 is a schematic flowchart of a third embodiment of a key management method of this application.
  • FIG. 5 is a schematic flowchart of a fourth embodiment of a key management method of this application.
  • FIG. 6 is a structural block diagram of a first embodiment of a key management apparatus of the present application.
  • FIG. 1 is a schematic structural diagram of a key management device in a hardware operating environment according to a solution of an embodiment of the present application.
  • the key management device may include a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005.
  • the communication bus 1002 is configured to implement connection and communication between these components.
  • the user interface 1003 may include a display screen.
  • the optional user interface 1003 may further include a standard wired interface and a wireless interface.
  • the wired interface of the user interface 1003 may be a USB interface in this application.
  • the network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a Wi-Fi interface).
  • the memory 1005 may be a high-speed random access memory (RAM) or a non-volatile memory (NVM), such as disk storage.
  • the memory 1005 may optionally be a storage device independent of the foregoing processor 1001.
  • the structure shown in FIG. 1 does not constitute a limitation on the key management device, which may include more or fewer components than shown in the figure, combine certain components, or arrange the components differently.
  • the memory 1005 as a computer storage medium may include an operating system, a network communication module, a user interface module, and a key management program.
  • the network interface 1004 is mainly configured to connect to a background server and perform data communication with the background server;
  • the user interface 1003 is mainly configured to connect to a user device;
  • the processor 1001 calls the key management program stored in the memory 1005 and executes the key management method provided in the embodiments of the present application.
  • FIG. 2 is a schematic flowchart of a first embodiment of a key management method of the present application, and a first embodiment of a key management method of the present application is proposed.
  • the key management method includes the following steps:
  • Step S10: the key management device receives the plaintext and the target key identifier sent by the first server.
  • the execution subject of this embodiment is a key management device, where the key management device may be an electronic device such as a personal computer or a server.
  • the key management device is in a secure environment, and there are security measures such as a firewall to prevent key leakage and improve the security of key management.
  • the key management device stores the correspondence between key identifiers, encryption keys and decryption keys, so the target key identifier can be used to find the corresponding target encryption key with which to encrypt the plaintext.
  • the target encryption key corresponds to a unique target key identifier, and the key identifier sent by the first server may be randomly selected from a key identifier table.
  • the key management device stores a plurality of encryption keys, and sets a corresponding key identifier for each encryption key.
  • the key identifier may be a number or a letter; it numbers the encryption keys so that each encryption key can be managed and distinguished easily.
  • the key management device may store the key identifiers of all the encryption keys it holds as a key identifier table and, when the first server needs to encrypt a plaintext, send the key identifier table to the first server, so that the first server randomly selects a key identifier from the table as the target key identifier.
  • Step S20: find a target encryption key corresponding to the target key identifier.
  • the encryption key is stored in the key management device, and each encryption key corresponds to a key identifier, and the corresponding encryption key can be found in the key management device according to the key identifier.
  • Each encryption key in the key management device is randomly generated.
  • the encryption key may be an encryption key generated by a combination of one or more encryption algorithms.
  • the target encryption key may be a combination of one or more encryption algorithms.
  • the encryption algorithms listed include the Data Encryption Algorithm (DEA), the Advanced Encryption Standard (AES), RSA, base64, Message Digest Algorithm 5 (MD5), Secure Hash Algorithm 1 (SHA-1), combinations of mathematical operations, combinations of alphabetical operations, and so on.
  • the key management device may obtain multiple encryption keys by randomly combining one or more of these encryption algorithms.
  • Step S30: encrypt the plaintext according to the target encryption key to obtain a ciphertext, and feed the ciphertext back to the first server, so that the first server sends the ciphertext and the target key identifier to the second server.
  • the key management device stores the correspondence between a key identifier, an encryption key and a decryption key.
  • the target encryption key is any combination of one or more algorithms.
  • the target encryption key encrypts the plaintext, and because the key management device is in a secure environment, the encryption process is more secure. For example, if the plaintext is 5678, the target key identifier is 001, the corresponding target encryption key is (plaintext + 1234) * 2 and the target decryption key is ciphertext / 2 - 1234, then the ciphertext obtained is 13824; the ciphertext 13824 and the target key identifier 001 are returned to the first server, and the first server sends the ciphertext 13824 and the target key identifier 001 to the second server.
  • the amount of data sent by the first server to the second server may be large, but only part of it is plaintext that needs to be encrypted.
  • Step S40: receive the ciphertext and the target key identifier sent by the second server.
  • when the second server receives the ciphertext and the target key identifier sent by the first server, it sends the ciphertext and the target key identifier to the key management device, so that the key management device searches for the target decryption key corresponding to the target key identifier and decrypts the ciphertext.
  • Step S50: find a target decryption key corresponding to the target key identifier.
  • the key management device stores the correspondence between key identifiers, encryption keys and decryption keys, and extracts the target decryption key corresponding to the target key identifier from that correspondence.
  • Step S60: decrypt the ciphertext according to the target decryption key to obtain a plaintext, and send the plaintext to the second server.
  • the ciphertext is decrypted with the target decryption key that was found, and because the key management device is in a secure environment, the decryption process is more secure.
  • for example, the second server sends the ciphertext 13824 and the target key identifier 001 to the key management device; the key management device looks up the key identifier 001 in the stored correspondence and finds the target decryption key ciphertext / 2 - 1234, decrypts the ciphertext 13824 with it to obtain the plaintext 5678, and sends the decrypted plaintext 5678 to the second server, thereby implementing communication between the first server and the second server and improving the security of data encryption and decryption.
  • in this embodiment, the key management device receives the plaintext and the target key identifier sent by the first server, finds the target encryption key corresponding to the target key identifier, and encrypts the plaintext according to the target encryption key; because the key management device is usually in a secure environment, the security of encryption is improved.
  • the key management device feeds the ciphertext back to the first server, so that the first server sends the ciphertext and the target key identifier to the second server without transmitting any key, which reduces the risk of key leakage; it then receives the ciphertext and the target key identifier sent by the second server, finds the target decryption key corresponding to the target key identifier, decrypts the ciphertext according to the target decryption key to obtain the plaintext, and sends the plaintext to the second server.
  • the key management device decrypts the ciphertext, which improves the security of decryption.
  • FIG. 3 is a schematic flowchart of a second embodiment of the key management method of the present application. Based on the first embodiment shown in FIG. 2 above, a second embodiment of the key management method of the present application is proposed.
  • before step S10, the method further includes:
  • Step S01: receive the encryption requirement sent by the second server.
  • the encryption requirement may be that the second server requires the ciphertext to be in a certain format (such as visible characters or numbers), or, in order to mislead an observer, that the ciphertext look similar to the plaintext, for example when the plaintext is a string of numbers.
  • Step S02: find a target encryption key and the corresponding target key identifier according to the encryption requirement.
  • the encryption requirements of each server may be collected in advance, and a corresponding encryption key set according to the collected requirements of each server, so that the ciphertext obtained by encrypting a plaintext with that encryption key meets the encryption requirement.
  • Step S03: send the target key identifier to the first server.
  • the first server may then have the plaintext encrypted by sending the plaintext to be encrypted and the target key identifier to the key management device.
  • in this embodiment, the key management device receives the encryption requirement sent by the second server, finds a target encryption key and the corresponding target key identifier according to the encryption requirement, and sends the target key identifier to the first server, so that the first server can have the plaintext encrypted by sending the plaintext to be encrypted and the target key identifier to the key management device, obtaining a ciphertext that meets the encryption requirement of the second server.
  • FIG. 4 is a schematic flowchart of a third embodiment of the key management method of the present application. Based on the second embodiment shown in FIG. 3 described above, a third embodiment of the key management method of the present application is proposed.
  • step S02 includes:
  • Step S021: extract the target ciphertext type from the encryption requirement.
  • the encryption requirement may be to encrypt the plaintext into a series of numbers, characters, or a combination of numbers and characters; that is, the target ciphertext type includes a series of numbers, characters, or a combination of numbers and characters.
  • Step S022: find the target encryption key set corresponding to the target ciphertext type from a first preset mapping relationship table, which records the correspondence between ciphertext types and encryption key sets.
  • the encryption requirements of the second server may be collected in advance, and corresponding encryption keys set according to the collected requirements of the second server, so that the ciphertext obtained by encrypting the plaintext with those encryption keys meets the encryption requirements.
  • different encryption keys are set for different ciphertext types.
  • each key is given a corresponding key identifier; the multiple encryption keys that meet a given requirement are stored as an encryption key set, and the first preset mapping relationship table is established between each encryption key set and its ciphertext type, so the target encryption key set that meets the encryption requirement can be found from the first preset mapping relationship table.
  • Step S023: randomly select an encryption key from the target encryption key set as the target encryption key.
  • Step S024: find the target key identifier corresponding to the target encryption key.
  • each encryption key has a corresponding key identifier, so the target key identifier corresponding to the target encryption key can be found and sent to the first server, so that the first server can have the plaintext encrypted by sending the plaintext to be encrypted and the target key identifier to the key management device, obtaining a ciphertext that meets the encryption requirement.
  • the ciphertext needs to be decrypted by the corresponding target decryption key.
  • the target encryption key is a
  • the target decryption key is a series of reverse mathematical operations corresponding to the target encryption key.
  • the key management device stores multiple encryption keys and generally generates the corresponding decryption keys from the encryption keys. In order to find the corresponding encryption key and decryption key quickly through the key identifier, the correspondence between encryption key, decryption key and key identifier is established as a second preset mapping relationship table.
  • the target decryption key corresponding to the target key identifier can then be found quickly through the second preset mapping relationship table.
  • step S50 includes: finding the target decryption key corresponding to the target key identifier from the second preset mapping relationship table, which records the correspondence between key identifiers, encryption keys and decryption keys.
  • after step S60, the method further includes:
  • Step S70: receive a key update instruction sent by the first server, and extract the target key identifier from the key update instruction.
  • the key management device does not need to perform key distribution at the time of use; it distributes and uses keys directly within a secure environment, and can even use a different key for each transmission, which is suitable for confidential transmission between most systems.
  • the first server may send a key update instruction to the key management device to request a key update.
  • the key update instruction usually includes the target key identifier, and the key management device may update the key according to the instruction:
  • the original target encryption key can be found by extracting the target key identifier from the instruction, so that an encryption key different from the original target encryption key can be chosen as the new target encryption key.
  • Step S80: randomly select, from the encryption keys in the encryption key set other than the target encryption key corresponding to the target key identifier, an encryption key as the new target encryption key.
  • the encryption key set includes multiple encryption keys.
  • the target encryption key corresponding to the target key identifier is the encryption key originally used by the first server and the second server; it is excluded, and an encryption key is randomly taken from the remaining encryption keys as the new target encryption key, that is, the encryption key is updated.
  • Step S90: find the new target key identifier corresponding to the new target encryption key, and send the new target key identifier to the first server, so that the first server sends the plaintext and the new target key identifier to the key management device to have the plaintext encrypted.
  • the new target key identifier corresponding to the new target encryption key can be found from the second preset mapping relationship table and sent to the first server, so that the first server and the second server encrypt with the new target encryption key corresponding to the new target key identifier and decrypt with the new target decryption key corresponding to it.
  • the key management device then receives the plaintext and the new target key identifier sent by the first server; finds the new target encryption key corresponding to the new target key identifier; encrypts the plaintext according to the new target encryption key to obtain a ciphertext, and feeds the ciphertext back to the first server, so that the first server sends the ciphertext and the new target key identifier to the second server; receives the ciphertext and the new target key identifier sent by the second server; finds the new target decryption key corresponding to the new target key identifier; and decrypts the ciphertext according to the new target decryption key to obtain the plaintext, which it sends to the second server.
  • the key management device can update the stored encryption key at any time; since the key management device is in a secure environment with security measures such as a firewall that prevent the leakage of encryption keys and decryption keys, the security of updating the encryption key and the decryption key is improved.
  • the security of encryption is improved.
  • the first server and the second server may encrypt with the new target encryption key corresponding to the new key identifier and decrypt with the new target decryption key corresponding to the new key identifier; with the key update instruction sent by the first server, it is even possible to update the encryption key every time data is transmitted, thereby improving the security of updating the encryption key and the decryption key.
  • FIG. 5 is a schematic flowchart of a fourth embodiment of the key management method of the present application. Based on the first embodiment, the second embodiment, and the third embodiment, a fourth embodiment of the key management method of the present application is proposed. In this embodiment, the description will be based on the first embodiment.
  • before step S20, the method further includes:
  • Step S101: obtain a first device identifier of the first server, and determine according to the first device identifier whether the first server is a registered user of the key management device.
  • the first device identifier is an identifier set to identify the first server, and the first server corresponds to a unique first device identifier.
  • the key management device is in a secure environment; before encrypting the plaintext sent by the first server, it checks the identity of the first server to determine whether the first server is a registered user of the key management device, and if so, looks up the target encryption key corresponding to the target key identifier,
  • that is, step S20 is performed.
  • if the first server is a registered user of the key management device, the target encryption key corresponding to the target key identifier is looked up and the plaintext is encrypted according to the target encryption key that was found; if the first server is not a registered user of the key management device, the step of looking up the target encryption key corresponding to the target key identifier is not performed.
  • the key management device is in a secure environment and only encrypts its registered users, which further improves the security of key management.
  • before step S50, the method further includes:
  • Step S401: obtain a second device identifier of the second server, and determine according to the second device identifier whether the second server is a registered user of the key management device.
  • the second device identifier is an identifier set to identify the second server, and the second server corresponds to a unique second device identifier.
  • the key management device is in a secure environment; before decrypting the ciphertext sent by the second server, it checks the identity of the second server to determine whether the second server is a registered user of the key management device, and if so, looks up the target decryption key corresponding to the target key identifier,
  • that is, step S50 is performed.
  • if the second server is a registered user of the key management device, the target decryption key corresponding to the target key identifier is looked up and the ciphertext is decrypted according to the target decryption key that was found; if the second server is not a registered user of the key management device, the step of looking up the target decryption key corresponding to the target key identifier is not performed.
  • the key management device is in a secure environment and only decrypts its registered users, which further improves the security of key management.
  • in this embodiment, whether the first server is a registered user of the key management device is determined according to the first device identifier, and encryption is performed only for registered users, which further improves the security of key management;
  • whether the second server is a registered user of the key management device is determined according to the second device identifier, and decryption is performed only for registered users, which further improves the security of key management.
  • an embodiment of the present application further provides a storage medium, where a key management program is stored, and when the key management program is executed by a processor, implements the steps of the key management method described above.
  • the storage medium may be a non-volatile readable storage medium.
  • an embodiment of the present application further provides a key management apparatus.
  • the key management apparatus includes: a receiving module 10, a searching module 20, an encryption module 30, and a decryption module 40;
  • the receiving module 10 is configured to receive a plain text and a target key identifier sent by the first server;
  • the search module 20 is configured to search for a target encryption key corresponding to the target key identifier;
  • the encryption module 30 is configured to encrypt the plaintext according to the target encryption key, obtain a ciphertext, and feed the ciphertext back to the first server, so that the first server sends the ciphertext and the target key identifier to a second server;
  • the receiving module 10 is further configured to receive the ciphertext and the target key identifier sent by the second server;
  • the search module 20 is further configured to search for a target decryption key corresponding to the target key identifier;
  • the decryption module 40 is configured to decrypt the ciphertext according to the target decryption key, obtain a plaintext, and send the plaintext to the second server.
  • the methods of the embodiments can be implemented by software plus a necessary general-purpose hardware platform, or by hardware, but in many cases the former is the better implementation.
  • the technical solution of the present application, in essence or in the part that contributes to the existing technology, may take the form of a software product.
  • the computer software product is stored in a storage medium (such as a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk) and includes a number of instructions for causing a terminal device (which may be a mobile phone, computer, server, air conditioner, network device, etc.) to execute the methods described in the embodiments of this application.
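The flow the embodiments above describe (steps S10 to S60 with the page's worked numbers, requirement-driven key selection in steps S021 to S024, key update in steps S70 to S90, and the registered-user checks of steps S101 and S401), as an added example written for this page; it is not code from the patent or its assignee, and every class, function, table and device name in it is invented. The keys are the reversible arithmetic transforms the page itself uses (identifier 001 is the page's (plaintext + 1234) * 2), standing in for real keys. One caveat a practitioner will want: the algorithm list under step S20 mixes ciphers with base64 encoding and the MD5 and SHA-1 hash functions, and a hash function has no decryption key, so only invertible transforms can fill the decryption-key column of the second preset mapping table. The registered-user check does exactly what the page states: it compares the caller's device identifier against a registry before any key lookup.

```python
"""
Added illustration of the patent's key management device. Example code
written for this page, not the patent's or the assignee's. All names are
invented; the "keys" are reversible arithmetic transforms, as in the page's
own worked example, not real cipher keys.
"""
import random
import string

LETTERS = string.ascii_uppercase


def _to_letters(n):
    """Encode a non-negative integer as upper-case letters, base 26 (A=0 ... Z=25)."""
    out = ""
    while True:
        n, r = divmod(n, 26)
        out = LETTERS[r] + out
        if n == 0:
            return out


def _from_letters(s):
    """Inverse of _to_letters."""
    n = 0
    for ch in s:
        n = n * 26 + LETTERS.index(ch)
    return n


# Second preset mapping table (constructed): key identifier ->
# (ciphertext type, encryption key, decryption key). Identifier "001" is the
# page's worked example; the other entries are made up for this illustration.
KEY_TABLE = {
    "001": ("digits", lambda p: (p + 1234) * 2, lambda c: c // 2 - 1234),
    "002": ("digits", lambda p: p * 7 + 13, lambda c: (c - 13) // 7),
    "003": ("letters", lambda p: _to_letters(p + 100), lambda c: _from_letters(c) - 100),
    "004": ("letters", lambda p: _to_letters(p * 5), lambda c: _from_letters(c) // 5),
}

# First preset mapping table, derived from KEY_TABLE: ciphertext type ->
# set of key identifiers whose ciphertext has that type (the "encryption key set").
CIPHERTEXT_TYPE_TABLE = {}
for _key_id, (_ctype, _, _) in KEY_TABLE.items():
    CIPHERTEXT_TYPE_TABLE.setdefault(_ctype, set()).add(_key_id)

# Constructed registry of device identifiers the key management device accepts.
REGISTERED_DEVICES = {"first-server-01", "second-server-01"}


class KeyManagementDevice:
    """Holds the keys; the servers only ever see ciphertext and a key identifier."""

    def __init__(self, key_table=KEY_TABLE, type_table=CIPHERTEXT_TYPE_TABLE,
                 registered=REGISTERED_DEVICES, rng=random):
        self._keys = key_table
        self._types = type_table
        self._registered = registered
        self._rng = rng

    def key_id_for_requirement(self, ciphertext_type):
        """S021-S024: find the key set for the required ciphertext type in the first
        preset table, pick one key at random and return its identifier (S03)."""
        key_set = self._types[ciphertext_type]  # KeyError: unsupported requirement
        return self._rng.choice(sorted(key_set))

    def update_key_id(self, current_key_id):
        """S70-S90: choose a new key of the same ciphertext type, excluding the key
        currently in use, and return the new identifier for the first server."""
        ctype = self._keys[current_key_id][0]
        candidates = sorted(self._types[ctype] - {current_key_id})
        if not candidates:
            raise LookupError("no alternative key for type %r" % ctype)
        return self._rng.choice(candidates)

    def encrypt(self, device_id, plaintext, key_id):
        """S101 then S20/S30: only a registered first server gets a key lookup."""
        if device_id not in self._registered:
            return None
        return self._keys[key_id][1](plaintext)

    def decrypt(self, device_id, ciphertext, key_id):
        """S401 then S50/S60: only a registered second server gets a key lookup."""
        if device_id not in self._registered:
            return None
        return self._keys[key_id][2](ciphertext)


def meets_requirement(ciphertext, ciphertext_type):
    """Check the second server's requirement against an actual ciphertext."""
    text = str(ciphertext)
    return text.isdigit() if ciphertext_type == "digits" else text.isalpha()


def exchange(device, plaintext, key_id, sender="first-server-01", receiver="second-server-01"):
    """Full round trip for one message: first server has it encrypted, second server
    has it decrypted. Returns (ciphertext, recovered plaintext)."""
    ciphertext = device.encrypt(sender, plaintext, key_id)
    if ciphertext is None:
        return None, None
    return ciphertext, device.decrypt(receiver, ciphertext, key_id)


if __name__ == "__main__":
    kmd = KeyManagementDevice()
    print(exchange(kmd, 5678, "001"))          # the page's numbers: (13824, 5678)
    kid = kmd.key_id_for_requirement("letters")
    print(kid, exchange(kmd, 5678, kid))
    print("rotated to", kmd.update_key_id(kid))
```

Run it directly for a sample exchange. The message between the two servers carries only a ciphertext and an identifier, `update_key_id` never returns the identifier currently in use (step S80), and an unregistered device identifier is refused before any key is looked up (steps S101 and S401).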

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed by the present application are a key management method, device, storage medium and apparatus, the method comprising: a key management device receiving a plaintext and target key identifier that are sent by a first server; searching for a target encryption key corresponding to the target key identifier; encrypting the plaintext according to the target encryption key to obtain a ciphertext, and feeding back the ciphertext to the first server such that the first server sends the ciphertext and target key identifier to a second server; receiving the ciphertext and target key identifier that are sent by the second server; searching for a target decryption key corresponding to the target key identifier; decrypting the ciphertext according to the target decryption key to obtain a plaintext, and sending the plaintext to the second server.

Description

Key management method, device, storage medium and apparatus
This application claims priority to Chinese patent application No. 201810561050.5, filed with the Chinese Patent Office on June 1, 2018 and entitled "Key management method, device, storage medium and apparatus", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the technical field of key management, and in particular to a key management method, device, storage medium and apparatus.
Background
In the prior art, an encryption machine is purchased as separate hardware and software: upgrading it is cumbersome, updating its algorithms is cumbersome, key management is bloated and inconvenient to use, it is controlled by an external vendor, and there is no means of security verification. When a first server and a second server need to exchange data, an identity certification authority must first vet the identities of both servers and issue certificates once they pass the review; only when both servers have passed can they communicate. Issuing and managing certificates involves a large amount of data management, is inefficient, and keys are easily lost or stolen. Key management is a very large system covering key distribution, key storage, key invalidation, key validity periods and so on, and keys do get invalidated and validity periods do expire. For example, when an algorithm is updated or a key's validity period ends, if the first server is notified but the second server is not, then when the second server receives the ciphertext sent by the first server it cannot decrypt it with the original key, because that key has already been invalidated. Updating the encryption algorithm requires notifying both the first server and the second server, the update takes place in a non-secure environment, and there is a risk of exposing the algorithm during the update; updating the algorithm is therefore costly and risky.
The above content is provided only to assist in understanding the technical solution of the present application and does not constitute an admission that it is prior art.
Summary of the invention
The main purpose of the present application is to provide a key management method, device, storage medium and apparatus, aimed at solving the technical problem in the prior art that key management is bloated and not sufficiently secure.
To achieve the above purpose, the present application provides a key management method comprising the following steps:
a key management device receiving a plaintext and a target key identifier sent by a first server;
searching for a target encryption key corresponding to the target key identifier;
encrypting the plaintext according to the target encryption key to obtain a ciphertext, and feeding the ciphertext back to the first server, so that the first server sends the ciphertext and the target key identifier to a second server;
receiving the ciphertext and the target key identifier sent by the second server;
searching for a target decryption key corresponding to the target key identifier;
decrypting the ciphertext according to the target decryption key to obtain the plaintext, and sending the plaintext to the second server.
In addition, to achieve the above purpose, the present application further proposes a key management device. The key management device comprises a memory, a processor, and a key management program stored in the memory and executable on the processor, the key management program being configured to implement the steps of the key management method described above.
In addition, to achieve the above purpose, the present application further proposes a storage medium on which a key management program is stored; when the key management program is executed by a processor, the steps of the key management method described above are implemented.
In addition, to achieve the above purpose, the present application further proposes a key management apparatus comprising a receiving module, a searching module, an encryption module and a decryption module;
the receiving module is configured to receive a plaintext and a target key identifier sent by a first server;
the searching module is configured to search for a target encryption key corresponding to the target key identifier;
the encryption module is configured to encrypt the plaintext according to the target encryption key to obtain a ciphertext, and to feed the ciphertext back to the first server, so that the first server sends the ciphertext and the target key identifier to a second server;
the receiving module is further configured to receive the ciphertext and the target key identifier sent by the second server;
the searching module is further configured to search for a target decryption key corresponding to the target key identifier;
the decryption module is configured to decrypt the ciphertext according to the target decryption key to obtain the plaintext, and to send the plaintext to the second server.
Brief description of the drawings
FIG. 1 is a schematic structural diagram of the key management device in the hardware operating environment involved in the solution of the embodiments of the present application;
FIG. 2 is a schematic flowchart of a first embodiment of the key management method of the present application;
FIG. 3 is a schematic flowchart of a second embodiment of the key management method of the present application;
FIG. 4 is a schematic flowchart of a third embodiment of the key management method of the present application;
FIG. 5 is a schematic flowchart of a fourth embodiment of the key management method of the present application;
FIG. 6 is a structural block diagram of a first embodiment of the key management apparatus of the present application.
The realization of the purpose, the functional features and the advantages of the present application will be further described with reference to the embodiments and the accompanying drawings.
Detailed description
It should be understood that the specific embodiments described here are only intended to explain the present application and are not intended to limit it.
Referring to FIG. 1, FIG. 1 is a schematic structural diagram of the key management device in the hardware operating environment involved in the solution of the embodiments of the present application.
As shown in FIG. 1, the key management device may include: a processor 1001, for example a central processing unit (CPU); a communication bus 1002; a user interface 1003; a network interface 1004; and a memory 1005. The communication bus 1002 is configured to implement connection and communication between these components. The user interface 1003 may include a display; optionally, the user interface 1003 may further include a standard wired interface and a wireless interface, and in the present application the wired interface of the user interface 1003 may be a USB interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a Wireless Fidelity (Wi-Fi) interface). The memory 1005 may be high-speed random access memory (RAM) or non-volatile memory (NVM) such as disk storage. Optionally, the memory 1005 may also be a storage device independent of the aforementioned processor 1001.
Those skilled in the art can understand that the structure shown in FIG. 1 does not constitute a limitation of the key management device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in FIG. 1, the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module and a key management program.
In the key management device shown in FIG. 1, the network interface 1004 is mainly configured to connect to a backend server and exchange data with it; the user interface 1003 is mainly configured to connect to user equipment; and the key management device, through the processor 1001, calls the key management program stored in the memory 1005 and executes the key management method provided by the embodiments of the present application.
Based on the above hardware structure, embodiments of the key management method of the present application are proposed.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of a first embodiment of the key management method of the present application, and a first embodiment of the key management method of the present application is proposed.
In the first embodiment, the key management method includes the following steps:
Step S10: the key management device receives a plaintext and a target key identifier sent by a first server.
It should be understood that the execution subject of this embodiment is the key management device, which may be an electronic device such as a personal computer or a server. The key management device is located in a secure environment with security measures such as a firewall that prevent key leakage and improve the security of key management. The key management device stores the correspondence between key identifiers, encryption keys and decryption keys, so the target encryption key corresponding to the target key identifier can be looked up and used to encrypt the plaintext. Each target encryption key corresponds to a unique target key identifier, and the key identifier sent by the first server may be chosen arbitrarily from a key identifier table.
It should be noted that the key management device stores a plurality of encryption keys and assigns each of them a corresponding key identifier. The key identifier may be a number or a letter and serves to number the encryption keys so that they are easy to manage and tell apart. The key management device may store the key identifiers of all the encryption keys it holds as a key identifier table and, when the first server needs to encrypt a plaintext, send the key identifier table to the first server, so that the first server arbitrarily selects one key identifier from the table as the target key identifier.
Step S20: search for a target encryption key corresponding to the target key identifier.
It can be understood that the key management device stores a plurality of encryption keys, each corresponding to one key identifier, so the corresponding encryption key can be looked up in the key management device by key identifier. Each encryption key in the key management device is randomly generated; specifically, it may be an encryption key generated by a combination of one or more encryption algorithms. That is, the target encryption key may be composed of one or more encryption algorithms, where the encryption algorithms include the Data Encryption Algorithm (DEA), the Advanced Encryption Standard (AES), the RSA algorithm, the Base64 algorithm, Message Digest Algorithm 5 (MD5), the Secure Hash Algorithm (SHA-1), combinations of mathematical operations, combinations of letter operations, and so on. The key management device may obtain a plurality of encryption keys by randomly combining one or any several of these algorithms.
Step S30: encrypt the plaintext according to the target encryption key to obtain a ciphertext, and feed the ciphertext back to the first server, so that the first server sends the ciphertext and the target key identifier to a second server.
It should be noted that the key management device stores the correspondence between key identifiers, encryption keys and decryption keys. The target encryption key is any combination of one or more algorithms, the plaintext is encrypted with the target encryption key, and because the key management device is in a secure environment the encryption process is more secure. For example, if the plaintext is 5678, the target key identifier is 001, the corresponding target encryption key is (plaintext + 1234) * 2 and the target decryption key is ciphertext / 2 - 1234, then the ciphertext obtained is 13824; the ciphertext 13824 and the target key identifier 001 are sent to the first server, and the first server sends the ciphertext 13824 and the target key identifier 001 to the second server. Usually the volume of data the first server sends to the second server is large, but only part of it is plaintext that needs to be encrypted.
Step S40: receive the ciphertext and the target key identifier sent by the second server.
In a specific implementation, when the second server receives the ciphertext and the target key identifier sent by the first server, it sends the ciphertext and the target key identifier to the key management device, so that the key management device looks up the target decryption key corresponding to the target key identifier and decrypts the ciphertext.
Step S50: search for a target decryption key corresponding to the target key identifier.
It should be understood that the key management device stores the correspondence between each key identifier and its encryption key and decryption key, and the target decryption key corresponding to the target key identifier is extracted from this correspondence.
Step S60: decrypt the ciphertext according to the target decryption key to obtain the plaintext, and send the plaintext to the second server.
It can be understood that the ciphertext is decrypted with the target decryption key that was found, and because the key management device is in a secure environment the decryption process is more secure. For example, the second server sends the ciphertext 13824 and the target key identifier 001 to the key management device; the key management device looks up, in the stored correspondence, the target decryption key corresponding to key identifier 001, namely ciphertext / 2 - 1234, decrypts the ciphertext 13824 with it to obtain the plaintext 5678, and sends the decrypted plaintext 5678 to the second server. Communication between the first server and the second server is thereby achieved, and the security of data encryption and decryption is improved.
In the first embodiment, the key management device receives the plaintext and the target key identifier sent by the first server, looks up the target encryption key corresponding to the target key identifier, and encrypts the plaintext with the target encryption key to obtain the ciphertext. Because the plaintext is encrypted by the key management device, which is normally located in a secure environment, the security of encryption is improved. The ciphertext is fed back to the first server so that the first server sends the ciphertext and the target key identifier to the second server; no key needs to be transmitted, which reduces the risk of key leakage. The key management device then receives the ciphertext and the target key identifier sent by the second server, looks up the target decryption key corresponding to the target key identifier, decrypts the ciphertext with it to obtain the plaintext, and sends the plaintext to the second server. Decrypting the ciphertext in the key management device improves the security of decryption, and since the first server and the second server do not need to store keys, the risk of keys being stolen from storage is reduced.
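The first embodiment (steps S10 to S60) as a runnable model, added here as an illustration and not code from the patent or its applicant. The patent leaves the cipher open and illustrates it with arithmetic; this example assumes AES-256-GCM, under which a single key serves as both the encryption key and the decryption key, and it additionally binds the key identifier to the ciphertext as associated data so that a ciphertext later presented with a different identifier is rejected rather than decrypted to garbage. The type and function names (KeyManagementDevice, Exchange, the "001"-style identifiers) and the sample plaintext are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
)

// KeyManagementDevice holds the stored correspondence between key identifiers
// and keys. With AES-GCM (an assumption of this example) the encryption key and
// decryption key for an identifier are the same 32-byte key. The first and
// second server only ever see identifiers, never key material.
type KeyManagementDevice struct {
	keys map[string][]byte // key identifier -> AES-256 key
}

// NewDevice generates n random keys and numbers them "001", "002", ...
func NewDevice(n int) (*KeyManagementDevice, error) {
	d := &KeyManagementDevice{keys: make(map[string][]byte, n)}
	for i := 1; i <= n; i++ {
		k := make([]byte, 32)
		if _, err := rand.Read(k); err != nil {
			return nil, err
		}
		d.keys[fmt.Sprintf("%03d", i)] = k
	}
	return d, nil
}

// KeyIdentifierTable is what the device hands the first server so it can pick
// a target key identifier (step S10). It contains identifiers only.
func (d *KeyManagementDevice) KeyIdentifierTable() []string {
	ids := make([]string, 0, len(d.keys))
	for id := range d.keys {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// aead looks up the key for an identifier (steps S20 and S50).
func (d *KeyManagementDevice) aead(keyID string) (cipher.AEAD, error) {
	k, ok := d.keys[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key identifier %q", keyID)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is step S30 as seen from the first server: plaintext plus identifier
// in, ciphertext (nonce || sealed data) out. The identifier is bound as
// associated data.
func (d *KeyManagementDevice) Encrypt(keyID string, plaintext []byte) ([]byte, error) {
	g, err := d.aead(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(keyID)), nil
}

// Decrypt is step S60 as seen from the second server. Tampering or a wrong
// identifier makes Open fail instead of returning a bogus plaintext.
func (d *KeyManagementDevice) Decrypt(keyID string, ciphertext []byte) ([]byte, error) {
	g, err := d.aead(keyID)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := ciphertext[:g.NonceSize()], ciphertext[g.NonceSize():]
	return g.Open(nil, nonce, sealed, []byte(keyID))
}

// Exchange runs the whole flow: the first server has the device encrypt, passes
// (ciphertext, identifier) to the second server, which has the device decrypt.
// No key leaves the device at any point.
func Exchange(d *KeyManagementDevice, keyID string, plaintext []byte) ([]byte, error) {
	ciphertext, err := d.Encrypt(keyID, plaintext) // first server -> device -> first server
	if err != nil {
		return nil, err
	}
	return d.Decrypt(keyID, ciphertext) // second server -> device -> second server
}

func main() {
	d, err := NewDevice(3)
	if err != nil {
		panic(err)
	}
	ids := d.KeyIdentifierTable()
	out, err := Exchange(d, ids[0], []byte("5678")) // constructed sample plaintext
	fmt.Printf("identifiers %v, second server received %q, err %v\n", ids, out, err)
}
```

The servers only ever hold identifiers and ciphertext, which is the patent's point about not transmitting or storing keys; the associated-data binding is what makes "ciphertext plus identifier" self-checking at the device.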
Referring to FIG. 3, FIG. 3 is a schematic flowchart of a second embodiment of the key management method of the present application. Based on the first embodiment shown in FIG. 2, a second embodiment of the key management method of the present application is proposed.
In the second embodiment, before step S10 the method includes:
Step S01: receive an encryption requirement sent by the second server.
It can be understood that, usually to meet special needs, the encryption requirement may be that the second server requires the ciphertext to be in a certain format (such as printable characters or digits), or, to mislead an observer, that the ciphertext look similar to the plaintext. For example, if the plaintext is a string of digits, the encryption key can be set to a series of mathematical operations so that the ciphertext obtained with that key is a string of digits of the same length as the plaintext; if the ciphertext is maliciously intercepted, the interceptor mistakes the ciphertext for plaintext.
Step S02: search for a target encryption key and the corresponding target key identifier according to the encryption requirement.
It should be understood that, to improve encryption efficiency, the encryption requirements of each server may be collected in advance and corresponding encryption keys set according to them, so that the ciphertext obtained by encrypting the plaintext with such a key meets the encryption requirement. Usually several encryption keys may satisfy one encryption requirement; each of them is assigned a corresponding key identifier, the several qualifying encryption keys may be stored as an encryption key set, and a correspondence is established between the encryption key set and the encryption requirement. The target encryption key meeting the encryption requirement, and its corresponding target key identifier, can then be found from this correspondence.
Step S03: send the target key identifier to the first server.
It should be noted that, so that the ciphertext obtained by encrypting the first server's plaintext in the key management device meets the second server's encryption requirement, the key identifier corresponding to an encryption key that meets the encryption requirement is sent to the first server. The first server can then have the plaintext encrypted by sending the plaintext to be encrypted and the target key identifier to the key management device.
In the second embodiment, the key management device receives the encryption requirement sent by the second server, looks up the target encryption key and the corresponding target key identifier according to the encryption requirement, and sends the target key identifier to the first server, so that the first server can have its plaintext encrypted by sending the plaintext and the target key identifier to the key management device and obtain a ciphertext that meets the second server's encryption requirement.
Referring to FIG. 4, FIG. 4 is a schematic flowchart of a third embodiment of the key management method of the present application. Based on the second embodiment shown in FIG. 3, a third embodiment of the key management method of the present application is proposed.
In the third embodiment, step S02 includes:
Step S021: extract a target ciphertext type from the encryption requirement.
It should be understood that the encryption requirement may be to encrypt the plaintext into a string of digits, a string of characters, a combination of digits and characters, and so on; that is, the target ciphertext types include a string of digits, a string of characters, a combination of digits and characters, and so on.
Step S022: search a first preset mapping table for a target encryption key set corresponding to the target ciphertext type, the first preset mapping table containing the correspondence between ciphertext types and encryption key sets.
It should be noted that, to improve the encryption efficiency of the key management device, the encryption requirements of the second server may be collected in advance and corresponding encryption keys set according to them, so that the ciphertext obtained by encrypting the plaintext with such a key meets the encryption requirement. Using the ciphertext type extracted from the encryption requirement, different encryption keys are set for different ciphertext types. Usually several encryption keys may satisfy one ciphertext type; each is assigned a corresponding key identifier, the several qualifying encryption keys may be stored as an encryption key set, and the correspondence between encryption key sets and ciphertext types is built into a first preset mapping table. The target encryption key set meeting the encryption requirement can then be found from the first preset mapping table.
Step S023: randomly select one encryption key from the target encryption key set as the target encryption key.
In a specific implementation, since every encryption key in the target encryption key set meets the encryption requirement, randomly selecting one encryption key from the target encryption key set satisfies the encryption requirement.
Step S024: search for the target key identifier corresponding to the target encryption key.
It can be understood that each encryption key is assigned a corresponding key identifier, so the target key identifier corresponding to the target encryption key can be looked up and sent to the first server, so that the first server can have its plaintext encrypted by sending the plaintext and the target key identifier to the key management device and obtain a ciphertext that meets the encryption requirement.
It should be noted that after the plaintext has been encrypted into the ciphertext with the target encryption key, the ciphertext needs to be decrypted with the corresponding target decryption key; for example, if the target encryption key is a series of mathematical operations, the target decryption key is the corresponding series of inverse mathematical operations. The key management device stores a plurality of encryption keys and usually generates the corresponding decryption key from each encryption key. To quickly find the encryption key and decryption key corresponding to a key identifier, the correspondence between encryption keys, decryption keys and key identifiers is built into a second preset mapping table, through which the target decryption key corresponding to the target key identifier can be found quickly. In this embodiment, step S50 includes: searching the second preset mapping table for the target decryption key corresponding to the target key identifier, the second preset mapping table containing the correspondence between key identifiers, encryption keys and decryption keys.
In the third embodiment, after step S60 the method further includes:
Step S70: receive a key update instruction sent by the first server, and extract a target key identifier from the key update instruction.
It should be understood that the key management device does not need to distribute keys at the time of use; keys are allocated and used directly within the secure environment, even a different key for each transmission, which suits confidential transmission between most systems. The first server may send a key update instruction to the key management device to update the key. The key update instruction usually includes a target key identifier; from the target key identifier extracted from the key update instruction the key management device can find the original target encryption key, and then find an encryption key different from the original target encryption key to serve as the new target encryption key.
Step S80: randomly select, from the encryption keys in the encryption key set other than the target encryption key corresponding to the target key identifier, one encryption key as the new target encryption key.
It can be understood that the encryption key set contains a plurality of encryption keys, and the target encryption key corresponding to the target key identifier is the one the first server and the second server were originally using; it is excluded, and one encryption key is chosen at random from the remaining encryption keys as the new target encryption key, which achieves the update of the encryption key.
Step S90: search for the new target key identifier corresponding to the new target encryption key, and send the new target key identifier to the first server, so that the first server sends the plaintext and the new target key identifier to the key management device to have the plaintext encrypted.
It should be noted that once the new target encryption key is obtained, the new target key identifier corresponding to it can be found in the second preset mapping relationship, and the new target key identifier is sent to the first server, so that the first server and the second server can encrypt with the new target encryption key corresponding to the new key identifier and decrypt with the new target decryption key corresponding to the new key identifier. Sending the new target key identifier to the first server so that the first server sends the plaintext and the new target key identifier to the key management device for encryption of the plaintext specifically comprises: the key management device receives the plaintext and the new target key identifier sent by the first server; finds the new target encryption key corresponding to the new target key identifier; encrypts the plaintext according to the new target encryption key to obtain a ciphertext, and returns the ciphertext to the first server, so that the first server sends the ciphertext and the new target key identifier to the second server; receives the ciphertext and the new target key identifier sent by the second server; finds the new target decryption key corresponding to the new target key identifier; and decrypts the ciphertext according to the new target decryption key to obtain the plaintext, and sends the plaintext to the second server. The key management device can update the encryption keys it stores at any time. Because the key management device is in a secure environment, with security measures such as a firewall that prevent the leakage of encryption keys and decryption keys, the security of updating encryption keys and decryption keys is improved.
In this embodiment, since the target encryption key is randomly selected from the target encryption key set, the security of encryption is improved. The first server and the second server can encrypt with the new target encryption key corresponding to the new key identifier and decrypt with the new target decryption key corresponding to the new key identifier; through the key update instruction sent by the first server, the encryption key can even be updated every time data is transmitted, which improves the security of updating the encryption key and the decryption key.
Referring to FIG. 5, FIG. 5 is a schematic flowchart of a fourth embodiment of the key management method of the present application. The fourth embodiment of the key management method is proposed on the basis of the first, second and third embodiments; in this embodiment, the description is based on the first embodiment.
In the fourth embodiment, before step S20, the method further includes:
Step S101: obtain a first device identifier of the first server, and determine according to the first device identifier whether the first server is a registered user of the key management device.
It can be understood that the first device identifier is an identifier set to identify the first server, and each first server corresponds to a unique first device identifier. The key management device is in a secure environment; before encrypting the plaintext sent by the first server, it must also verify the identity of the first server by determining whether the first server is a registered user of the key management device. If the first server is a registered user of the key management device, the target encryption key corresponding to the target key identifier is looked up.
If so, step S20 is performed.
It should be understood that if the first server is a registered user of the key management device, the target encryption key corresponding to the target key identifier is looked up and the plaintext is encrypted with the target encryption key that was found; if the first server is not a registered user of the key management device, the step of looking up the target encryption key corresponding to the target key identifier is not performed. The key management device is in a secure environment and encrypts only for its registered users, which further improves the security of key management.
In the fourth embodiment, before step S50, the method further includes:
Step S401: obtain a second device identifier of the second server, and determine according to the second device identifier whether the second server is a registered user of the key management device.
It should be noted that the second device identifier is an identifier set to identify the second server, and each second server corresponds to a unique second device identifier. The key management device is in a secure environment; before decrypting the ciphertext sent by the second server, it must also verify the identity of the second server by determining whether the second server is a registered user of the key management device. If the second server is a registered user of the key management device, the target decryption key corresponding to the target key identifier is looked up.
If so, step S50 is performed.
In a specific implementation, if the second server is a registered user of the key management device, the target decryption key corresponding to the target key identifier is looked up and the ciphertext is decrypted with the target decryption key that was found; if the second server is not a registered user of the key management device, the step of looking up the target decryption key corresponding to the target key identifier is not performed. The key management device is in a secure environment and decrypts only for its registered users, which further improves the security of key management.
In this embodiment, whether the first server is a registered user of the key management device is determined according to the first device identifier, and encryption is performed only for registered users, which further improves the security of key management; the second device identifier of the second server is obtained, whether the second server is a registered user of the key management device is determined according to the second device identifier, and decryption is performed only for registered users, which further improves the security of key management.
In addition, an embodiment of the present application further provides a storage medium on which a key management program is stored; when the key management program is executed by a processor, the steps of the key management method described above are implemented. The storage medium may be a non-volatile readable storage medium.
In addition, referring to FIG. 6, an embodiment of the present application further provides a key management apparatus. The key management apparatus includes: a receiving module 10, a lookup module 20, an encryption module 30 and a decryption module 40;
the receiving module 10 is configured to receive a plaintext and a target key identifier sent by a first server;
the lookup module 20 is configured to look up a target encryption key corresponding to the target key identifier;
the encryption module 30 is configured to encrypt the plaintext according to the target encryption key to obtain a ciphertext, and to return the ciphertext to the first server, so that the first server sends the ciphertext and the target key identifier to a second server;
the receiving module 10 is further configured to receive the ciphertext and the target key identifier sent by the second server;
the lookup module 20 is further configured to look up a target decryption key corresponding to the target key identifier;
the decryption module 40 is configured to decrypt the ciphertext according to the target decryption key to obtain the plaintext, and to send the plaintext to the second server.
For other embodiments or specific implementations of the key management apparatus described in this application, reference may be made to the foregoing method embodiments, and details are not repeated here.
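As an added example (not the patent's or the applicant's code), the following Python model covers the method and apparatus embodiments above: the two preset mapping tables, the registered-user check of steps S101 and S401, encryption and decryption addressed only by key identifier, and the key update of steps S80 and S90 that excludes the key currently in use. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, a standard-library stand-in assumed here in place of the encryption machine's real cipher; the table contents, ciphertext type name and server identifiers are constructed sample data.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

NONCE_LEN = 16
TAG_LEN = 32


@dataclass(frozen=True)
class KeyRecord:
    """One row of the second preset mapping table: key identifier, encryption key, decryption key."""
    key_id: str
    enc_key: bytes
    dec_key: bytes


class NotRegistered(Exception):
    """The calling server's device identifier is not a registered user of the device."""


class UnknownKeyId(Exception):
    """The key identifier has no row in the mapping table."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 used as a PRF: a stdlib-only stand-in
    # (an assumption of this example) for the block cipher a real encryption machine uses.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, b"ks" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; layout is nonce || body || tag so the receiver verifies before decrypting.
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _open(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison of the tag
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class KeyManagementDevice:
    """Keys never leave the device; the two servers only ever exchange key identifiers."""

    def __init__(self, key_sets: dict[str, list[KeyRecord]], registered: set[str]):
        self._key_sets = key_sets                                            # first preset table
        self._by_id = {r.key_id: r for rs in key_sets.values() for r in rs}  # second preset table
        self._type_of = {r.key_id: t for t, rs in key_sets.items() for r in rs}
        self._registered = set(registered)                                   # registered users

    def _require_registered(self, device_id: str) -> None:
        if device_id not in self._registered:  # steps S101 / S401: refuse unregistered servers
            raise NotRegistered(device_id)

    def _record(self, key_id: str) -> KeyRecord:
        if key_id not in self._by_id:
            raise UnknownKeyId(key_id)
        return self._by_id[key_id]

    def issue_key_id(self, device_id: str, cipher_type: str) -> str:
        """Encryption request (claims 2-3): random key of the requested type; only its id leaves."""
        self._require_registered(device_id)
        return secrets.choice(self._key_sets[cipher_type]).key_id

    def encrypt(self, device_id: str, plaintext: bytes, key_id: str) -> bytes:
        """First server sends plaintext + key id; step S20 looks the key up, then encrypt."""
        self._require_registered(device_id)
        return _seal(self._record(key_id).enc_key, plaintext)

    def decrypt(self, device_id: str, ciphertext: bytes, key_id: str) -> bytes:
        """Second server sends ciphertext + key id; step S50 looks the key up, then decrypt."""
        self._require_registered(device_id)
        return _open(self._record(key_id).dec_key, ciphertext)

    def rotate(self, device_id: str, key_id: str) -> str:
        """Key update instruction (steps S80-S90): a different key from the same set."""
        self._require_registered(device_id)
        current = self._record(key_id)
        candidates = [r for r in self._key_sets[self._type_of[key_id]] if r.key_id != current.key_id]
        if not candidates:
            raise ValueError("key set has no alternative key to rotate to")
        return secrets.choice(candidates).key_id


def build_demo_device() -> KeyManagementDevice:
    """Constructed sample tables (not from the patent): one ciphertext type, three symmetric keys."""
    records = []
    for i in (1, 2, 3):
        k = hashlib.sha256(f"demo-key-{i}".encode()).digest()
        records.append(KeyRecord(f"k{i}", k, k))  # symmetric: decryption key equals encryption key
    return KeyManagementDevice({"typeA": records}, {"server-1", "server-2"})
```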
It should be noted that in this document the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or system. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or system that includes the element.
The serial numbers of the above embodiments of the present application are for description only and do not represent the superiority or inferiority of the embodiments.
From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as a read-only memory image (ROM)/random access memory (RAM), magnetic disk or optical disc) and includes a number of instructions for causing a terminal device (which may be a mobile phone, computer, server, air conditioner, network device, etc.) to execute the methods described in the embodiments of the present application.
The above are only preferred embodiments of the present application and do not therefore limit its patent scope. Any equivalent structure or equivalent process transformation made using the contents of the description and drawings of the present application, or direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present application.

Claims (20)

  1. A key management method, wherein the key management method includes the following steps:
    the key management device receives a plaintext and a target key identifier sent by a first server;
    looks up a target encryption key corresponding to the target key identifier;
    encrypts the plaintext according to the target encryption key to obtain a ciphertext, and returns the ciphertext to the first server, so that the first server sends the ciphertext and the target key identifier to a second server;
    receives the ciphertext and the target key identifier sent by the second server;
    looks up a target decryption key corresponding to the target key identifier;
    decrypts the ciphertext according to the target decryption key to obtain the plaintext, and sends the plaintext to the second server.
  2. The key management method according to claim 1, wherein before the key management device receives the plaintext and the key identifier sent by the first server, the key management method further includes:
    receiving an encryption request sent by the second server;
    looking up a target encryption key and a corresponding target key identifier according to the encryption request;
    sending the target key identifier to the first server.
  3. The key management method according to claim 2, wherein looking up the target encryption key and the corresponding target key identifier according to the encryption request includes:
    extracting a target ciphertext type from the encryption request;
    looking up, in a first preset mapping relationship table, a target encryption key set corresponding to the target ciphertext type, the first preset mapping relationship table including the correspondence between ciphertext types and encryption key sets;
    randomly selecting one encryption key from the target encryption key set as the target encryption key;
    looking up the target key identifier corresponding to the target encryption key.
  4. The key management method according to claim 3, wherein after decrypting the ciphertext according to the target decryption key to obtain the plaintext and sending the plaintext to the second server, the key management method further includes:
    receiving a key update instruction sent by the first server, and extracting a target key identifier from the key update instruction;
    randomly selecting, from the encryption keys in the encryption key set other than the target encryption key corresponding to the target key identifier, one encryption key as a new target encryption key;
    looking up a new target key identifier corresponding to the new target encryption key, and sending the new target key identifier to the first server, so that the first server sends the plaintext and the new target key identifier to the key management device for encryption of the plaintext.
  5. The key management method according to claim 4, wherein before looking up the target encryption key corresponding to the target key identifier, the key management method further includes:
    obtaining a first device identifier of the first server, and determining according to the first device identifier whether the first server is a registered user of the key management device;
    if so, performing the step of looking up the target encryption key corresponding to the target key identifier.
  6. The key management method according to claim 5, wherein before looking up the target decryption key corresponding to the target key identifier, the key management method further includes:
    obtaining a second device identifier of the second server, and determining according to the second device identifier whether the second server is a registered user of the key management device;
    if so, performing the step of looking up the target decryption key corresponding to the target key identifier.
  7. The key management method according to claim 4, wherein looking up the target decryption key corresponding to the target key identifier includes:
    looking up, in the second preset mapping relationship table, the target decryption key corresponding to the target key identifier, the second preset mapping relationship table including the correspondence among key identifiers, encryption keys and decryption keys.
  8. A key management device, wherein the key management device includes: a memory, a processor, and a key management program stored in the memory and runnable on the processor, the key management program being configured to implement the following steps:
    the key management device receives a plaintext and a target key identifier sent by a first server;
    looks up a target encryption key corresponding to the target key identifier;
    encrypts the plaintext according to the target encryption key to obtain a ciphertext, and returns the ciphertext to the first server, so that the first server sends the ciphertext and the target key identifier to a second server;
    receives the ciphertext and the target key identifier sent by the second server;
    looks up a target decryption key corresponding to the target key identifier;
    decrypts the ciphertext according to the target decryption key to obtain the plaintext, and sends the plaintext to the second server.
  9. The key management device according to claim 8, wherein the key management program is configured to implement the following steps:
    receiving an encryption request sent by the second server;
    looking up a target encryption key and a corresponding target key identifier according to the encryption request;
    sending the target key identifier to the first server.
  10. The key management device according to claim 9, wherein the key management program is configured to implement the following steps:
    extracting a target ciphertext type from the encryption request;
    looking up, in a first preset mapping relationship table, a target encryption key set corresponding to the target ciphertext type, the first preset mapping relationship table including the correspondence between ciphertext types and encryption key sets;
    randomly selecting one encryption key from the target encryption key set as the target encryption key;
    looking up the target key identifier corresponding to the target encryption key.
  11. The key management device according to claim 10, wherein the key management program is configured to implement the following steps:
    receiving a key update instruction sent by the first server, and extracting a target key identifier from the key update instruction;
    randomly selecting, from the encryption keys in the encryption key set other than the target encryption key corresponding to the target key identifier, one encryption key as a new target encryption key;
    looking up a new target key identifier corresponding to the new target encryption key, and sending the new target key identifier to the first server, so that the first server sends the plaintext and the new target key identifier to the key management device for encryption of the plaintext.
  12. The key management device according to claim 11, wherein the key management program is configured to implement the following steps:
    obtaining a first device identifier of the first server, and determining according to the first device identifier whether the first server is a registered user of the key management device;
    if so, performing the step of looking up the target encryption key corresponding to the target key identifier.
  13. The key management device according to claim 12, wherein the key management program is configured to implement the following steps:
    obtaining a second device identifier of the second server, and determining according to the second device identifier whether the second server is a registered user of the key management device;
    if so, performing the step of looking up the target decryption key corresponding to the target key identifier.
  14. A storage medium, wherein a key management program is stored on the storage medium, and when the key management program is executed by a processor, the following steps are implemented:
    the key management device receives a plaintext and a target key identifier sent by a first server;
    looks up a target encryption key corresponding to the target key identifier;
    encrypts the plaintext according to the target encryption key to obtain a ciphertext, and returns the ciphertext to the first server, so that the first server sends the ciphertext and the target key identifier to a second server;
    receives the ciphertext and the target key identifier sent by the second server;
    looks up a target decryption key corresponding to the target key identifier;
    decrypts the ciphertext according to the target decryption key to obtain the plaintext, and sends the plaintext to the second server.
  15. The storage medium according to claim 14, wherein when the key management program is executed by the processor, the following steps are implemented:
    receiving an encryption request sent by the second server;
    looking up a target encryption key and a corresponding target key identifier according to the encryption request;
    sending the target key identifier to the first server.
  16. The storage medium according to claim 15, wherein a key management program is stored on the storage medium, and when the key management program is executed by the processor, the following steps are implemented:
    extracting a target ciphertext type from the encryption request;
    looking up, in a first preset mapping relationship table, a target encryption key set corresponding to the target ciphertext type, the first preset mapping relationship table including the correspondence between ciphertext types and encryption key sets;
    randomly selecting one encryption key from the target encryption key set as the target encryption key;
    looking up the target key identifier corresponding to the target encryption key.
  17. The storage medium according to claim 16, wherein a key management program is stored on the storage medium, and when the key management program is executed by the processor, the following steps are implemented:
    receiving a key update instruction sent by the first server, and extracting a target key identifier from the key update instruction;
    randomly selecting, from the encryption keys in the encryption key set other than the target encryption key corresponding to the target key identifier, one encryption key as a new target encryption key;
    looking up a new target key identifier corresponding to the new target encryption key, and sending the new target key identifier to the first server, so that the first server sends the plaintext and the new target key identifier to the key management device for encryption of the plaintext.
  18. The storage medium according to claim 17, wherein a key management program is stored on the storage medium, and when the key management program is executed by the processor, the following steps are implemented:
    obtaining a first device identifier of the first server, and determining according to the first device identifier whether the first server is a registered user of the key management device;
    if so, performing the step of looking up the target encryption key corresponding to the target key identifier.
  19. The storage medium according to claim 18, wherein a key management program is stored on the storage medium, and when the key management program is executed by the processor, the following steps are implemented:
    obtaining a second device identifier of the second server, and determining according to the second device identifier whether the second server is a registered user of the key management device;
    if so, performing the step of looking up the target decryption key corresponding to the target key identifier.
  20. A key management apparatus, wherein the key management apparatus includes: a receiving module, a lookup module, an encryption module and a decryption module;
    the receiving module is configured to receive a plaintext and a target key identifier sent by a first server;
    the lookup module is configured to look up a target encryption key corresponding to the target key identifier;
    the encryption module is configured to encrypt the plaintext according to the target encryption key to obtain a ciphertext, and to return the ciphertext to the first server, so that the first server sends the ciphertext and the target key identifier to a second server;
    the receiving module is further configured to receive the ciphertext and the target key identifier sent by the second server;
    the lookup module is further configured to look up a target decryption key corresponding to the target key identifier;
    the decryption module is configured to decrypt the ciphertext according to the target decryption key to obtain the plaintext, and to send the plaintext to the second server.
PCT/CN2018/092987 2018-06-01 2018-06-27 Key management method, device, storage medium and apparatus WO2019227557A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810561050.5 2018-06-01
CN201810561050.5A CN109728902A (en) 2018-06-01 2018-06-01 Key management method, equipment, storage medium and device

Publications (1)

Publication Number Publication Date
WO2019227557A1 true WO2019227557A1 (en) 2019-12-05

Family

ID=66293889

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/092987 WO2019227557A1 (en) 2018-06-01 2018-06-27 Key management method, device, storage medium and apparatus

Country Status (2)

Country Link
CN (1) CN109728902A (en)
WO (1) WO2019227557A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111680326A (en) * 2020-06-09 2020-09-18 联想(北京)有限公司 Data processing method and device
CN112564901A (en) * 2020-12-08 2021-03-26 浙江三维万易联科技有限公司 Key generation method and system, storage medium and electronic device
CN113722741A (en) * 2021-09-07 2021-11-30 浙江大华技术股份有限公司 Data encryption method and device and data decryption method and device
CN114417073A (en) * 2022-03-28 2022-04-29 之江实验室 Neighbor node query method and device of encryption graph and electronic equipment
CN114424494A (en) * 2019-12-24 2022-04-29 深圳市欢太科技有限公司 Key management method and device, terminal and storage medium
CN114629644A (en) * 2022-03-29 2022-06-14 贝壳找房网(北京)信息技术有限公司 Data encryption method, storage medium, computer program product and electronic device
CN115348011A (en) * 2022-07-21 2022-11-15 中国电信股份有限公司 Key processing method and device, electronic equipment and readable storage medium

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111988260B (en) * 2019-05-21 2023-01-31 科大国盾量子技术股份有限公司 Symmetric key management system, transmission method and device
CN110266582B (en) * 2019-05-29 2022-08-26 深圳市梦网科技发展有限公司 Message pushing method, system, server and communication terminal
CN110443078B (en) * 2019-07-19 2021-05-28 南京芯驰半导体科技有限公司 Security storage system based on privilege hierarchy
CN110830243B (en) * 2019-10-18 2023-06-09 中国第一汽车股份有限公司 Symmetric key distribution method, device, vehicle and storage medium
CN111177739B (en) * 2019-10-28 2023-11-03 腾讯云计算(北京)有限责任公司 Data processing method, information interaction system and computer storage medium
CN111104691A (en) * 2019-11-28 2020-05-05 贝壳技术有限公司 Sensitive information processing method and device, storage medium and equipment
CN111092872A (en) * 2019-12-11 2020-05-01 支付宝(杭州)信息技术有限公司 Privacy protection method, device and equipment
CN111327637B (en) * 2020-03-10 2022-12-02 时时同云科技(成都)有限责任公司 Service key management method and system
CN111698229A (en) * 2020-05-29 2020-09-22 上海万位数字技术有限公司 GPS data transmission encryption method
CN113300833B (en) * 2020-06-09 2023-04-18 阿里巴巴集团控股有限公司 Key management method and device
CN112329026A (en) * 2020-06-29 2021-02-05 北京京东尚科信息技术有限公司 Data processing method, device, system, computing equipment and medium
CN114095152A (en) * 2020-08-03 2022-02-25 天翼电子商务有限公司 Method, system, medium and apparatus for updating key and encrypting and decrypting data
CN113922976A (en) * 2020-09-15 2022-01-11 京东科技控股股份有限公司 Equipment log transmission method and device, electronic equipment and storage medium
CN112398832B (en) * 2020-11-04 2022-02-01 四川长虹电器股份有限公司 Service end user data encryption method and decryption method
CN112671705A (en) * 2020-11-23 2021-04-16 中信银行股份有限公司 Message processing method and device, electronic equipment and computer readable storage medium
CN112740212B (en) * 2020-12-24 2022-08-09 华为技术有限公司 Key writing method and device
CN112953889A (en) * 2020-12-31 2021-06-11 上海移为通信技术股份有限公司 Message encryption and decryption method, system, server and readable storage medium
CN112887087B (en) * 2021-01-20 2023-04-18 成都质数斯达克科技有限公司 Data management method and device, electronic equipment and readable storage medium
CN112910891B (en) * 2021-01-29 2021-12-14 南京十方网络科技有限公司 Network security interconnection system based on FPGA high-speed encryption and decryption
CN113225336A (en) * 2021-05-06 2021-08-06 安谋科技(中国)有限公司 Information encryption transmission method, encryption and decryption device, readable medium and electronic equipment
CN114679324B (en) * 2021-12-15 2024-03-12 国机工业互联网研究院(河南)有限公司 Data exchange method, tool, system, equipment and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101784045A (en) * 2009-01-20 2010-07-21 英华达(上海)电子有限公司 Method and device for generating secrete key and method and device for loading secrete key
US8495392B1 (en) * 2010-09-02 2013-07-23 Symantec Corporation Systems and methods for securely deduplicating data owned by multiple entities
CN104243149A (en) * 2013-06-19 2014-12-24 北京搜狗科技发展有限公司 Encrypting and decrypting method, device and server
CN107483383A (en) * 2016-06-07 2017-12-15 腾讯科技(深圳)有限公司 A kind of data processing method, terminal and background server

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106650482A (en) * 2015-11-04 2017-05-10 阿里巴巴集团控股有限公司 Electronic file encryption method and device, electronic file decryption method and device and electronic file encryption and decryption system
CN106888183A (en) * 2015-12-15 2017-06-23 阿里巴巴集团控股有限公司 Data encryption, decryption, the method and apparatus and system of key request treatment

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114424494A (en) * 2019-12-24 2022-04-29 深圳市欢太科技有限公司 Key management method and device, terminal and storage medium
CN111680326A (en) * 2020-06-09 2020-09-18 联想(北京)有限公司 Data processing method and device
CN112564901A (en) * 2020-12-08 2021-03-26 浙江三维万易联科技有限公司 Key generation method and system, storage medium and electronic device
CN112564901B (en) * 2020-12-08 2023-08-25 三维通信股份有限公司 Method and system for generating secret key, storage medium and electronic device
CN113722741A (en) * 2021-09-07 2021-11-30 浙江大华技术股份有限公司 Data encryption method and device and data decryption method and device
CN114417073A (en) * 2022-03-28 2022-04-29 之江实验室 Neighbor node query method and device of encryption graph and electronic equipment
CN114417073B (en) * 2022-03-28 2022-08-05 之江实验室 Neighbor node query method and device of encryption graph and electronic equipment
CN114629644A (en) * 2022-03-29 2022-06-14 贝壳找房网(北京)信息技术有限公司 Data encryption method, storage medium, computer program product and electronic device
CN115348011A (en) * 2022-07-21 2022-11-15 中国电信股份有限公司 Key processing method and device, electronic equipment and readable storage medium
CN115348011B (en) * 2022-07-21 2024-04-30 中国电信股份有限公司 Key processing method and device, electronic equipment and readable storage medium

Also Published As

Publication number Publication date
CN109728902A (en) 2019-05-07

Similar Documents

Publication Publication Date Title
WO2019227557A1 (en) Key management method, device, storage medium and apparatus
WO2014139344A1 (en) Key download method, management method, download management method and device, and system
WO2014139342A1 (en) Key downloading method, management method, downloading management method, device and system
WO2014187168A1 (en) Information storage and management method and apparatus based on webkit browser
WO2021075867A1 (en) Method for storing and recovering key for blockchain-based system, and device therefor
WO2017171165A1 (en) System for issuing public certificate on basis of block chain, and method for issuing public certificate on basis of block chain by using same
WO2020147383A1 (en) Process examination and approval method, device and system employing blockchain system, and non-volatile storage medium
WO2014139408A1 (en) Method and system for securely downloading terminal master key (tmk)
WO2015157942A1 (en) Device and method for accessing wireless network
CN107113171A (en) Safe communication system, method and device
WO2010087567A1 (en) Method for installing rights object for content in memory card
WO2020189927A1 (en) Method and server for managing identity of user by using blockchain network, and method and terminal for authenticating user by using user identity on basis of blockchain network
WO2020050424A1 (en) BLOCK CHAIN-BASED SYSTEM AND METHOD FOR MULTIPLE SECURITY AUTHENTICATION BETWEEN MOBILE TERMINAL AND IoT DEVICE
WO2011126280A2 (en) Method for updating advertisement content using drm
WO2013075613A1 (en) Method and device for providing network service
WO2017071352A1 (en) Password push method, push system, and terminal device
WO2018098881A1 (en) Access processing method and device for application
WO2022060149A1 (en) Electronic device for managing right by using decentralized network, and operation method thereof
WO2019218441A1 (en) Request processing method and apparatus, device, and storage medium
WO2021071116A1 (en) Simple authentication method and system using web storage of browser
WO2019205272A1 (en) Virtual machine service providing method, device and equipment and computer readable storage medium
WO2019085301A1 (en) Missed call feedback method, apparatus and device for fixed phone, and readable storage medium
EP3472749A1 (en) A primary device, an accessory device, and methods for processing operations on the primary device and the accessory device
WO2020189993A1 (en) Method and system for preventing cryptocurrency loss
WO2017067284A1 (en) Fingerprint information secure call method, apparatus, and mobile terminal

Legal Events

Date Code Title Description

121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 18921155; Country of ref document: EP; Kind code of ref document: A1

NENP Non-entry into the national phase
Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 11/03/2021)

122 Ep: pct application non-entry in european phase
Ref document number: 18921155; Country of ref document: EP; Kind code of ref document: A1