WO2020042798A1 - 密码运算、创建工作密钥的方法、密码服务平台及设备 - Google Patents

密码运算、创建工作密钥的方法、密码服务平台及设备 Download PDF

Info

Publication number
WO2020042798A1
WO2020042798A1 PCT/CN2019/096309 CN2019096309W WO2020042798A1 WO 2020042798 A1 WO2020042798 A1 WO 2020042798A1 CN 2019096309 W CN2019096309 W CN 2019096309W WO 2020042798 A1 WO2020042798 A1 WO 2020042798A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
module
cryptographic
target
work
Prior art date
Application number
PCT/CN2019/096309
Other languages
English (en)
French (fr)
Inventor
肖淑婷
林孝旦
方海峰
谷胜才
Original Assignee
阿里巴巴集团控股有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 阿里巴巴集团控股有限公司 filed Critical 阿里巴巴集团控股有限公司
Priority to SG11202010745XA priority Critical patent/SG11202010745XA/en
Priority to EP19854452.0A priority patent/EP3780484B1/en
Publication of WO2020042798A1 publication Critical patent/WO2020042798A1/zh
Priority to US17/085,161 priority patent/US11025415B2/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0827Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving distinctive intermediate devices or communication paths
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/062Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys

Definitions

  • This specification relates to the field of cryptographic technology, and in particular, to cryptographic operations, methods for creating work keys, cryptographic service platforms, and equipment.
  • Cryptography technology is an important technical means to protect business systems such as banks, securities, or transactions in data storage, transmission, and access control to ensure data confidentiality, integrity, non-repudiation, and availability.
  • an enterprise can configure a password service platform.
  • the password service platform is a system platform that provides key management and password calculation services based on a cryptographic module.
  • the platform can provide business systems with message verification, data encryption and decryption, Application-level cryptographic services, such as signature verification, ensure the security of data during storage, transmission, and application, and prevent data from being stolen or maliciously tampered with. How to provide a more stable password service platform has become an urgent technical problem.
  • this specification provides a method of cryptographic calculation, creation of a work key, a cryptographic service platform, and equipment.
  • a cryptographic service platform is provided.
  • the cryptographic service platform is connected to a primary cryptographic module and at least one secondary cryptographic module, the cryptographic module has a primary key; the cryptographic service platform includes:
  • a registration module configured to call the secondary cryptographic module to generate an asymmetric key pair including a target public key and a target private key, and obtain the target public key returned by the secondary cryptographic module and store it;
  • a work key creation module is configured to: receive a work key creation request of a business system, take the target public key of the secondary cryptographic module as an input, call the master cryptographic module to generate a work key for the business system, and obtain all
  • the master password module returns: the work key ciphertext encrypted by the master key of the master password module, and the work key ciphertext encrypted by the target public key of the secondary password module;
  • the public key-encrypted work key ciphertext is input, and the secondary password module is called to obtain the returned by the secondary password module: after decrypting the inputted work key ciphertext with the target private key, it is encrypted with its own master key Ciphertext of the work key;
  • the cryptographic operation calling module is configured to: receive a cryptographic operation request of a business system, the cryptographic operation request carrying data to be calculated; determine a target cryptographic module that responds to the cryptographic operation request; and use a working key secret corresponding to the target cryptographic module
  • the text and the data to be operated are used as input, and the target cryptographic module is called to obtain the operation result of the target cryptographic module.
  • the operation result is used by the target cryptographic module to encrypt the work key by using the stored master key. After decrypting the text to obtain the work key, the decrypted work key is used to encrypt the data to be calculated.
  • the registration module is further configured to: obtain target private key indication data encrypted by the primary key of the secondary cryptographic module;
  • the work key creation module invokes the secondary cryptographic module, it also takes the target private key instruction data as input for the secondary cryptographic module to use the primary key to decrypt the target private key to decrypt the input work.
  • Key ciphertext When the work key creation module invokes the secondary cryptographic module, it also takes the target private key instruction data as input for the secondary cryptographic module to use the primary key to decrypt the target private key to decrypt the input work. Key ciphertext.
  • the target private key indication data encrypted by the primary key of the secondary cryptographic module includes: the target private key ciphertext encrypted by the secondary cryptographic module's primary key to the target private key, or The target private key identifier of the primary key encryption of the secondary cryptographic module.
  • the registration module is further configured to:
  • the master public password module is called with the target public key as input, the master public password module authenticates the target public key, and obtains a key obtained by the master cryptographic module performing message authentication code value calculation on the target public key. Check value
  • the key verification value is used by the work key creation module as an input when calling the primary cryptographic module, so that the primary cryptographic module can verify the target public key of the input secondary cryptographic module.
  • a cryptographic calculation method including:
  • Target cryptographic module Determining a target cryptographic module that responds to the cryptographic operation request, the target cryptographic module being one of a primary cryptographic module or at least one secondary cryptographic module, the cryptographic module having a master key;
  • Obtain a working key ciphertext with the target cryptographic module which is obtained in advance by taking the target public key generated in advance by the secondary cryptographic module as input, and calling the primary cryptographic module as a service
  • the system generates a work key, and obtains the work key ciphertext encrypted by the master key of the master password module and the work key ciphertext encrypted by the target public key of the secondary password module, which are returned by the master password module;
  • the cryptographic module uses the stored master key to decrypt the work key ciphertext to obtain a work key, and then uses the decrypted work key to encrypt the data to be calculated.
  • the target private key stored by the registration module is encrypted with the primary key of the secondary cryptographic module.
  • the method further includes: obtaining target private key indication data encrypted by the primary key of the secondary cryptographic module;
  • the target private key indication data is also used as input for the secondary cryptographic module to decrypt the inputted work key ciphertext after obtaining the target private key using the primary key decryption.
  • the target private key indication data encrypted by the primary key of the secondary cryptographic module includes: the target private key ciphertext encrypted by the secondary cryptographic module's primary key to the target private key, or The target private key identifier of the primary key encryption of the secondary cryptographic module.
  • the method further includes:
  • the key verification value is also input for the master password module to verify the target public key of the entered secondary password module.
  • a cryptographic service device including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the program when the program is executed.
  • Target cryptographic module Determining a target cryptographic module that responds to the cryptographic operation request, the target cryptographic module being one of a primary cryptographic module or at least one secondary cryptographic module, the cryptographic module having a master key;
  • Obtain a working key ciphertext with the target cryptographic module which is obtained in advance by taking the target public key generated in advance by the secondary cryptographic module as input, and calling the primary cryptographic module as a service
  • the system generates a work key, and obtains the work key ciphertext encrypted by the master key of the master password module and the work key ciphertext encrypted by the target public key of the secondary password module, which are returned by the master password module;
  • the cryptographic module uses the stored master key to decrypt the work key ciphertext to obtain a work key, and then uses the decrypted work key to encrypt the data to be calculated.
  • a method for creating a work key including:
  • a cryptographic service device including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the program when the program is executed.
  • one of the password modules connected to the password service platform serves as the master password module.
  • the key management function of the password service platform is provided by the master password module.
  • the master password module is used to generate the work key and the master password. Both the module and the secondary password module can provide the cryptographic operation functions required by the cryptographic service platform.
  • each cryptographic module independently generates its own master key
  • the work key of the business system is generated by the master cryptographic module
  • the cryptographic service platform stores the work key ciphertext encrypted by the master key of the master cryptographic module
  • each The master key of the secondary cryptographic module is separately encrypted with the working key ciphertext. Therefore, in this embodiment, the master key is saved by the master cryptographic module.
  • the clear text of sensitive security parameters will not exceed the boundary of the cryptographic module, and the security of the key will not be lost. And therefore meet the security requirements of the key.
  • the cryptographic service platform can call any cryptographic module to respond to the cryptographic operation request of the business system. Therefore, the cryptographic service platform can be compatible with multiple cryptographic modules.
  • the cryptographic service platform will not be bound by a single cryptographic module vendor, which meets the requirements of using multiple cryptographic modules.
  • the demand also makes the password service platform able to provide more stable password services.
  • Fig. 1 is an application scenario diagram of a cryptographic service platform shown in this specification according to an exemplary embodiment.
  • Fig. 2A is a block diagram of a cryptographic service platform according to an exemplary embodiment of the present specification.
  • Fig. 2B is a schematic diagram illustrating a registration process of a secondary password module according to an exemplary embodiment of the present specification.
  • Fig. 2C is a schematic diagram illustrating a process of creating a work key according to an exemplary embodiment of the present specification.
  • Fig. 2D is a schematic diagram of a cryptographic operation according to an exemplary embodiment of the present specification.
  • FIG. 3 is a hardware structure diagram of a computer device where a cryptographic service platform according to an embodiment of the present specification is located.
  • Fig. 4 is a flow chart showing a cryptographic calculation method according to an exemplary embodiment of the present specification.
  • Fig. 5 is a flow chart showing a method for creating a work key according to an exemplary embodiment of the present specification.
  • first, second, third, etc. may be used in this specification to describe various information, the information should not be limited to these terms. These terms are only used to distinguish the same type of information from each other.
  • first information may also be referred to as the second information, and similarly, the second information may also be referred to as the first information.
  • word “if” as used herein can be interpreted as “at” or "when” or "in response to determination”.
  • FIG. 1 it is an application scenario diagram of a cryptographic service platform shown in this specification according to an exemplary embodiment.
  • the cryptographic service platform communicates with an application system host, and the application system host calls an interface provided by the cryptographic service platform.
  • the underlying password operation and other services are completed by the password service platform calling the password module.
  • a cryptographic module contains cryptographic algorithms, security functions, and is relatively independent software, hardware, firmware, or a combination thereof that can implement key management mechanisms, and is contained within cryptographic boundaries.
  • a cryptographic boundary refers to a clearly defined continuous edge that establishes the physical and / or logical boundaries of a cryptographic module and includes all hardware, software, and / or firmware components of the cryptographic module.
  • each manufacturer has introduced a cryptographic module, and the master key production algorithm is different.
  • the cryptographic service platform in the embodiments of this specification is based on a variety of passwords. Modules are built, so there are multiple password modules connected to the password service platform. In the case of access to multiple password modules, you need to consider how to be compatible with various password modules to provide unified password services for business systems, and also meet password services. Security.
  • the solution of the embodiment of the present specification is that one of the cryptographic modules connected to the cryptographic service platform serves as the master cryptographic module, and the key management function of the cryptographic service platform is mainly provided by the master cryptographic module.
  • the module, the embodiment of this specification is called a secondary password module, and the secondary password module can provide the password operation function required by the password service platform.
  • each cryptographic module independently generates its own master key
  • the work key of the business system is generated by the master cryptographic module
  • the cryptographic service platform stores the work key ciphertext encrypted by the master key of the master cryptographic module
  • each The primary key of the secondary cryptographic module is the encrypted work key ciphertext.
  • the master key is stored by each cryptographic module
  • the plaintext of the key which is a sensitive security parameter, does not exceed the boundary of the cryptographic module, so it meets the security requirements of the key without losing the security of the key.
  • the cryptographic service platform can call any cryptographic module to respond to the cryptographic operation request of the business system. Therefore, the cryptographic service platform can be compatible with multiple cryptographic modules.
  • the cryptographic service platform will not be bound by a single cryptographic module vendor, which meets the requirements of using multiple cryptographic modules.
  • the demand also makes the password service platform able to provide more stable password services.
  • the cryptographic service platform of the embodiment of the present specification may include a registration module 21, a work key creation module 22, and a cryptographic operation calling module 23, which are respectively used to register the secondary cryptographic module and create a business system. Key, and call the cryptographic module to respond to the cryptographic operation request of the business system.
  • a registration module configured to call the secondary cryptographic module to generate an asymmetric key pair including a target public key and a target private key, and obtain the target public key returned by the secondary cryptographic module and store it;
  • a work key creation module is configured to: receive a work key creation request of a business system, take the target public key of the secondary cryptographic module as an input, call the master cryptographic module to generate a work key for the business system, and obtain all
  • the master password module returns: the work key ciphertext encrypted by the master key of the master password module, and the work key ciphertext encrypted by the target public key of the secondary password module;
  • the public key-encrypted work key ciphertext is input, and the secondary password module is called to obtain the returned by the secondary password module: after decrypting the inputted work key ciphertext with the target private key, it is encrypted with its own master key Ciphertext of the work key;
  • the cryptographic operation calling module is configured to: receive a cryptographic operation request of a business system, the cryptographic operation request carrying data to be calculated; determine a target cryptographic module that responds to the cryptographic operation request; and use a working key secret corresponding to the target cryptographic module
  • the text and the data to be operated are used as input, and the target cryptographic module is called to obtain the operation result of the target cryptographic module.
  • the operation result is used by the target cryptographic module to encrypt the work key by using the stored master key. After decrypting the text to obtain the work key, the decrypted work key is used to encrypt the data to be calculated.
  • the password module uses the master key to encrypt the protection key.
  • the cryptographic module itself will have a key derivation algorithm to generate keys.
  • each cryptographic module generates its own master key. Due to the subsequent creation of the working key of the business system, in this embodiment, the secondary cryptographic module is required to generate an asymmetric key pair including the target public key and the target private key during registration, and at least provide it to the password service platform to save the target.
  • the public key enables the cryptographic service platform to securely transmit and save data when the work key is created by a subsequent master cryptographic module.
  • the key generation service interface of the secondary cryptographic module may be called, an asymmetric key pair including a target public key and a target private key is generated by the secondary cryptographic module, and the cryptographic service platform obtains the target returned by the secondary cryptographic module.
  • the target public key Stored after the public key.
  • the purpose of the target public key is that after the working key is created by the primary cryptographic module, it can be encrypted and transmitted securely to the secondary cryptographic module using the target public key (this process is described in detail later).
  • the secondary password module may also use the target private key indication data encrypted by the master key, and the indication data is used to correspond to the target private key; the target private key indication The data can be provided to the cryptographic service platform.
  • the cryptographic service platform can transmit the target private key instruction data to the secondary cryptographic module for the secondary cryptographic module to determine which private key should be obtained for subsequent follow-up. deal with.
  • the target private key indication data encrypted by the primary key of the secondary cryptographic module may include: the target private key ciphertext encrypted with the primary private key of the secondary cryptographic module for the target private key, or It is identified by the target private key encrypted with the primary key of the secondary cryptographic module.
  • the cryptographic service platform may also use the target public key of the secondary cryptographic module as input to call the A master password module that authenticates the target public key by the master password module, and obtains a key check value calculated by the master password module performing a message authentication code value on the target public key, and the key check value is used Perform verification on subsequent master password modules to prevent data from being tampered with.
  • FIG. 2B it is a registration process of the secondary password module shown in this specification according to an exemplary embodiment:
  • the password service platform administrator sends an operation instruction to the password service platform to register a secondary password module. After receiving the instruction, the password service platform performs the following operations:
  • the cryptographic service platform invokes the generated key pair service interface of the secondary cryptographic module
  • the secondary cryptographic module responds to the instructions, generates an asymmetric key pair including the target private key and the target public key within the module, and the secondary cryptographic module returns: the target private key ciphertext encrypted by the primary key of the secondary cryptographic module as the above Indication data (or target private key identification in other examples), and target public key in plain text.
  • the cryptographic service platform invokes the authentication public key service interface of the primary cryptographic module to allow the primary cryptographic module to authenticate the target public key generated by the secondary cryptographic module.
  • the master password module uses the internal master key to perform message authentication code calculation on the target public key, obtains a key check value, and returns.
  • the work key refers to a key that the cryptographic module provides a cryptographic operation function for the business system and is created for the business system.
  • the process of creating a work key can be:
  • Receiving a work key creation request of a business system taking the target public key of the secondary cryptographic module as an input, calling the master cryptographic module to generate a work key for the business system, and obtaining what the master cryptographic module returns: The working key ciphertext encrypted by the primary key of the primary cryptographic module and the working key ciphertext encrypted by the target public key of the secondary cryptographic module; the working key ciphertext encrypted by the target public key of the secondary cryptographic module For input, the secondary password module is called to obtain the work key ciphertext returned by the secondary password module: after decrypting the inputted work key ciphertext with the target private key, it is encrypted with its own master key.
  • the master password module uses its own master password to encrypt the work key ciphertext of the master password module;
  • Each secondary password module also needs to use its own primary password to encrypt the work key to obtain the work key ciphertext; and the work key needs the password service platform to transfer from the primary password module to the secondary password module, so this embodiment uses the target public key Implement the above-mentioned encrypted transmission process.
  • this embodiment can use an asymmetric key pair as the target key. Therefore, in this stage, the corresponding example is as follows, as shown in FIG. The process of creating a work key is shown in an exemplary embodiment:
  • the key administrator initiates an operation instruction to create a key. After the password service platform receives the operation instruction, it performs the following operations:
  • the cryptographic service platform calls the key creation interface of the main cryptographic module
  • the master password module After the master password module is called, use the key derivation algorithm to generate the corresponding work key, and use the master password module's master password to encrypt and return;
  • the work key may include multiple types, private and secret keys. It can be encrypted, and the public key can be returned in plain text without encryption.
  • the specific implementation can also encrypt the public key as needed, which is not limited in this embodiment.
  • the cryptographic service platform invokes the transfer encryption key interface of the primary cryptographic module, passing in the key ciphertext (the working key ciphertext encrypted by the primary key of the primary cryptographic module), the target public key of the secondary cryptographic module, and the aforementioned secret Key check value.
  • the master key is used to decrypt the work key; at the same time, the target public key is verified based on the message authentication code value, and the target public key is determined to be valid (indicating that the target public key is secure, has not been tampered, etc.) , Use the target public key of the secondary password module to encrypt the work key and return.
  • the cryptographic service platform invokes the transfer encryption key interface of the secondary password module, and passes in the working key ciphertext (encrypted by the target public key of the secondary password module), and the target private key ciphertext of the secondary password module (by the secondary password module's Target public key encryption).
  • the secondary password module uses its own master key to decrypt to obtain the target private key, and uses the decrypted target private key to decrypt the work key ciphertext to obtain the work key, and then uses its own master key to decrypt the work secret.
  • the key is encrypted to obtain the ciphertext of the work key and returned to the password service platform.
  • the cryptographic service platform After the execution is completed, the cryptographic service platform records multiple ciphertexts of the work key: the ciphertext encrypted by the master key of the primary cryptographic module, and the ciphertext content encrypted by the master key of each secondary cryptographic module.
  • the cryptographic service platform provides cryptographic operation services to the business system.
  • the cryptographic service platform may receive cryptographic operation requests from the business system, and the cryptographic operation request carries data to be calculated.
  • a cryptographic service platform may provide services to multiple business systems, and each business system may correspond to multiple working keys. Therefore, the cryptographic operation request also carries a key identifier for the cryptographic service platform to determine which working secret to use. Keys provide cryptographic computing services.
  • the cryptographic service platform may select any one of the cryptographic modules to respond to the cryptographic computation request.
  • the cryptographic module selected by the cryptographic service platform is referred to as the target cryptographic module.
  • the selection method of the password service platform can be flexibly configured according to needs, for example, it can be based on the current processing capacity of each cryptographic module, the number of tasks being processed, and the like.
  • the cryptographic service platform can obtain the working key ciphertext corresponding to the target cryptographic module from the stored multiple working key ciphertexts.
  • the cryptographic service platform may use the working key ciphertext as input to call the target cryptographic module.
  • the target cryptographic module After the target cryptographic module is called, it can use its own stored master key to decrypt the work key ciphertext to obtain a work key, and then use the work key to perform calculations on the data to be calculated, and the operation result can be returned to
  • the password service platform is returned to the business system by the password service platform.
  • FIG. 2D it is a schematic diagram of a cryptographic operation shown in this specification according to an exemplary embodiment:
  • the cryptographic service platform After the cryptographic service platform receives the cryptographic computation request, it determines which cryptographic module should be selected for this operation.
  • the specific selection logic is not limited. The logic can be formulated according to the cryptographic service platform's needs for traffic management of the cryptographic module.
  • the cryptographic service platform calls the cryptographic computing interface of the main cryptographic module, and the input data is the key content of the work key (encrypted by the main cryptographic module) and the data to be calculated.
  • the master cryptographic module uses the internal master key to decrypt to obtain the plaintext of the work key, perform cryptographic operations on the operation data, and return the operation results to the cryptographic service platform.
  • the cryptographic service platform invokes the cryptographic operation interface of the secondary password module, and the input data is the key content of the work key (encrypted by the secondary password module) and the data to be calculated.
  • the secondary cryptographic module uses the internal master key to decrypt to obtain the plaintext of the work key, performs cryptographic operations on the operation data, and returns the operation result to the cryptographic service platform.
  • this specification also provides embodiments of cryptographic computing methods and computer equipment applied to the cryptographic service platform.
  • the embodiments of the password service platform of this specification can be applied to computer equipment, such as a server and the like.
  • the device embodiments may be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, as a device in a logical sense, it is formed by reading the corresponding computer program instructions in the non-volatile memory into the memory and running the processor. In terms of hardware, as shown in FIG.
  • the server on which the cryptographic service platform 331 is located in the embodiment may generally include other hardware according to the actual function of the computer device, and details are not described herein again.
  • FIG. 4 is a flowchart of a cryptographic calculation method according to an exemplary embodiment of the present specification, including the following steps:
  • step 402 a cryptographic operation request initiated by a service system is received, and the cryptographic operation request carries data to be calculated.
  • a target cryptographic module responding to the cryptographic operation request is determined, the target cryptographic module is one of a primary cryptographic module or at least one secondary cryptographic module, and the cryptographic module has a master key.
  • a working key ciphertext with the target cryptographic module is obtained, and the working key ciphertext is obtained in advance by using the target public key generated in advance by the secondary cryptographic module as an input to call the master
  • the cryptographic module generates a work key for the business system, and obtains the work key ciphertext encrypted by the master key of the master cryptographic module and the work secret encrypted by the target public key of the secondary cryptographic module.
  • Key ciphertext using the work key ciphertext encrypted by the target public key of the secondary cryptographic module as input, calling the secondary cryptographic module to obtain the secondary cryptographic module's return: decrypting the input job with the target private key After the key ciphertext, the work key ciphertext encrypted with its own master key;
  • step 408 taking the work key ciphertext and the data to be operated as input, the target password module is called, the operation result returned by the target password module is obtained and sent to the business system, and the operation result is obtained.
  • the target cryptographic module uses the stored master key to decrypt the work key ciphertext to obtain a work key, the decrypted work key is used to encrypt the data to be calculated.
  • the target private key stored by the registration module is encrypted with the primary key of the secondary cryptographic module.
  • the method further includes: obtaining target private key indication data encrypted by the primary key of the secondary cryptographic module;
  • the target private key indication data is also used as input for the secondary cryptographic module to decrypt the inputted work key ciphertext after obtaining the target private key using the primary key decryption.
  • the target private key indication data encrypted by the primary key of the secondary cryptographic module includes: the target private key ciphertext encrypted by the secondary cryptographic module's primary key to the target private key, or The target private key identifier of the primary key encryption of the secondary cryptographic module.
  • the method further includes:
  • the key verification value is also input for the master password module to verify the target public key of the entered secondary password module.
  • FIG. 5 is a method for creating a work key shown in this specification according to an exemplary embodiment, including:
  • step 502 a work key creation request of a service system is received
  • step 504 the target public key of the secondary cryptographic module is used as an input, the primary cryptographic module is called to generate a work key for the business system, and the returned by the primary cryptographic module is obtained: the primary key of the primary cryptographic module is encrypted.
  • step 506 the working key ciphertext encrypted by the target public key of the secondary cryptographic module is used as an input, and the secondary cryptographic module is called to obtain the return of the secondary cryptographic module: the input private key is decrypted with the target private key.
  • the work key ciphertext the work key ciphertext encrypted with its own master key; wherein the target public key and target private key are generated in advance by the secondary cryptographic module.
  • one of the password modules connected to the password service platform serves as the master password module.
  • the key management function of the password service platform is provided by the master password module.
  • the master password module is used to generate the work key and the master password. Both the module and the secondary password module can provide the cryptographic operation functions required by the cryptographic service platform.
  • each cryptographic module independently generates its own master key
  • the work key of the business system is generated by the master cryptographic module
  • the cryptographic service platform stores the work key ciphertext encrypted by the master key of the master cryptographic module
  • each The master key of the secondary cryptographic module is separately encrypted with the working key ciphertext. Therefore, in this embodiment, the master key is saved by the master cryptographic module.
  • the clear text of sensitive security parameters will not exceed the boundary of the cryptographic module, and the security of the key will not be lost. And therefore meet the security requirements of the key.
  • an embodiment of the present specification further provides a computer device including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the following method when the program is executed:
  • Target cryptographic module Determining a target cryptographic module that responds to the cryptographic operation request, the target cryptographic module being one of a primary cryptographic module or at least one secondary cryptographic module, the cryptographic module having a master key;
  • Obtain a working key ciphertext with the target cryptographic module which is obtained in advance by taking the target public key generated in advance by the secondary cryptographic module as input, and calling the primary cryptographic module as a service
  • the system generates a work key, and obtains the work key ciphertext encrypted by the master key of the master password module and the work key ciphertext encrypted by the target public key of the secondary password module, which are returned by the master password module;
  • the cryptographic module uses the stored master key to decrypt the work key ciphertext to obtain a work key, and then uses the decrypted work key to encrypt the data to be calculated.
  • an embodiment of the present specification further provides a cryptographic service device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the following method when the program is executed :
  • the relevant part may refer to the description of the method embodiment.
  • the device embodiments described above are only schematic, and the modules described as separate components may or may not be physically separated, and the components displayed as modules may or may not be physical modules, which may be located in One place, or can be distributed to multiple network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in this specification. Those of ordinary skill in the art can understand and implement without creative efforts.

Abstract

本说明书提供一种密码运算、创建工作密钥的方法、密码服务平台及设备,密码服务平台所连接的密码模块中,密钥管理功能由主密码模块提供,主密码模块用于生成密钥,主密码模块和次密码模块都可提供密码服务平台所需要的密码运算功能。各个密码模块各自独立生成自身的主密钥,业务系统的工作密钥则由主密码模块生成,密码服务平台保存有主密码模块的主密钥加密的工作密钥密文,以及各个次密码模块的主密钥分别加密的工作密钥密文。作为敏感安全参数的主密钥、工作密钥明文均不会超出密码模块的边界,不会损失密钥的安全性,满足密钥的安全性要求。密码服务平台可调用任一密码模块响应业务系统的密码运算请求,密码服务平台能够兼容多种密码模块。

Description

密码运算、创建工作密钥的方法、密码服务平台及设备 技术领域
本说明书涉及密码技术领域,尤其涉及密码运算、创建工作密钥的方法、密码服务平台及设备。
背景技术
随着互联网技术的发展,各类业务系统层出不穷,给人们的工作、生活带来了极大的便利,也促进了经济的增长和社会的进步。密码技术是保护银行、证券或交易等业务系统在数据存储、传输、访问控制中确保数据机密性、完整性、抗抵赖及可用性的重要技术手段。
例如,企业可配置密码服务平台,密码服务平台是基于密码模块提供密钥管理、密码运算服务的系统平台,该平台作为业务系统的服务端,能够为业务系统提供消息验证、数据加密与解密、签名验签等应用层密码服务,保障数据在存储、传输及应用过程中的安全性,防止数据被窃取或恶意篡改。如何提供一个更为稳定的密码服务平台成为亟待解决的技术问题。
发明内容
为克服相关技术中存在的问题,本说明书提供了密码运算、创建工作密钥的方法、密码服务平台及设备。
根据本说明书实施例的第一方面,提供一种密码服务平台,所述密码服务平台连接有主密码模块和至少一个次密码模块,所述密码模块具有主密钥;所述密码服务平台包括:
注册模块,用于:调用所述次密码模块生成包括目标公钥和目标私钥的非对称密钥对,获取所述次密码模块返回的目标公钥后存储;
工作密钥创建模块,用于:接收业务系统的工作密钥创建请求,以所述次密码模块的目标公钥为输入,调用所述主密码模块为所述业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的 目标公钥加密的工作密钥密文;以所述次密码模块的目标公钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以所述目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密钥密文;
密码运算调用模块,用于:接收业务系统的密码运算请求,所述密码运算请求携带有待运算数据;确定响应所述密码运算请求的目标密码模块;以所述目标密码模块对应的工作密钥密文和所述待运算数据作为输入,调用所述目标密码模块,获得所述目标密码模块的运算结果,所述运算结果由所述目标密码模块利用已存储主密钥对所述工作密钥密文解密得到工作密钥后,利用解密得到的工作密钥对所述待运算数据进行加密得到。
可选的,所述注册模块还用于:获取所述次密码模块的主密钥加密的目标私钥指示数据;
所述工作密钥创建模块在调用所述次密码模块时,还以所述目标私钥指示数据为输入,以供所述次密码模块利用主密钥解密获取目标私钥后,解密输入的工作密钥密文。
可选的,所述次密码模块的主密钥加密的目标私钥指示数据,包括:以所述次密码模块的主密钥对所述目标私钥加密的目标私钥密文,或以所述次密码模块的主密钥加密的目标私钥标识。
可选的,所述注册模块还用于:
以所述目标公钥为输入调用所述主密码模块,由所述主密码模块对所述目标公钥进行认证,获取主密码模块对所述目标公钥进行消息鉴别码值计算得到的密钥校验值;
所述密钥校验值由所述工作密钥创建模块在调用所述主密码模块时作为输入,以供所述主密码模块对输入的次密码模块的目标公钥进行校验。
根据本说明书实施例的第二方面,提供一种密码运算方法,包括:
接收业务系统发起的密码运算请求,所述密码运算请求携带有待运算数据;
确定响应所述密码运算请求的目标密码模块,所述目标密码模块为主密码模块或至少一个次密码模块中的一个,所述密码模块具有主密钥;
获取与所述目标密码模块的工作密钥密文,所述工作密钥密文预先通过如下方式获得:以所述次密码模块预先生成的目标公钥为输入,调用所述主密码模块为业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的目标公钥加密的工作密钥密文;以所述次密码模块的目标公 钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以所述目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密钥密文;
以所述工作密钥密文和所述待运算数据为输入,调用所述目标密码模块,获取所述目标密码模块返回的运算结果并发送给所述业务系统,所述运算结果由所述目标密码模块利用已存储主密钥对所述工作密钥密文解密得到工作密钥后,利用解密得到的工作密钥对所述待运算数据进行加密得到。
可选的,所述注册模块存储的目标私钥以所述次密码模块的主密钥加密。
可选的,还包括:获取所述次密码模块的主密钥加密的目标私钥指示数据;
在调用所述次密码模块时,还以所述目标私钥指示数据为输入,以供所述次密码模块利用主密钥解密获取目标私钥后,解密输入的工作密钥密文。
可选的,所述次密码模块的主密钥加密的目标私钥指示数据,包括:以所述次密码模块的主密钥对所述目标私钥加密的目标私钥密文,或以所述次密码模块的主密钥加密的目标私钥标识。
可选的,所述方法还包括:
以所述目标公钥为输入调用主密码模块,获取主密码模块对所述目标公钥进行消息鉴别码值计算得到的密钥校验值;
在调用所述主密码模块为业务系统生成工作密钥时,还以所述密钥校验值为输入,以供所述主密码模块对输入的次密码模块的目标公钥进行校验。
根据本说明书实施例的第三方面,提供一种密码服务设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,其中,所述处理器执行所述程序时实现如下方法:
接收业务系统发起的密码运算请求,所述密码运算请求携带有待运算数据;
确定响应所述密码运算请求的目标密码模块,所述目标密码模块为主密码模块或至少一个次密码模块中的一个,所述密码模块具有主密钥;
获取与所述目标密码模块的工作密钥密文,所述工作密钥密文预先通过如下方式获得:以所述次密码模块预先生成的目标公钥为输入,调用所述主密码模块为业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的目标公钥加密的工作密钥密文;以所述次密码模块的目标公 钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以所述目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密钥密文;
以所述工作密钥密文和所述待运算数据为输入,调用所述目标密码模块,获取所述目标密码模块返回的运算结果并发送给所述业务系统,所述运算结果由所述目标密码模块利用已存储主密钥对所述工作密钥密文解密得到工作密钥后,利用解密得到的工作密钥对所述待运算数据进行加密得到。
根据本说明书实施例的第四方面,提供一种创建工作密钥的方法,包括:
接收业务系统的工作密钥创建请求;
以次密码模块的目标公钥为输入,调用主密码模块为所述业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的目标公钥加密的工作密钥密文;
以所述次密码模块的目标公钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以所述目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密钥密文;其中,所述目标公钥和目标私钥由所述次密码模块预先生成。
根据本说明书实施例的第五方面,提供一种密码服务设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,其中,所述处理器执行所述程序时实现如下方法:
接收业务系统的工作密钥创建请求;
以次密码模块的目标公钥为输入,调用主密码模块为所述业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的目标公钥加密的工作密钥密文;
以所述次密码模块的目标公钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以所述目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密钥密文;其中,所述目标公钥和目标私钥由所述次密码模块预先生成。
本说明书的实施例提供的技术方案可以包括以下有益效果:
本说明书实施例中,密码服务平台所连接的密码模块中,其中一个作为主密码模块,密码服务平台的密钥管理功能中由主密码模块提供,主密码模块用于生成工作密钥,主密码模块和次密码模块都可提供密码服务平台所需要的密码运算功能。
其中,各个密码模块各自独立生成自身的主密钥,业务系统的工作密钥则由主密码模块生成,并且密码服务平台保存有主密码模块的主密钥加密的工作密钥密文,以及各个次密码模块的主密钥分别加密的工作密钥密文,因此,本实施例中主密钥由主密码模块保存,敏感安全参数明文不会超出密码模块的边界,不会损失密钥的安全性,因此满足密钥的安全性要求。而密码服务平台可调用任一密码模块响应业务系统的密码运算请求,因此密码服务平台能够兼容多种密码模块,密码服务平台不会被单一的密码模块厂商绑定,满足使用多种密码模块的需求,也使得密码服务平台能够提供更为稳定的密码服务。
应当理解的是,以上的一般描述和后文的细节描述仅是示例性和解释性的,并不能限制本说明书。
附图说明
此处的附图被并入说明书中并构成本说明书的一部分,示出了符合本说明书的实施例,并与说明书一起用于解释本说明书的原理。
图1是本说明书根据一示例性实施例示出的一种密码服务平台的应用场景图。
图2A是本说明书根据一示例性实施例示出的密码服务平台的框图。
图2B是本说明书根据一示例性实施例示出的次密码模块的注册过程示意图。
图2C是本说明书根据一示例性实施例示出的创建工作密钥的过程示意图。
图2D是本说明书根据一示例性实施例示出的密码运算示意图。
图3是本说明书实施例密码服务平台所在计算机设备的一种硬件结构图。
图4是本说明书根据一示例性实施例示出的一种密码运算方法的流程图。
图5是本说明书根据一示例性实施例示出的一种创建工作密钥的方法的流程图。
具体实施方式
这里将详细地对示例性实施例进行说明,其示例表示在附图中。下面的描述涉及附图时,除非另有表示,不同附图中的相同数字表示相同或相似的要素。以下示例性实施例中所描述的实施方式并不代表与本说明书相一致的所有实施方式。相反,它们仅是与如所附权利要求书中所详述的、本说明书的一些方面相一致的装置和方法的例子。
在本说明书使用的术语是仅仅出于描述特定实施例的目的,而非旨在限制本说明书。在本说明书和所附权利要求书中所使用的单数形式的“一种”、“所述”和“该”也旨在包括多数形式,除非上下文清楚地表示其他含义。还应当理解,本文中使用的术语“和/或”是指并包含一个或多个相关联的列出项目的任何或所有可能组合。
应当理解,尽管在本说明书可能采用术语第一、第二、第三等来描述各种信息,但这些信息不应限于这些术语。这些术语仅用来将同一类型的信息彼此区分开。例如,在不脱离本说明书范围的情况下,第一信息也可以被称为第二信息,类似地,第二信息也可以被称为第一信息。取决于语境,如在此所使用的词语“如果”可以被解释成为“在……时”或“当……时”或“响应于确定”。
如图1所示,是本说明书根据一示例性实施例示出的一种密码服务平台的应用场景图,图1中密码服务平台与应用系统主机通信,应用系统主机通过调用密码服务平台提供的接口来使用密码服务,底层的密码运算等服务由密码服务平台调用密码模块来完成。
密码模块(security module)含有密码算法、安全功能,是可实现密钥管理机制的相对独立的软件、硬件、固件或其组合,被包含在密码边界内。密码边界(cryptographic boundary)是指:明确定义的连续边线,该边线建立了密码模块的物理和/或逻辑边界,并包括了密码模块的所有硬件、软件、和/或固件部件。
目前,各家厂商都推出有密码模块,其主密钥的生产算法各不相同,为避免被单一厂商绑定、提高密码服务平台的健壮性,本说明书实施例的密码服务平台基于多种密码模块来建设,因此密码服务平台连接有多种密码模块,在接入有多种密码模块的情况下,需要考虑如何兼容各种密码模块以统一为业务系统提供密码服务,并且还要满足密码服务的安全性。
本说明书实施例的方案是,密码服务平台所连接的密码模块中,其中一个作为主密码模块,密码服务平台的密钥管理功能中主要由主密码模块提供,除了主密码模块之外的其他密码模块,本说明书实施例称为次密码模块,次密码模块可提供密码服务平台所需要的密码运算功能。
其中,各个密码模块各自独立生成自身的主密钥,业务系统的工作密钥则由主密码模块生成,并且密码服务平台保存有主密码模块的主密钥加密的工作密钥密文,以及各个次密码模块的主密钥分别加密的工作密钥密文。本实施例中主密钥由各密码模块各自保存,作为敏感安全参数的密钥明文不会超出密码模块的边界,因此满足密钥的安全性 要求,不会损失密钥的安全性。而密码服务平台可调用任一密码模块响应业务系统的密码运算请求,因此密码服务平台能够兼容多种密码模块,密码服务平台不会被单一的密码模块厂商绑定,满足使用多种密码模块的需求,也使得密码服务平台能够提供更为稳定的密码服务。
作为例子,如图2A所示,本说明书实施例的密码服务平台可包含有注册模块21、工作密钥创建模块22和密码运算调用模块23,分别用于注册次密码模块、创建业务系统的工作密钥,以及调用密码模块响应业务系统的密码运算请求。具体的,
注册模块,用于:调用所述次密码模块生成包括目标公钥和目标私钥的非对称密钥对,获取所述次密码模块返回的目标公钥后存储;
工作密钥创建模块,用于:接收业务系统的工作密钥创建请求,以所述次密码模块的目标公钥为输入,调用所述主密码模块为所述业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的目标公钥加密的工作密钥密文;以所述次密码模块的目标公钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以所述目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密钥密文;
密码运算调用模块,用于:接收业务系统的密码运算请求,所述密码运算请求携带有待运算数据;确定响应所述密码运算请求的目标密码模块;以所述目标密码模块对应的工作密钥密文和所述待运算数据作为输入,调用所述目标密码模块,获得所述目标密码模块的运算结果,所述运算结果由所述目标密码模块利用已存储主密钥对所述工作密钥密文解密得到工作密钥后,利用解密得到的工作密钥对所述待运算数据进行加密得到。
接下来对上述模块进行详细说明。
(一)次密码模块的注册
密码模块在工作前需要设置工作用的主密钥,密码模块利用主密钥对待保护密钥进行加密。密码模块本身会有密钥派生算法生成密钥,本实施例中,各个密码模块生成自身所需的主密钥。由于后续涉及业务系统的工作密钥的创建过程,本实施例中,要求次密码模块在注册时生成包括目标公钥和目标私钥的非对称密钥对,并至少提供给密码服务平台保存目标公钥,在后续主密码模块创建工作密钥时,使密码服务平台能够安全地传输和保存数据。
具体的,可以是调用所述次密码模块的生成密钥服务接口,由次密码模块生成包括 目标公钥和目标私钥的非对称密钥对,密码服务平台获取所述次密码模块返回的目标公钥后存储。该目标公钥的用途是,在主密码模块创建工作密钥后,能够利用该目标公钥进行加密后安全地传输给次密码模块(此过程在后续进行详细说明)。
另外,由于次密码模块中可能存储有多种密钥,为了进行区分,次密码模块还可以利用主密钥加密的目标私钥指示数据,该指示数据用于对应目标私钥;目标私钥指示数据可以提供给密码服务平台,已在后续需要次密码模块使用目标私钥时,密码服务平台可以传输该目标私钥指示数据给次密码模块,以供次密码模块确定该获取那个私钥进行后续处理。可选的,所述次密码模块的主密钥加密的目标私钥指示数据,可以包括:以所述次密码模块的主密钥对所述目标私钥加密的目标私钥密文,也可以是以所述次密码模块的主密钥加密的目标私钥标识。
由于后续需要以目标公钥为输入调用主密码模块,为了进一步提高后续数据传输的安全性,本实施例中,密码服务平台还可以以所述次密码模块的目标公钥为输入,调用所述主密码模块,由所述主密码模块对所述目标公钥进行认证,获取主密码模块对所述目标公钥进行消息鉴别码值计算得到的密钥校验值,该密钥校验值用于后续主密码模块进行校验,以防止数据被篡改。
接下来结合图2B再次说明上述注册过程,如图2B所示,是本说明书根据一示例性实施例示出的次密码模块的注册过程:
1、密码服务平台管理员向密码服务平台发出注册一个次密码模块的操作指令,密码服务平台收到指令后,执行如下操作:
1.1、密码服务平台调用次密码模块的生成密钥对服务接口;
1.2、次密码模块响应指令,在模块内生成包括目标私钥和目标公钥的非对称密钥对,次密码模块返回:由次密码模块的主密钥加密的目标私钥密文作为上述的指示数据(在其他例子中也可以是目标私钥标识),以及明文形式的目标公钥。
1.3、密码服务平台调用主密码模块的认证公钥服务接口,让主密码模块对次密码模块生成的目标公钥进行认证。
1.4、主密码模块用内部主密钥对所述目标公钥进行消息鉴别码计算,获得密钥校验值并返回。
(二)为业务系统创建工作密钥
本实施例中,工作密钥是指密码模块为业务系统提供密码运算功能、针对业务系统创建的密钥。创建工作密钥的过程可以是:
接收业务系统的工作密钥创建请求,以所述次密码模块的目标公钥为输入,调用所述主密码模块为所述业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的目标公钥加密的工作密钥密文;以所述次密码模块的目标公钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以所述目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密钥密文。
本实施例的过程可以理解为:
①先由主密码模块创建工作密钥后,主密码模块利用自身主密码加密后得到主密码模块的工作密钥密文;
②各个次密码模块也需要利用自身主密码加密该工作密钥得到工作密钥密文;而工作密钥需要密码服务平台从主密码模块传输至次密码模块中,因此本实施例采用目标公钥实现上述加密传输过程。
在前述第(一)阶段中提到,本实施例可以采用非对称密钥对作为目标密钥,因此,在本阶段中,相对应的例子如下,如图2C所示,是本说明书根据一示例性实施例示出的创建工作密钥的过程:
1、密钥管理员发起创建密钥的操作指令,密码服务平台收到操作指令后,执行如下操作:
1.1、密码服务平台调用主密码模块的创建密钥接口;
1.2、主密码模块被调用后,利用密钥派生算法产生对应的工作密钥,并使用主密码模块的主密码加密后返回;(其中,工作密钥可能包括多种,私钥和秘密密钥可进行加密,而公钥可以不加密直接明文返回,当然,具体实现也可以根据需要对公钥加密,本实施例对此不做限定)
1.3、密码服务平台调用主密码模块的转加密密钥接口,传入密钥密文(主密码模块的主密钥加密的工作密钥密文)、次密码模块的目标公钥和前述的密钥校验值。
1.4、主密码模块被调用后,利用主密钥解密得到工作密钥;同时,基于消息鉴别码值校验目标公钥,确定目标公钥合法(表示目标公钥安全,未被篡改等)后,使用次密 码模块的目标公钥加密工作密钥后返回。
1.5、密码服务平台调用次密码模块的转加密密钥接口,传入工作密钥密文(由次密码模块的目标公钥加密)、次密码模块的目标私钥密文(由次密码模块的目标公钥加密)。
1.6、次密码模块被调用后,使用自身主密钥解密得到目标私钥,利用解密得到的目标私钥解密工作密钥密文,从而获得工作密钥,然后再使用自身主密钥对工作密钥加密得到工作密钥密文,返回给密码服务平台。
执行完成后,密码服务平台记录下多份工作密钥密文:由主密码模块主密钥加密的密文,以及由各个次密码模块的主密钥加密的密文内容。
(三)密码运算
本实施例中,密码服务平台向业务系统提供密码运算服务,密码服务平台可接收业务系统的密码运算请求,所述密码运算请求携带有待运算数据。通常,密码服务平台可能面向多个业务系统提供服务,每个业务系统也可能对应多个工作密钥,因此密码运算请求中还携带有密钥标识,以供密码服务平台确定该利用哪个工作密钥提供密码运算服务。
由于接入有多种密码模块,密码服务平台可以从中选取其中任意一个密码模块响应密码运算请求,为了便于区分,本实施例将密码服务平台选取的密码模块称为目标密码模块。可选的,密码服务平台的选取方式可以根据需要灵活配置,例如可以基于各个密码模块当前的处理能力、正在处理的任务数量等等方式。
在确定响应密码运算请求的目标密码模块后,密码服务平台可以从已存储多份工作密钥密文中,获取目标密码模块对应的工作密钥密文。密码服务平台可以以该工作密钥密文作为输入,调用所述目标密码模块。目标密码模块在被调用后,可以利用自身已存储主密钥对所述工作密钥密文解密得到工作密钥,进而利用该工作密钥对所述待运算数据进行运算,运算结果可返回给密码服务平台,由密码服务平台返回给业务系统。
作为例子,如图2D所示,是本说明书根据一示例性实施例示出的密码运算示意图:
1.1、密码服务平台接收到密码运算请求后,确定选择本次运算该使用哪一个密码模块,具体的选择逻辑不限,可以根据密码服务平台对密码模块进行流量管理的需求等来制定该逻辑。
1.1.1、如果选择结果为主密码模块,密码服务平台调用主密码模块的密码运算接口, 输入数据为工作密钥的密钥内容(由主密码模块加密)和待运算数据。
1.1.2、主密码模块使用内部的主密钥解密得到工作密钥明文,对待运算数据进行密码运算,将运算结果返回给密码服务平台。
2.2.1、如果选择结果为次密码模块,密码服务平台调用次密码模块的密码运算接口,输入数据为工作密钥的密钥内容(由次密码模块加密)和待运算数据。
2.2.2、次密码模块使用内部的主密钥解密得到工作密钥明文,对待运算数据进行密码运算,将运算结果返回给密码服务平台。
与前述密码服务平台的实施例相对应,本说明书还提供了密码运算方法及密码服务平台所应用的计算机设备的实施例。
本说明书密码服务平台的实施例可以应用在计算机设备上,例如服务器等。装置实施例可以通过软件实现,也可以通过硬件或者软硬件结合的方式实现。以软件实现为例,作为一个逻辑意义上的装置,是通过其所在的处理器将非易失性存储器中对应的计算机程序指令读取到内存中运行形成的。从硬件层面而言,如图3所示,为本说明书实施例密码服务平台所在计算机设备的一种硬件结构图,除了图3所示的处理器310、内存330、网络接口320、以及非易失性存储器340之外,实施例中密码服务平台331所在的服务器,通常根据该计算机设备的实际功能,还可以包括其他硬件,对此不再赘述。
如图4所示,图4是本说明书根据一示例性实施例示出的一种密码运算方法的流程图,包括以下步骤:
在步骤402、接收业务系统发起的密码运算请求,所述密码运算请求携带有待运算数据。
在步骤404、确定响应所述密码运算请求的目标密码模块,所述目标密码模块为主密码模块或至少一个次密码模块中的一个,所述密码模块具有主密钥。
在步骤406、获取与所述目标密码模块的工作密钥密文,所述工作密钥密文预先通过如下方式获得:以所述次密码模块预先生成的目标公钥为输入,调用所述主密码模块为业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的目标公钥加密的工作密钥密文;以所述次密码模块的目标公钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以所述目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密 钥密文;
在步骤408、以所述工作密钥密文和所述待运算数据为输入,调用所述目标密码模块,获取所述目标密码模块返回的运算结果并发送给所述业务系统,所述运算结果由所述目标密码模块利用已存储主密钥对所述工作密钥密文解密得到工作密钥后,利用解密得到的工作密钥对所述待运算数据进行加密得到。
可选的,所述注册模块存储的目标私钥以所述次密码模块的主密钥加密。
可选的,还包括:获取所述次密码模块的主密钥加密的目标私钥指示数据;
在调用所述次密码模块时,还以所述目标私钥指示数据为输入,以供所述次密码模块利用主密钥解密获取目标私钥后,解密输入的工作密钥密文。
可选的,所述次密码模块的主密钥加密的目标私钥指示数据,包括:以所述次密码模块的主密钥对所述目标私钥加密的目标私钥密文,或以所述次密码模块的主密钥加密的目标私钥标识。
可选的,所述方法还包括:
以所述目标公钥为输入调用主密码模块,获取主密码模块对所述目标公钥进行消息鉴别码值计算得到的密钥校验值;
在调用所述主密码模块为业务系统生成工作密钥时,还以所述密钥校验值为输入,以供所述主密码模块对输入的次密码模块的目标公钥进行校验。
上述密码运算方法中各个步骤的实现过程可详见上述密码服务平台中各个模块的功能和作用的实现过程,在此不再赘述。
如图5所示,图5是本说明书根据一示例性实施例示出的一种创建工作密钥的方法,包括:
在步骤502中,接收业务系统的工作密钥创建请求;
在步骤504中,以次密码模块的目标公钥为输入,调用主密码模块为所述业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的目标公钥加密的工作密钥密文;
在步骤506中,以所述次密码模块的目标公钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以所述目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密钥密文;其中,所述目标公钥和目标私钥由所述次 密码模块预先生成。
本说明书实施例中,密码服务平台所连接的密码模块中,其中一个作为主密码模块,密码服务平台的密钥管理功能中由主密码模块提供,主密码模块用于生成工作密钥,主密码模块和次密码模块都可提供密码服务平台所需要的密码运算功能。
其中,各个密码模块各自独立生成自身的主密钥,业务系统的工作密钥则由主密码模块生成,并且密码服务平台保存有主密码模块的主密钥加密的工作密钥密文,以及各个次密码模块的主密钥分别加密的工作密钥密文,因此,本实施例中主密钥由主密码模块保存,敏感安全参数明文不会超出密码模块的边界,不会损失密钥的安全性,因此满足密钥的安全性要求。
上述创建工作密钥的方法中各个步骤的实现过程可详见上述密码服务平台中各个模块的功能和作用的实现过程,在此不再赘述。
相应的,本说明书实施例还提供一种计算机设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,其中,所述处理器执行所述程序时实现如下方法:
接收业务系统发起的密码运算请求,所述密码运算请求携带有待运算数据;
确定响应所述密码运算请求的目标密码模块,所述目标密码模块为主密码模块或至少一个次密码模块中的一个,所述密码模块具有主密钥;
获取与所述目标密码模块的工作密钥密文,所述工作密钥密文预先通过如下方式获得:以所述次密码模块预先生成的目标公钥为输入,调用所述主密码模块为业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的目标公钥加密的工作密钥密文;以所述次密码模块的目标公钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以所述目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密钥密文;
以所述工作密钥密文和所述待运算数据为输入,调用所述目标密码模块,获取所述目标密码模块返回的运算结果并发送给所述业务系统,所述运算结果由所述目标密码模块利用已存储主密钥对所述工作密钥密文解密得到工作密钥后,利用解密得到的工作密钥对所述待运算数据进行加密得到。
相应的,本说明书实施例还提供一种密码服务设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,其中,所述处理器执行所述程序时实 现如下方法:
接收业务系统的工作密钥创建请求;
以次密码模块的目标公钥为输入,调用主密码模块为所述业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的目标公钥加密的工作密钥密文;
以所述次密码模块的目标公钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密钥密文;其中,所述目标公钥和目标私钥由所述次密码模块预先生成。
对于装置实施例而言,由于其基本对应于方法实施例,所以相关之处参见方法实施例的部分说明即可。以上所描述的装置实施例仅仅是示意性的,其中所述作为分离部件说明的模块可以是或者也可以不是物理上分开的,作为模块显示的部件可以是或者也可以不是物理模块,即可以位于一个地方,或者也可以分布到多个网络模块上。可以根据实际的需要选择其中的部分或者全部模块来实现本说明书方案的目的。本领域普通技术人员在不付出创造性劳动的情况下,即可以理解并实施。
上述对本说明书特定实施例进行了描述。其它实施例在所附权利要求书的范围内。在一些情况下,在权利要求书中记载的动作或步骤可以按照不同于实施例中的顺序来执行并且仍然可以实现期望的结果。另外,在附图中描绘的过程不一定要求示出的特定顺序或者连续顺序才能实现期望的结果。在某些实施方式中,多任务处理和并行处理也是可以的或者可能是有利的。
本领域技术人员在考虑说明书及实践这里申请的发明后,将容易想到本说明书的其它实施方案。本说明书旨在涵盖本说明书的任何变型、用途或者适应性变化,这些变型、用途或者适应性变化遵循本说明书的一般性原理并包括本说明书未申请的本技术领域中的公知常识或惯用技术手段。说明书和实施例仅被视为示例性的,本说明书的真正范围和精神由下面的权利要求指出。
应当理解的是,本说明书并不局限于上面已经描述并在附图中示出的精确结构,并且可以在不脱离其范围进行各种修改和改变。本说明书的范围仅由所附的权利要求来限制。
以上所述仅为本说明书的较佳实施例而已,并不用以限制本说明书,凡在本说明书的精神和原则之内,所做的任何修改、等同替换、改进等,均应包含在本说明书保 护的范围之内。

Claims (13)

  1. 一种密码服务平台,所述密码服务平台连接有主密码模块和至少一个次密码模块,各密码模块具有主密钥;所述密码服务平台包括:
    注册模块,用于:调用所述次密码模块生成包括目标公钥和目标私钥的非对称密钥对,获取所述次密码模块返回的目标公钥后存储;
    工作密钥创建模块,用于:接收业务系统的工作密钥创建请求,以所述次密码模块的目标公钥为输入,调用所述主密码模块为所述业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的目标公钥加密的工作密钥密文;以所述次密码模块的目标公钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以所述目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密钥密文;
    密码运算调用模块,用于:接收业务系统的密码运算请求,所述密码运算请求携带有待运算数据;确定响应所述密码运算请求的目标密码模块;以所述目标密码模块对应的工作密钥密文和所述待运算数据作为输入,调用所述目标密码模块,获得所述目标密码模块的运算结果,所述运算结果由所述目标密码模块利用已存储主密钥对所述工作密钥密文解密得到工作密钥后,利用解密得到的工作密钥对所述待运算数据进行加密得到。
  2. 根据权利要求1所述的密码服务平台,所述注册模块存储的目标私钥以所述次密码模块的主密钥加密。
  3. 根据权利要求1所述的密码服务平台,所述注册模块还用于:获取所述次密码模块的主密钥加密的目标私钥指示数据;
    所述工作密钥创建模块在调用所述次密码模块时,还以所述目标私钥指示数据为输入,以供所述次密码模块利用主密钥解密获取目标私钥后,解密输入的工作密钥密文。
  4. 根据权利要求3所述的密码服务平台,所述次密码模块的主密钥加密的目标私钥指示数据,包括:以所述次密码模块的主密钥对所述目标私钥加密的目标私钥密文,或以所述次密码模块的主密钥加密的目标私钥标识。
  5. 根据权利要求1所述的密码服务平台,所述注册模块还用于:
    以所述目标公钥为输入调用所述主密码模块,由所述主密码模块对所述目标公钥进行认证,获取主密码模块对所述目标公钥进行消息鉴别码值计算得到的密钥校验值;
    所述密钥校验值由所述工作密钥创建模块在调用所述主密码模块时作为输入,以供所述主密码模块对输入的次密码模块的目标公钥进行校验。
  6. 一种密码运算方法,包括:
    接收业务系统发起的密码运算请求,所述密码运算请求携带有待运算数据;
    确定响应所述密码运算请求的目标密码模块,所述目标密码模块为主密码模块或至少一个次密码模块中的一个,所述密码模块具有主密钥;
    获取与所述目标密码模块的工作密钥密文,所述工作密钥密文预先通过如下方式获得:以所述次密码模块预先生成的目标公钥为输入,调用所述主密码模块为业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的目标公钥加密的工作密钥密文;以所述次密码模块的目标公钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以所述目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密钥密文;
    以所述工作密钥密文和所述待运算数据为输入,调用所述目标密码模块,获取所述目标密码模块返回的运算结果并发送给所述业务系统,所述运算结果由所述目标密码模块利用已存储主密钥对所述工作密钥密文解密得到工作密钥后,利用解密得到的工作密钥对所述待运算数据进行加密得到。
  7. 根据权利要求6所述的方法,所述注册模块存储的目标私钥以所述次密码模块的主密钥加密。
  8. 根据权利要求6所述的方法,还包括:获取所述次密码模块的主密钥加密的目标私钥指示数据;
    在调用所述次密码模块时,还以所述目标私钥指示数据为输入,以供所述次密码模块利用主密钥解密获取目标私钥后,解密输入的工作密钥密文。
  9. 根据权利要求8所述的方法,所述次密码模块的主密钥加密的目标私钥指示数据,包括:以所述次密码模块的主密钥对所述目标私钥加密的目标私钥密文,或以所述次密码模块的主密钥加密的目标私钥标识。
  10. 根据权利要求7所述的方法,所述方法还包括:
    以所述目标公钥为输入调用主密码模块,获取主密码模块对所述目标公钥进行消息鉴别码值计算得到的密钥校验值;
    在调用所述主密码模块为业务系统生成工作密钥时,还以所述密钥校验值为输入,以供所述主密码模块对输入的次密码模块的目标公钥进行校验。
  11. 一种密码服务设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,其中,所述处理器执行所述程序时实现如下方法:
    接收业务系统发起的密码运算请求,所述密码运算请求携带有待运算数据;
    确定响应所述密码运算请求的目标密码模块,所述目标密码模块为主密码模块或至 少一个次密码模块中的一个,所述密码模块具有主密钥;
    获取与所述目标密码模块的工作密钥密文,所述工作密钥密文预先通过如下方式获得:以所述次密码模块预先生成的目标公钥为输入,调用所述主密码模块为业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的目标公钥加密的工作密钥密文;以所述次密码模块的目标公钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以所述目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密钥密文;
    以所述工作密钥密文和所述待运算数据为输入,调用所述目标密码模块,获取所述目标密码模块返回的运算结果并发送给所述业务系统,所述运算结果由所述目标密码模块利用已存储主密钥对所述工作密钥密文解密得到工作密钥后,利用解密得到的工作密钥对所述待运算数据进行加密得到。
  12. 一种创建工作密钥的方法,包括:
    接收业务系统的工作密钥创建请求;
    以次密码模块的目标公钥为输入,调用主密码模块为所述业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的目标公钥加密的工作密钥密文;
    以所述次密码模块的目标公钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密钥密文;其中,所述目标公钥和目标私钥由所述次密码模块预先生成。
  13. 一种密码服务设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,其中,所述处理器执行所述程序时实现如下方法:
    接收业务系统的工作密钥创建请求;
    以次密码模块的目标公钥为输入,调用主密码模块为所述业务系统生成工作密钥,获取所述主密码模块返回的:所述主密码模块的主密钥加密的工作密钥密文,以及所述次密码模块的目标公钥加密的工作密钥密文;
    以所述次密码模块的目标公钥加密的工作密钥密文为输入,调用所述次密码模块,获取所述次密码模块返回的:以所述目标私钥解密输入的工作密钥密文后,以自身主密钥加密的工作密钥密文;其中,所述目标公钥和目标私钥由所述次密码模块预先生成。
PCT/CN2019/096309 2018-08-31 2019-07-17 密码运算、创建工作密钥的方法、密码服务平台及设备 WO2020042798A1 (zh)

Priority Applications (3)

Application Number Priority Date Filing Date Title
SG11202010745XA SG11202010745XA (en) 2018-08-31 2019-07-17 Cryptographic operation method, method for creating working key, cryptographic service platform, and cryptographic service device
EP19854452.0A EP3780484B1 (en) 2018-08-31 2019-07-17 Cryptographic operation and working key creation method and cryptographic service platform and device
US17/085,161 US11025415B2 (en) 2018-08-31 2020-10-30 Cryptographic operation method, method for creating working key, cryptographic service platform, and cryptographic service device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811010286.6 2018-08-31
CN201811010286.6A CN109347625B (zh) 2018-08-31 2018-08-31 密码运算、创建工作密钥的方法、密码服务平台及设备

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/085,161 Continuation US11025415B2 (en) 2018-08-31 2020-10-30 Cryptographic operation method, method for creating working key, cryptographic service platform, and cryptographic service device

Publications (1)

Publication Number Publication Date
WO2020042798A1 true WO2020042798A1 (zh) 2020-03-05

Family

ID=65292127

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/096309 WO2020042798A1 (zh) 2018-08-31 2019-07-17 密码运算、创建工作密钥的方法、密码服务平台及设备

Country Status (6)

Country Link
US (1) US11025415B2 (zh)
EP (1) EP3780484B1 (zh)
CN (1) CN109347625B (zh)
SG (1) SG11202010745XA (zh)
TW (1) TWI706658B (zh)
WO (1) WO2020042798A1 (zh)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112788005A (zh) * 2020-12-29 2021-05-11 福建正孚软件有限公司 一种软硬件结合的提高安全性的跨境传输方法和系统

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109347625B (zh) * 2018-08-31 2020-04-24 阿里巴巴集团控股有限公司 密码运算、创建工作密钥的方法、密码服务平台及设备
CN110166234A (zh) * 2019-05-21 2019-08-23 阿里巴巴集团控股有限公司 一种业务密钥创建与业务数据加密方法、装置及系统
CN111541723B (zh) * 2020-07-07 2020-10-13 飞天诚信科技股份有限公司 一种处理密钥数据的方法和终端
CN111935181B (zh) * 2020-09-25 2021-01-26 北京天御云安科技有限公司 一种全密态条件下密钥切换的业务无中断实现方法
CN114629642A (zh) * 2022-03-17 2022-06-14 浙江大华技术股份有限公司 目标数据的发送方法、装置、存储介质及电子装置
CN115801453B (zh) * 2023-01-30 2023-05-02 北京大数元科技发展有限公司 一种敏感数据互联网安全查询的系统
CN116232593B (zh) * 2023-05-05 2023-08-25 杭州海康威视数字技术股份有限公司 多密码模组敏感数据分类分级与保护方法、设备及系统

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101656007A (zh) * 2009-08-14 2010-02-24 通联支付网络服务股份有限公司 一种在pos机上实现一机多密的安全系统及方法
CN103825698A (zh) * 2014-01-20 2014-05-28 中国建设银行股份有限公司 一种密码安全管理系统和方法
US20140270179A1 (en) * 2011-07-21 2014-09-18 Huawei Technologies Co., Ltd. Method and system for key generation, backup, and migration based on trusted computing
CN107070642A (zh) * 2016-12-26 2017-08-18 贵州银行股份有限公司 多品牌密码机异构资源池复用技术
CN109067528A (zh) * 2018-08-31 2018-12-21 阿里巴巴集团控股有限公司 密码运算、创建工作密钥的方法、密码服务平台及设备
CN109347625A (zh) * 2018-08-31 2019-02-15 阿里巴巴集团控股有限公司 密码运算、创建工作密钥的方法、密码服务平台及设备

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7711122B2 (en) * 2001-03-09 2010-05-04 Arcot Systems, Inc. Method and apparatus for cryptographic key storage wherein key servers are authenticated by possession and secure distribution of stored keys
CA2568990C (en) * 2004-05-28 2011-09-27 International Business Machines Corporation Smart card data transaction system and methods for providing storage and transmission security
JP5018558B2 (ja) * 2008-02-29 2012-09-05 富士通株式会社 記憶領域割当方法および情報処理装置
US20090296926A1 (en) * 2008-06-02 2009-12-03 Sun Microsystems, Inc. Key management using derived keys
GB2471282B (en) * 2009-06-22 2015-02-18 Barclays Bank Plc Method and system for provision of cryptographic services
US9350536B2 (en) * 2012-08-16 2016-05-24 Digicert, Inc. Cloud key management system
CN102957541B (zh) * 2012-11-21 2016-11-16 浪潮集团有限公司 一种基于saas的密码加密方法
CN103237005A (zh) * 2013-03-15 2013-08-07 福建联迪商用设备有限公司 密钥管理方法及系统
CN103714637B (zh) * 2013-03-15 2016-03-16 福建联迪商用设备有限公司 一种传输密钥发送方法及系统、操作终端
GB201519612D0 (en) * 2015-11-06 2015-12-23 Nagravision Sa Key sequence generation for cryptographic operations
US9379890B1 (en) * 2015-12-07 2016-06-28 Workiva Inc. System and method for managing cryptographic keys
CN106059760B (zh) * 2016-07-12 2019-03-19 武汉理工大学 一种从用户端密码模块调用系统私钥的密码系统
CN106452771B (zh) * 2016-10-10 2018-09-18 山东渔翁信息技术股份有限公司 Jce调用密码卡实现内置rsa密钥运算的方法及装置
US10230525B2 (en) * 2016-12-23 2019-03-12 Amazon Technologies, Inc. Public key rollup for merkle tree signature scheme
CN108123800B (zh) * 2017-12-19 2021-06-15 腾讯科技(深圳)有限公司 密钥管理方法、装置、计算机设备及存储介质
CN108365950A (zh) * 2018-01-03 2018-08-03 深圳怡化电脑股份有限公司 金融自助设备密钥的生成方法及装置

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101656007A (zh) * 2009-08-14 2010-02-24 通联支付网络服务股份有限公司 一种在pos机上实现一机多密的安全系统及方法
US20140270179A1 (en) * 2011-07-21 2014-09-18 Huawei Technologies Co., Ltd. Method and system for key generation, backup, and migration based on trusted computing
CN103825698A (zh) * 2014-01-20 2014-05-28 中国建设银行股份有限公司 一种密码安全管理系统和方法
CN107070642A (zh) * 2016-12-26 2017-08-18 贵州银行股份有限公司 多品牌密码机异构资源池复用技术
CN109067528A (zh) * 2018-08-31 2018-12-21 阿里巴巴集团控股有限公司 密码运算、创建工作密钥的方法、密码服务平台及设备
CN109347625A (zh) * 2018-08-31 2019-02-15 阿里巴巴集团控股有限公司 密码运算、创建工作密钥的方法、密码服务平台及设备

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3780484A4 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112788005A (zh) * 2020-12-29 2021-05-11 福建正孚软件有限公司 一种软硬件结合的提高安全性的跨境传输方法和系统

Also Published As

Publication number Publication date
CN109347625B (zh) 2020-04-24
EP3780484B1 (en) 2023-06-07
CN109347625A (zh) 2019-02-15
SG11202010745XA (en) 2020-11-27
TW202011712A (zh) 2020-03-16
EP3780484C0 (en) 2023-06-07
US11025415B2 (en) 2021-06-01
US20210067326A1 (en) 2021-03-04
EP3780484A4 (en) 2021-09-29
TWI706658B (zh) 2020-10-01
EP3780484A1 (en) 2021-02-17

Similar Documents

Publication Publication Date Title
WO2020042822A1 (zh) 密码运算、创建工作密钥的方法、密码服务平台及设备
WO2020042798A1 (zh) 密码运算、创建工作密钥的方法、密码服务平台及设备
WO2021184975A1 (zh) 链上数据的链下隐私计算方法及装置
CN110580414B (zh) 基于区块链账户的隐私数据查询方法及装置
CN113221169B (zh) 区块链隐私数据的查询方法及装置
CN110580418B (zh) 基于区块链账户的隐私数据查询方法及装置
JP6151402B2 (ja) データセンタへのプラットフォームの内包検証
WO2021184970A1 (zh) 调用合约的方法及装置
US9846778B1 (en) Encrypted boot volume access in resource-on-demand environments
US20200220713A1 (en) Secure communication with a trusted execution environment
WO2021129003A1 (zh) 一种密码管理方法及相关装置
US10516655B1 (en) Encrypted boot volume access in resource-on-demand environments
CN111859379A (zh) 保护数据模型的处理方法和装置
TWM585941U (zh) 帳戶資料處理系統
CN114329574B (zh) 基于域管平台的加密分区访问控制方法、系统及计算设备
US20240048361A1 (en) Key Management for Cryptography-as-a-service and Data Governance Systems
US20240048380A1 (en) Cryptography-as-a-Service
CN117335963A (zh) 密码资源池的密钥管理方法、系统及电子设备

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19854452

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2019854452

Country of ref document: EP

Effective date: 20201030

NENP Non-entry into the national phase

Ref country code: DE