WO2020181842A1 - Method, apparatus, computer device and storage medium for quickly switching deployment keys - Google Patents

Method, apparatus, computer device and storage medium for quickly switching deployment keys

Info

Publication number
WO2020181842A1
Authority
WO
WIPO (PCT)
Prior art keywords
private key
node
cryptographic
length
cryptographic module
Application number
PCT/CN2019/123026
Other languages
English (en)
French (fr)
Inventor
张小利
Original Assignee
深圳壹账通智能科技有限公司
Application filed by 深圳壹账通智能科技有限公司
Publication of WO2020181842A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)

Definitions

  • the present disclosure relates to the technical field of key management, in particular to methods, devices, computer equipment, and storage media for quickly switching and deploying keys.
  • the security of the private key affects the security of the entire encryption system.
  • In the traditional method the private key is stored in an encryption card; the traditional encryption machine or encryption card has to be purchased externally and has to be inserted into the device or connected as an external device.
  • The system administrator is responsible for unified maintenance. As a result, the encryption machine depends heavily on hardware equipment, which is inconvenient for fast switching and deployment.
  • Some private keys are even stored locally in plaintext, which poses a great potential danger to system security.
  • the present disclosure provides a method, device, computer equipment and storage medium for quickly switching and deploying keys.
  • a method for quickly switching deployment keys is provided, which is applied to a blockchain network composed of at least two nodes, including:
  • the private key is synchronously deployed along with the cryptographic module to other nodes in the blockchain network except for the first node, where the private key can only be accessed by entering the cryptographic module through a specific interface.
  • a device for quickly switching deployment keys including:
  • a creation unit configured to create a cryptographic module in a node of the blockchain network, and the node where the cryptographic module is created is the first node;
  • a sealing unit for sealing the private key of the first node in the cryptographic module;
  • a synchronization unit for synchronously deploying the private key along with the cryptographic module to other nodes in the blockchain network except the first node, wherein the private key can only be accessed by entering the cryptographic module through a specific interface.
  • a computer device including a memory and a processor, where the memory stores computer-readable instructions, and when the computer-readable instructions are executed by the processor, the processor executes the steps of the foregoing method for quickly switching deployment keys.
  • a storage medium storing computer-readable instructions.
  • When the computer-readable instructions are executed by one or more processors, the one or more processors execute the steps of the aforementioned method for quickly switching deployment keys.
  • the storage medium may be a nonvolatile storage medium, or referred to as a nonvolatile computer readable storage medium.
  • the technical solutions provided by the embodiments of the present disclosure ensure that the private key will not be disclosed during the transmission process, ensure the security of the private key, and realize rapid switching deployment.
  • Fig. 1 is an implementation environment diagram of a method for quickly switching deployment keys provided in an embodiment.
  • Fig. 2 is a flow chart showing a method for quickly switching deployment keys according to an exemplary embodiment.
  • Fig. 3 is a specific implementation flow chart of step S200 in the method for quickly switching deployment keys according to the embodiment corresponding to Fig. 2.
  • FIG. 4 is a specific implementation flow chart of step S230 in the method for quickly switching deployment keys according to the embodiment corresponding to FIG. 3.
  • Fig. 5 is a specific implementation flow chart of step S210 in the method for quickly switching deployment keys according to the embodiment corresponding to Fig. 3.
  • Fig. 6 is a specific implementation flow chart of step S100 in the method for quickly switching deployment keys according to the embodiment corresponding to Fig. 2.
  • Fig. 7 is a specific implementation flow chart of step S100 in the method for quickly switching deployment keys shown according to the embodiment corresponding to Fig. 2.
  • Fig. 8 is a block diagram showing a device for quickly switching deployment keys according to an exemplary embodiment.
  • Fig. 9 schematically shows a block diagram of an example of an electronic device for implementing the above-mentioned method for rapidly switching deployment keys.
  • Fig. 10 schematically shows a computer-readable storage medium for implementing the above-mentioned method for rapidly switching deployment keys.
  • FIG. 1 is an implementation environment diagram of a method for quickly switching deployment keys provided in an embodiment. As shown in FIG. 1, the implementation environment includes multiple nodes 100 and private keys 200 that make up a blockchain network.
  • A cryptographic module can be established to cut off contact with the outside.
  • One of the nodes 100 of the blockchain network sets aside a storage area on itself and establishes a cryptographic module 101.
  • The cryptographic module 101 has a clear boundary that isolates the internal environment of the cryptographic module 101 from the external environment, and only some interfaces are reserved to connect with the outside world.
  • The private key 200 is sealed into the cryptographic module 101 and then synchronized along with the cryptographic module 101 to the blockchain network, so that each node 100 in the blockchain network is deployed with the private key 200, which realizes the rapid deployment of the private key 200. To obtain the private key 200, however, the cryptographic module 101 must be cracked, so the security of the private key 200 is guaranteed.
  • the blockchain network node 100 may be a smart phone, a tablet computer, a notebook computer, a desktop computer, etc., but is not limited to this.
  • The blockchain network nodes 100 can be connected in pairs by Bluetooth, USB (Universal Serial Bus) or other communication connection methods, and the present disclosure is not limited here.
  • a method for quickly switching deployment keys is proposed.
  • The method for quickly switching deployment keys can be applied to the above implementation environment, in a blockchain network composed of at least two nodes.
  • the following steps can be specifically included:
  • Step S100: create a cryptographic module in a node of the blockchain network; the node where the cryptographic module is created is the first node;
  • The main purpose of the present disclosure is to provide an encryption method that can quickly switch deployment.
  • The specific method is to set aside a storage area in a node of the blockchain network to store the private key. Since the private key cannot be disclosed, the present disclosure creates a new cryptographic module in the storage area and seals the private key in the cryptographic module to isolate the private key from the outside world.
  • the cryptographic module has a strict cryptographic boundary to block external and internal connections. If you want to read the private key inside the cryptographic module, you can only read it through a specific interface, which ensures the security of the private key.
  • the cryptographic boundary of the cryptographic module may be a boundary line of software components executed in a modifiable operating environment.
  • the specific interface includes a data input interface, a data output interface, a control input interface, and a status output interface.
  • Step S200: seal the private key of the first node in the cryptographic module;
  • The private key can be input into the cryptographic module through the specific interface to complete the sealing of the cryptographic module.
  • Step S300: deploy the private key along with the cryptographic module to other nodes in the blockchain network except the first node, wherein the private key can only be accessed by entering the cryptographic module through a specific interface.
  • Once the private key is sealed in the cryptographic module, it is synchronized along with the cryptographic module to all nodes of the blockchain. All blockchain nodes then have the cryptographic module and the private key sealed in it, and any device that joins the blockchain can obtain the cryptographic module and the private key sealed in it. The private key is thus deployed along with the cryptographic module to all nodes of the blockchain network, so that after the first node is damaged a node among the other nodes in the blockchain network can be selected to continue, which realizes the rapid switching deployment of the private key. In addition, the private key is still sealed in the cryptographic module and still has to be read through a specific interface, which also guarantees the privacy and security of the private key.
  • The present disclosure uses a blockchain network and a cryptographic module: the private key deployed in the first node of the blockchain network is sealed into the cryptographic module, and the cryptographic module is then deployed to all nodes of the blockchain network. After the first node is damaged, one node among the other nodes in the blockchain network is selected to continue, and the rapid switching deployment of the private key is realized. At the same time, since the private key is sealed in the cryptographic module throughout the blockchain network, its privacy and security are also guaranteed. Moreover, due to the non-tamperability of the blockchain, it is also ensured that the private key and the cryptographic module will not be altered into other data.
  • FIG. 3 is a detailed description of step S200 in the method for quickly switching deployment keys according to the embodiment corresponding to FIG. 2.
  • Step S200 may include the following steps:
  • Step S210: split the private key into a number of parts corresponding to the number of the cryptographic modules;
  • When cryptographic modules are created in a blockchain node, multiple cryptographic modules can be created, and the private key is then split, according to the number of the cryptographic modules, into a corresponding number of parts that are stored separately. This makes the private key stored in the cryptographic modules more difficult to crack, which can effectively improve the security of the private key.
  • The splitting method may be random splitting or splitting according to a predetermined rule.
  • Step S220: store different parts of the private key in different cryptographic modules, with each cryptographic module storing only one part of the private key;
  • Each part of the private key can be stored separately in a cryptographic module.
  • The storage method may be random allocation or storage according to a predetermined rule, as long as it is ensured that each part of the private key has an independent cryptographic module for storage, and the present disclosure does not limit it here. In this way, cracking the private key requires cracking all the cryptographic modules that store the parts of the private key, which increases the difficulty of cracking and improves the security of the private key.
  • Step S230: generate the storage sequence of the private key, dynamically encrypt the storage sequence and store it in the first node.
  • The storage sequence is the only credential for re-splicing the parts together to form a complete private key.
  • The storage sequence needs to be dynamically encrypted to ensure the security of the private key.
  • When cryptographic modules are created in a blockchain node, multiple cryptographic modules are created; the private key is then split, according to the number of the cryptographic modules, into a corresponding number of parts, each cryptographic module stores one part of the private key, and a storage sequence is generated. Finally, the storage sequence is dynamically encrypted and stored. Obtaining the complete private key requires reading data from all cryptographic modules, getting all the parts of the private key and splicing these parts together in order, which increases the security of private key storage.
  • FIG. 4 is a detailed description of step S230 in the method for quickly switching deployment keys according to the embodiment corresponding to FIG. 3.
  • The storage sequence is a character string.
  • Step S230 may include the following steps:
  • Step S231: obtain and store the storage sequence string to be encrypted;
  • The storage sequence data can be regarded as a character string stored in the local device.
  • Step S232: perform a specified digest operation on the specified feature information of the storage sequence;
  • A digest operation can be performed on the specified feature of the storage sequence; the specified feature information may be the length of the storage sequence string, etc.
  • The digest operation is, for example, a hash operation, or randomly generating a number divided by the length of the storage sequence string and taking the remainder; this scheme does not limit it. Take as an example the case where the specified feature information is the length of the storage sequence string and the digest operation is to randomly generate a number divided by the length of the storage sequence string and take the remainder: assuming that the length of the storage sequence string is a and the randomly generated number is b, the remainder of a divided by b can be obtained, and the remainder is the result of the specified digest operation.
  • Step S233: determine the start character for encrypting the storage sequence according to the result of the specified digest operation;
  • A value is obtained after the digest operation.
  • The value can be used as the digit position of the encryption start character, or the first or last digits of the value can be used as the digit position of the encryption start character.
  • The storage sequence string can be encrypted.
  • The encryption method can be to start from the start character, extract a character every predetermined number of digits, and continue extracting up to a predetermined length to form an encryption key.
  • The predetermined number of digits can be 1 digit, 2 digits, a prime number of digits, etc.
  • The predetermined length can be the length of the storage sequence string, or 20 digits or 304 digits; the predetermined number of digits and the predetermined length can be set according to the specific situation, and this scheme does not limit them.
  • Step S235: use the encryption key to encrypt the storage sequence character string according to a predetermined encryption algorithm;
  • After the encryption key is obtained, the stored data string is encrypted with the encryption key according to a predetermined algorithm, where the predetermined algorithm is an algorithm for generating the encryption key.
  • Step S236: send the encrypted storage sequence character string.
  • The encrypted stored data string can be sent to other nodes of the blockchain network.
  • The specific method for dynamically encrypting the storage sequence may be to first obtain the storage sequence to be encrypted and then perform a digest operation on the specified feature information of the storage sequence; the specified feature information may be the length of the storage sequence string, etc.
  • The digest operation is, for example, a hash operation, or randomly generating a number divided by the length of the storage sequence string and taking the remainder, which is not limited in this solution.
  • A numerical value is obtained.
  • The numerical value is used as the digit position of the encryption start character, and the storage sequence string is encrypted.
  • The encryption method can be to start from the start character and extract every other digit up to the predetermined length to form an encryption key.
  • The predetermined length can be set according to specific conditions; this solution does not limit it.
  • The stored data string is encrypted according to a predetermined algorithm. After the encryption is completed, the encrypted stored data string is sent to other nodes of the blockchain network.
  • FIG. 5 is a detailed description of step S210 in the method for quickly switching deployment keys according to the embodiment corresponding to FIG. 3.
  • step S210 may include the following steps:
  • Step S211: read the length of the private key;
  • The length of the private key needs to be measured first.
  • Step S212: divide the private key into parts of equal length, the number of parts corresponding to the number of cryptographic modules.
  • The private key may be split at random into a number of parts equal to the number of the cryptographic modules, with the length distributed equally among the parts, that is, the length of each part is equal. Since the length of each part of the private key is equal, the length of the private key part stored in each cryptographic module is the same during storage, which increases the difficulty of splicing the contents of the cryptographic modules back together.
  • step S210 may further include the following steps:
  • the private key is split into a number of parts corresponding to the number of the cryptographic modules, and the length of each part does not exceed a predetermined threshold of the storage length of the cryptographic module.
  • The private key may also be split, according to the number of the cryptographic modules, into a number of parts equal to the number of the cryptographic modules, with the length of each part not exceeding the predetermined threshold of the storage length of the cryptographic module. This ensures that some important data in some private keys will not be split into two parts.
  • the predetermined threshold is, for example, 32-bit, 64-bit, 128-bit, etc., which is not limited in the present disclosure.
  • FIG. 6 is a detailed description of step S100 in the method for quickly switching deployment keys according to the embodiment corresponding to FIG. 2.
  • Each node of the blockchain network also contains the correspondence between the length of the private key and the number of cryptographic modules.
  • Step S100 may also include the following steps:
  • Step S110: read the length of the private key;
  • The specific method for creating a cryptographic module in a node of the blockchain may be to query, according to the length of the private key, the correspondence between the length of the private key and the number of cryptographic modules stored in the blockchain, and so determine the number of cryptographic modules to be created.
  • Step S120: query the correspondence between the length of the private key and the number of cryptographic modules, and determine the number of cryptographic modules to be created;
  • The correspondence between the length of the private key and the number of cryptographic modules can be set according to the specific situation. For example, create one cryptographic module when the key length is less than 32 bits, 2 cryptographic modules for 32 to 64 bits, 4 cryptographic modules for 96 to 128 bits, and so on; the present disclosure does not limit this.
  • Step S130: create a number of cryptographic modules corresponding to the length of the private key.
  • The number of cryptographic modules and the difficulty of re-splicing can be flexibly set according to the length of the private key.
  • The longer the private key, the more difficult it is to crack; a longer key also indicates a more important private key, which is split into more parts.
  • FIG. 7 is a detailed description of step S100 in the method for quickly switching deployment keys according to the embodiment corresponding to FIG. 2.
  • Each node of the blockchain network also contains a predetermined threshold for the storage length of the cryptographic module.
  • Step S100 may also include the following steps:
  • Step S101: determine whether the length of the private key exceeds a predetermined threshold of the storage length of the cryptographic module;
  • The specific method for creating a cryptographic module in a node of the blockchain may also be to determine, according to a predetermined threshold of the storage length of the cryptographic module stored in the blockchain, how many parts the private key is split into, with the length of each part not exceeding the predetermined threshold of the storage length of the cryptographic module, and then to create a number of cryptographic modules corresponding to the number of private key parts.
  • The predetermined threshold is, for example, 32-bit, 64-bit, 128-bit, etc., which is not limited in the present disclosure.
  • Step S102: if the length of the private key exceeds the predetermined threshold of the storage length of the cryptographic module, split the private key into at least two parts, with the length of each part not exceeding the predetermined threshold of the storage length of the cryptographic module;
  • The number of cryptographic modules and the difficulty of re-splicing can be flexibly set according to the length of the private key, making the security of the private key more targeted.
  • Step S103: create a number of cryptographic modules corresponding to the number of private key parts.
  • The number of cryptographic modules and the difficulty of re-splicing can be flexibly set according to the length of the private key.
  • The longer the private key, the more difficult it is to crack, which also indicates that the private key is more important.
  • this method no longer saves the correspondence between the length of a private key and the number of cryptographic modules in the blockchain, but a predetermined threshold, which saves storage space.
  • A device for quickly switching deployment keys may be integrated into the above-mentioned computer equipment 100, and may specifically include a creation unit 110, a sealing unit 120 and a synchronization unit 130.
  • The creation unit 110 is used to create a cryptographic module in a node of the blockchain;
  • the sealing unit 120 is configured to store the private key of the node in the cryptographic module;
  • the synchronization unit 130 is configured to synchronize the private key along with the cryptographic module to other blockchain nodes, and the private key can only be accessed by entering the cryptographic module through a specific interface.
  • Although modules or units of the device for action execution are mentioned in the above detailed description, this division is not mandatory.
  • the features and functions of two or more modules or units described above may be embodied in one module or unit.
  • the features and functions of a module or unit described above can be further divided into multiple modules or units to be embodied.
  • The exemplary embodiments described herein can be implemented by software, or by combining software with the necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (a CD-ROM, U disk, mobile hard disk, etc.) or on the network, and which includes several instructions that make a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) execute the method according to the embodiments of the present disclosure.
  • an electronic device capable of implementing the above method is also provided.
  • the electronic device 500 according to this embodiment of the present disclosure will be described below with reference to FIG. 9.
  • the electronic device 500 shown in FIG. 9 is only an example, and should not bring any limitation to the function and scope of use of the embodiments of the present disclosure.
  • the electronic device 500 is represented in the form of a general-purpose computing device.
  • the components of the electronic device 500 may include, but are not limited to: the aforementioned at least one processing unit 510, the aforementioned at least one storage unit 520, and a bus 530 connecting different system components (including the storage unit 520 and the processing unit 510).
  • The storage unit stores program code, and the program code can be executed by the processing unit 510, so that the processing unit 510 executes the steps of the various exemplary implementations described in the "Exemplary Method" section of this specification.
  • For example, the processing unit 510 may perform, as shown in FIG. 2, step S100: create a cryptographic module in a node of the blockchain; step S200: seal the private key of the node in the cryptographic module; step S300: synchronize the private key along with the cryptographic module to other blockchain nodes, where the private key can only be accessed by entering the cryptographic module through a specific interface.
  • the storage unit 520 may include a readable medium in the form of a volatile storage unit, such as a random access storage unit (RAM) 5201 and/or a cache storage unit 5202, and may further include a read-only storage unit (ROM) 5203.
  • the storage unit 520 may also include a program/utility tool 5204 having a set of (at least one) program module 5205.
  • Such a program module 5205 includes but is not limited to: an operating system, one or more application programs, other program modules, and program data; each of these examples or some combination of them may include the implementation of a network environment.
  • The bus 530 may represent one or more of several types of bus structures, including a storage unit bus or a storage unit controller, a peripheral bus, a graphics acceleration port, a processing unit, or a local bus using any of multiple bus structures.
  • The electronic device 500 may also communicate with one or more external devices 700 (such as keyboards, pointing devices, Bluetooth devices, etc.), with one or more devices that enable a user to interact with the electronic device 500, and/or with any device (such as a router, modem, etc.) that enables the electronic device 500 to communicate with one or more other computing devices. This communication can be performed through an input/output (I/O) interface 550.
  • the electronic device 500 may also communicate with one or more networks (for example, a local area network (LAN), a wide area network (WAN), and/or a public network, such as the Internet) through the network adapter 560.
  • the network adapter 560 communicates with other modules of the electronic device 500 through the bus 530.
  • Other hardware and/or software modules can be used in conjunction with the electronic device 500, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
  • The exemplary embodiments described herein can be implemented by software, or by combining software with the necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (a CD-ROM, U disk, mobile hard disk, etc.) or on the network, and which includes several instructions that make a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) execute the method according to the embodiments of the present disclosure.
  • a computer-readable storage medium on which is stored a program product capable of implementing the above method in this specification.
  • various aspects of the present disclosure may also be implemented in the form of a program product, which includes program code.
  • When the program product runs on a terminal device, the program code is used to make the terminal device execute the steps according to various exemplary embodiments of the present disclosure described in the above "Exemplary Method" section of this specification.
  • A program product 600 for implementing the above method according to an embodiment of the present disclosure is described. It can adopt a portable compact disk read-only memory (CD-ROM), include program code, and run on a terminal device, for example a personal computer.
  • the program product of the present disclosure is not limited thereto.
  • The readable storage medium can be any tangible medium that contains or stores a program, and the program can be used by or in combination with an instruction execution system, apparatus, or device.
  • the program product can use any combination of one or more readable media.
  • the readable medium may be a readable signal medium or a readable storage medium.
  • the readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the above. More specific examples (non-exhaustive list) of readable storage media include: electrical connections with one or more wires, portable disks, hard disks, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM or flash memory), optical fiber, portable compact disk read only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination of the above.
  • the computer-readable signal medium may include a data signal propagated in baseband or as a part of a carrier wave, and readable program code is carried therein. This propagated data signal can take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the foregoing.
  • the readable signal medium may also be any readable medium other than a readable storage medium, and the readable medium may send, propagate, or transmit a program for use by or in combination with the instruction execution system, apparatus, or device.
  • the program code contained on the readable medium can be transmitted by any suitable medium, including but not limited to wireless, wired, optical cable, RF, etc., or any suitable combination of the foregoing.
  • the program code used to perform the operations of the present disclosure can be written in any combination of one or more programming languages.
  • the programming languages include object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages.
  • the program code can be executed entirely on the user's computing device, partly on the user's device, as an independent software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
  • the remote computing device can be connected to the user computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or can be connected to an external computing device (for example, through the Internet using an Internet service provider).
  • a storage area is opened in a node of the blockchain network to store the private key.
  • the cryptographic module has a strict boundary to block the connection between the outside and the inside. If you want to read the private key inside the cryptographic module, you can only read it through a specific interface, ensuring the security of the private key.
  • once the private key is sealed in the cryptographic module, it is synchronized along with the cryptographic module to all nodes of the blockchain. All blockchains then have this environment, and any device that is added to the blockchain can obtain it. In this way, rapid switching and deployment is realized.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

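The present disclosure discloses a method, apparatus, computer device and storage medium for rapidly switching and deploying keys, belonging to the technical field of key management and applied to a blockchain network composed of at least two nodes. The method for rapidly switching and deploying keys includes: creating a cryptographic module in one node of the blockchain network, the node in which the cryptographic module is created being the first node; sealing the private key of the first node in the cryptographic module; and synchronously deploying the private key, along with the cryptographic module, to the nodes of the blockchain network other than the first node, wherein the private key can only be accessed by entering the cryptographic module through a specific interface. In this way, rapid switching and deployment of the private key is achieved while keeping the private key secure and undisclosed.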

Description

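Method, apparatus, computer device and storage medium for rapidly switching and deploying keys
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on March 13, 2019, with application number 201910189512.X and entitled "Method, apparatus, computer device and storage medium for rapidly switching and deploying keys", the entire contents of which are incorporated herein by reference.
Technical Field
The present disclosure relates to the technical field of key management, and in particular to a method, apparatus, computer device and storage medium for rapidly switching and deploying keys.
Background
In the prior art, the security of the private key affects the security of the entire encryption system. In the traditional approach the private key is kept on an encryption card, but traditional encryption machines or encryption cards have to be purchased externally, must be plugged into the device or connected to an external device, and are maintained centrally by a system administrator. The encryption machine therefore depends heavily on hardware, which makes rapid switching and deployment inconvenient. Some private keys are even stored locally in plaintext, which poses a great potential danger to system security.
Summary
On this basis, to solve the technical problem in the related art that switching and deploying a private key is inconvenient when security must be ensured, the present disclosure provides a method, apparatus, computer device and storage medium for rapidly switching and deploying keys.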
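In a first aspect, a method for rapidly switching and deploying keys is provided, applied to a blockchain network composed of at least two nodes, including:
creating a cryptographic module in one node of the blockchain network, the node in which the cryptographic module is created being the first node;
sealing the private key of the first node in the cryptographic module;
synchronously deploying the private key, along with the cryptographic module, to the nodes of the blockchain network other than the first node, wherein the private key can only be accessed by entering the cryptographic module through a specific interface.
In a second aspect, an apparatus for rapidly switching and deploying keys is provided, including:
a creating unit, configured to create a cryptographic module in one node of the blockchain network, the node in which the cryptographic module is created being the first node;
a sealing unit, configured to seal the private key of the first node in the cryptographic module;
a synchronization unit, configured to synchronously deploy the private key, along with the cryptographic module, to the nodes of the blockchain network other than the first node, wherein the private key can only be accessed by entering the cryptographic module through a specific interface.
In a third aspect, a computer device is provided, including a memory and a processor, the memory storing computer-readable instructions which, when executed by the processor, cause the processor to execute the steps of the above method for rapidly switching and deploying keys.
In a fourth aspect, a storage medium storing computer-readable instructions is provided; when the computer-readable instructions are executed by one or more processors, the one or more processors execute the steps of the above method for rapidly switching and deploying keys. Optionally, the storage medium may be a non-volatile storage medium, also referred to as a computer non-volatile readable storage medium.
The technical solution provided by the embodiments of the present disclosure ensures that the private key is not disclosed during transmission, ensures the security of the private key, and achieves rapid switching and deployment.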
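Brief Description of the Drawings
FIG. 1 is a diagram of the implementation environment of the method for rapidly switching and deploying keys provided in one embodiment.
FIG. 2 is a flowchart of a method for rapidly switching and deploying keys according to an exemplary embodiment.
FIG. 3 is a flowchart of a specific implementation of step S200 in the method for rapidly switching and deploying keys according to the embodiment corresponding to FIG. 2.
FIG. 4 is a flowchart of a specific implementation of step S230 in the method for rapidly switching and deploying keys according to the embodiment corresponding to FIG. 3.
FIG. 5 is a flowchart of a specific implementation of step S210 in the method for rapidly switching and deploying keys according to the embodiment corresponding to FIG. 3.
FIG. 6 is a flowchart of a specific implementation of step S100 in the method for rapidly switching and deploying keys according to the embodiment corresponding to FIG. 2.
FIG. 7 is a flowchart of a specific implementation of step S100 in the method for rapidly switching and deploying keys according to the embodiment corresponding to FIG. 2.
FIG. 8 is a block diagram of an apparatus for rapidly switching and deploying keys according to an exemplary embodiment.
FIG. 9 schematically shows an example block diagram of an electronic device for implementing the above method for rapidly switching and deploying keys.
FIG. 10 schematically shows a computer-readable storage medium for implementing the above method for rapidly switching and deploying keys.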
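Detailed Description
The present disclosure is described in further detail below with reference to the drawings and embodiments.
FIG. 1 is a diagram of the implementation environment of the method for rapidly switching and deploying keys provided in one embodiment. As shown in FIG. 1, the implementation environment includes multiple nodes 100 that make up a blockchain network and a private key 200.
A cryptographic module can be established to cut off contact with the outside. First, one of the nodes 100 of the blockchain network opens up a storage area and establishes a cryptographic module 101. The cryptographic module 101 has a clear boundary that isolates the environment inside the cryptographic module 101 from the external environment, with only some interfaces retained for contact with the outside. The private key 200 is sealed in the cryptographic module 101, and the private key 200 is then synchronized along with the cryptographic module 101 into the blockchain network, so that the private key 200 is deployed on every node 100 of the blockchain network, which achieves rapid deployment of the private key 200. To obtain the private key 200, however, the cryptographic module 101 must be cracked, which ensures the security of the private key 200.
It should be noted that the blockchain network node 100 may be a smartphone, a tablet computer, a notebook computer, a desktop computer and so on, but is not limited to these. The blockchain network nodes 100 may be connected to one another through Bluetooth, USB (Universal Serial Bus) or other communication connections, which the present disclosure does not limit here.
As shown in FIG. 2, in one embodiment a method for rapidly switching and deploying keys is proposed. The method is applied to a blockchain network composed of at least two nodes and may specifically include the following steps: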
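Step S100: create a cryptographic module in one node of the blockchain network, the node in which the cryptographic module is created being the first node;
The main purpose of the present disclosure is to provide an encryption method that can be rapidly switched and deployed. Specifically, a storage area is opened up in one node of the blockchain network to store the private key. Because the private key must not be disclosed, the present disclosure creates a new cryptographic module in the storage area and seals the private key in it, so as to isolate the private key from the outside. The cryptographic module has a strict cryptographic boundary that blocks contact between the outside and the inside; the private key inside the cryptographic module can only be read through a specific interface, which ensures the security of the private key. The cryptographic boundary of the cryptographic module may be a boundary drawn around software components executing in a modifiable operating environment. The specific interfaces include a data input interface, a data output interface, a control input interface and a status output interface.
Step S200: seal the private key of the first node in the cryptographic module;
Once the cryptographic module has been established, the private key can be input into the cryptographic module through the specific interface, completing the sealing of the cryptographic module.
Step S300: synchronously deploy the private key, along with the cryptographic module, to the nodes of the blockchain network other than the first node, wherein the private key can only be accessed by entering the cryptographic module through a specific interface.
Once the private key is sealed in the cryptographic module, it is synchronized along with the cryptographic module to all nodes of the blockchain. All of the blockchains then have the cryptographic module and the private key sealed in it, and any device that joins the blockchain can obtain the cryptographic module and the private key sealed in it. The private key is thus deployed along with the cryptographic module to all nodes of the blockchain network, so that if the first node is damaged, another node of the blockchain network can be selected to continue operation, which achieves rapid switching and deployment of the private key. Moreover, the private key remains sealed in the cryptographic module and still has to be read through the specific interface, which ensures both the confidentiality and the security of the private key.
By means of the blockchain network and the cryptographic module, the present disclosure seals the private key deployed in the first node of the blockchain network into the cryptographic module and then deploys it, along with the cryptographic module, to all nodes of the blockchain network. If the first node is damaged, another node of the blockchain network is selected to continue operation, which achieves rapid switching and deployment of the private key. At the same time, because the private key stays sealed in the cryptographic module from beginning to end within the blockchain network, its confidentiality and security are also ensured. Furthermore, because a blockchain is tamper-proof, the private key and the cryptographic module are also guaranteed not to be altered into other data.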
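Optionally, FIG. 3 is a detailed description of step S200 in the method for rapidly switching and deploying keys according to the embodiment corresponding to FIG. 2. In this method there are at least two cryptographic modules, and step S200 may include the following steps:
Step S210: split the private key into a number of parts corresponding to the number of cryptographic modules;
In one embodiment of the present disclosure, multiple cryptographic modules may be created when creating cryptographic modules in the blockchain node. The private key is then split, according to the number of cryptographic modules, into a corresponding number of parts that are stored separately. This makes the private key stored in the cryptographic modules harder to crack and can effectively improve its security. The splitting may be random or may follow a predetermined rule, which the present disclosure does not limit here; specific implementations are described in detail in later embodiments.
Step S220: store the different parts of the private key in different cryptographic modules respectively, each cryptographic module storing only one part of the private key;
After the private key has been split, its parts can be stored in the cryptographic modules respectively. The assignment may be random or may follow a predetermined rule, provided that every part of the private key has an independent cryptographic module to store it; the present disclosure does not limit this here. In this way, cracking the private key requires cracking every cryptographic module that stores a part of it, which increases the difficulty of cracking and improves the security of the private key.
Step S230: generate the storage order of the private key, dynamically encrypt the storage order, and store it in the first node.
After the parts of the private key have been stored in the cryptographic modules, the storage order of the private key also needs to be generated. The storage order is the sole credential for splicing the parts back together into a complete private key and is generally held by the owner of the private key. In a blockchain node, however, all data is shared, so to ensure the security of the private key the storage order also needs to be dynamically encrypted.
In one embodiment of the present disclosure, multiple cryptographic modules are created when creating cryptographic modules in the blockchain node. The private key is then split, according to the number of cryptographic modules, into a corresponding number of parts, each cryptographic module stores one part of the private key, and a storage order is generated. Finally, the storage order is dynamically encrypted and stored. To obtain the complete private key, data has to be read from all of the cryptographic modules to obtain all parts of the private key, and these parts have to be spliced together in order; this increases the security of private key storage.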
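Optionally, FIG. 4 is a detailed description of step S230 in the method for rapidly switching and deploying keys according to the embodiment corresponding to FIG. 3. In this method the storage order is a character string, and step S230 may include the following steps:
Step S231: obtain the storage-order string to be encrypted and store it;
When encrypting the storage order, the storage order first has to be obtained and stored so that the storage-order data can be processed conveniently. At this point the storage-order data can be regarded as a character string stored in the local device.
Step S232: perform a specified digest operation on specified feature information of the storage order;
After the storage order has been obtained and stored, a digest operation can be performed on a specified feature of the storage order. The specified feature information may be, for example, the string length of the storage order, and the digest operation may be, for example, a hash operation, or generating a random number and taking its remainder on division by the string length of the storage order; this solution does not limit it. Take as an example the case where the specified feature information is the string length of the storage order and the digest operation is generating a random number and taking its remainder on division by that string length: if the string length of the storage order is a and the randomly generated number is b, the remainder of b divided by a is obtained, and this remainder is the result of the specified digest operation.
Step S233: determine, according to the result of the specified digest operation, the starting character for encrypting the storage order;
The digest operation yields a numeric value. This value can be used as the position of the starting character for encryption, or its first few digits or last few digits can be used as that position; the starting character for encrypting the storage order is thereby determined.
Step S234: starting from the starting character, obtain an encryption key from the storage-order string;
Once the position of the starting character has been determined, the storage-order string can be encrypted. The encryption method may be to extract characters at every predetermined number of positions, beginning at the starting character, until a predetermined length has been extracted, and to assemble them into the encryption key. The predetermined number of positions may be 1, 2, a prime number and so on; the predetermined length may be the length of the storage-order string, or 20 or 304 characters. Both the predetermined number of positions and the predetermined length can be set according to the specific situation, and this solution does not limit them.
Step S235: encrypt the storage-order string with the encryption key according to a predetermined encryption algorithm;
After the encryption key has been obtained, the storage data string is encrypted with the encryption key according to the predetermined algorithm, where the predetermined algorithm is the algorithm that generates the encryption key.
Step S236: send the encrypted storage-order string.
After encryption is complete, the encrypted storage data string can be sent to the other nodes of the blockchain network.
In one embodiment of the present disclosure, the dynamic encryption operation may encrypt the storage order as follows. The storage order to be encrypted is first obtained, and a digest operation is then performed on specified feature information of the storage order. The specified feature information may be, for example, the string length of the storage order, and the digest operation may be, for example, a hash operation, or generating a random number and taking its remainder on division by the string length of the storage order; this solution does not limit it. The digest operation yields a numeric value, which is used as the position of the starting character for encrypting the storage-order string. The encryption method may be to extract characters at every 1 position, beginning at the starting character, until a predetermined length has been extracted, and to assemble them into the encryption key; the predetermined length can be set according to the specific situation, and this solution does not limit it. After the encryption key has been obtained, the storage data string is encrypted according to the predetermined algorithm, and after encryption is complete the encrypted storage data string is sent to the other nodes of the blockchain network.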
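Steps S232 to S234 above, as an added Python example (not code from the patent) that derives the encryption key from the storage-order string and bounds how much entropy such a key can carry. The comma-separated form of the storage order, wrap-around at the end of the string and all function names are assumptions; step S235 is left out because the page does not name the cipher.

```python
import math


def start_index(order_string: str, b: int) -> int:
    """S232-S233: digest of the string length a with the random number b,
    i.e. b mod a, used directly as the position of the starting character."""
    a = len(order_string)
    if a == 0:
        raise ValueError("storage-order string is empty")
    if b < 0:
        raise ValueError("b must be non-negative")
    return b % a


def derive_key(order_string: str, b: int, stride: int, key_len: int) -> str:
    """S234: from the starting character, take one character every `stride`
    positions until `key_len` characters are collected.
    Assumption: positions wrap around at the end of the string, which the
    page does not specify but a key as long as the string requires."""
    if stride < 1 or key_len < 1:
        raise ValueError("stride and key_len must be positive")
    a = len(order_string)
    start = start_index(order_string, b)
    return "".join(order_string[(start + i * stride) % a] for i in range(key_len))


def key_entropy_upper_bound(order_string: str, key_len: int) -> float:
    """Upper bound, in bits, on the entropy of any key derived above: every
    key character is one of the symbols that occur in the order string."""
    distinct = len(set(order_string))
    return key_len * math.log2(distinct) if distinct > 1 else 0.0


# Constructed sample: four key parts stored in modules 2, 0, 3, 1.
ORDER = "2,0,3,1"
# b is fixed here for reproducibility; in use it would come from a CSPRNG,
# for example secrets.randbelow(2**32).
SAMPLE_KEY = derive_key(ORDER, b=23, stride=2, key_len=8)

if __name__ == "__main__":
    print("start position:", start_index(ORDER, 23))
    print("derived key   :", SAMPLE_KEY)
    print("entropy bound : %.2f bits" % key_entropy_upper_bound(ORDER, 8))
```

Because the key characters come from the storage-order string itself, a short order string made of digits and separators caps the key's entropy well below its length in bits.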
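Optionally, FIG. 5 is a detailed description of step S210 in the method for rapidly switching and deploying keys according to the embodiment corresponding to FIG. 3. In this method, step S210 may include the following steps:
Step S211: read the length of the private key;
To split the private key, its length must first be measured.
Step S212: divide the private key evenly into parts of equal length, the number of parts corresponding to the number of cryptographic modules.
In one embodiment of the present disclosure, the private key may be split into a number of parts corresponding to the number of cryptographic modules by randomly splitting it, according to the number of cryptographic modules, into as many parts as there are cryptographic modules, with the length distributed evenly, that is, every part has the same length. Because every part of the private key has the same length, the private key parts stored in each cryptographic module have the same length during storage, which increases the difficulty of splicing the cryptographic modules together.
Optionally, corresponding to step S210 in the method for rapidly switching and deploying keys according to the embodiment corresponding to FIG. 3, each node of the blockchain network also contains a predetermined threshold for the storage length of a cryptographic module, and step S210 may further include the following step:
splitting the private key into a number of parts corresponding to the number of cryptographic modules, the length of each part not exceeding the predetermined threshold for the storage length of a cryptographic module.
In another embodiment of the present disclosure, the private key may also be split into a number of parts corresponding to the number of cryptographic modules by dividing it, according to the number of cryptographic modules, into as many parts as there are cryptographic modules, the length of each part not exceeding the predetermined threshold for the storage length of a cryptographic module. This ensures that certain important data in some private keys is not split into two parts. The predetermined threshold is, for example, 32 bits, 64 bits or 128 bits, which the present disclosure does not limit here.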
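Optionally, FIG. 6 is a detailed description of step S100 in the method for rapidly switching and deploying keys according to the embodiment corresponding to FIG. 2. In this method, each node of the blockchain network also contains a correspondence between private key length and number of cryptographic modules, and step S100 may further include the following steps:
Step S110: read the length of the private key;
In another embodiment of the present disclosure, there are multiple cryptographic modules, and cryptographic modules may be created in a node of the blockchain by looking up, according to the length of the private key, the correspondence between private key length and number of cryptographic modules stored in the blockchain, and deciding from it how many cryptographic modules to create.
Step S120: look up the correspondence between private key length and number of cryptographic modules, and determine the number of cryptographic modules to be created;
The correspondence between private key length and number of cryptographic modules can be set according to the specific situation, for example 1 cryptographic module when the key length is below 32 bits, 2 cryptographic modules for 32 to 64 bits, and 4 cryptographic modules for 96 to 128 bits; the present disclosure does not limit this here.
Step S130: create the number of cryptographic modules that corresponds to the length of the private key.
In this way the number of cryptographic modules and the difficulty of reassembly can be set flexibly according to the length of the private key. Generally speaking, the longer a private key is, the harder it is to crack and the more important that private key is shown to be, so the more parts it needs to be split into.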
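Optionally, FIG. 7 is a detailed description of step S100 in the method for rapidly switching and deploying keys according to the embodiment corresponding to FIG. 2. In this method, each node of the blockchain network also contains a predetermined threshold for the storage length of a cryptographic module, and step S100 may further include the following steps:
Step S101: determine whether the length of the private key exceeds the predetermined threshold for the storage length of a cryptographic module;
In another embodiment of the present disclosure, there are multiple cryptographic modules, and cryptographic modules may also be created in a node of the blockchain by deciding, according to the predetermined threshold for the storage length of a cryptographic module stored in the blockchain, how many parts the private key is split into, the length of each part not exceeding the predetermined threshold, and then creating a number of cryptographic modules corresponding to the number of private key parts. The predetermined threshold is, for example, 32 bits, 64 bits or 128 bits, which the present disclosure does not limit here.
Step S102: if the length of the private key exceeds the predetermined threshold for the storage length of a cryptographic module, split the private key into at least two parts, the length of each part not exceeding the predetermined threshold for the storage length of a cryptographic module;
Storing the key in this way allows the number of cryptographic modules and the difficulty of reassembly to be set flexibly according to the length of the private key, so that the protection of the private key is better targeted.
Step S103: create a number of cryptographic modules corresponding to the number of private key parts.
In this way, too, the number of cryptographic modules and the difficulty of reassembly can be set flexibly according to the length of the private key. Generally speaking, the longer a private key is, the harder it is to crack and the more important that private key is shown to be, so the more parts it needs to be split into. Compared with the method shown in FIG. 6, the blockchain no longer needs to store a correspondence between private key length and number of cryptographic modules but only a predetermined threshold, which saves storage space.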
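Steps S101 to S103 together with the sealing steps S210 to S230 described earlier, as an added Python example that is not code from the patent. The `CryptoModule` class, splitting on byte boundaries, the comma-separated storage-order string and the handling of key lengths that do not divide evenly are assumptions made for illustration.

```python
import math
import random


class CryptoModule:
    """Constructed stand-in for one cryptographic module: the sealed part is
    reachable only through the interface methods (data in/out, status)."""

    def __init__(self, module_id: int):
        self.module_id = module_id
        self.__part = None                      # held inside the boundary

    def data_in(self, part: bytes) -> None:     # data input interface
        if self.__part is not None:
            raise RuntimeError("module already holds a part")
        self.__part = bytes(part)

    def data_out(self) -> bytes:                # data output interface
        if self.__part is None:
            raise RuntimeError("module is empty")
        return self.__part

    def status(self) -> str:                    # status output interface
        return "sealed" if self.__part is not None else "empty"


def module_count(key: bytes, threshold_bits: int) -> int:
    """S101-S103: one module if the key fits within the threshold, otherwise
    the smallest number of parts such that none exceeds it."""
    if not key:
        raise ValueError("empty key")
    if threshold_bits <= 0 or threshold_bits % 8:
        raise ValueError("threshold must be a positive multiple of 8 bits")
    return math.ceil(len(key) * 8 / threshold_bits)


def split_key(key: bytes, n: int) -> list:
    """S211-S212: n contiguous parts of equal length. Assumption: when the
    length is not a multiple of n, the first (len % n) parts get one extra byte."""
    if not 1 <= n <= len(key):
        raise ValueError("need 1 <= n <= len(key)")
    base, extra = divmod(len(key), n)
    parts, pos = [], 0
    for i in range(n):
        size = base + (1 if i < extra else 0)
        parts.append(key[pos:pos + size])
        pos += size
    return parts


def seal(key: bytes, threshold_bits: int, rng=None):
    """S210-S230: split, store one part per module, return the storage order."""
    rng = rng or random.SystemRandom()
    n = module_count(key, threshold_bits)
    modules = [CryptoModule(i) for i in range(n)]
    order = list(range(n))
    rng.shuffle(order)                          # order[k] = module holding part k
    for part, module_id in zip(split_key(key, n), order):
        modules[module_id].data_in(part)
    return modules, ",".join(map(str, order))


def reassemble(modules, order_string: str) -> bytes:
    """Read every module through data_out and splice the parts in order."""
    by_id = {m.module_id: m for m in modules}
    ids = [int(x) for x in order_string.split(",")]
    if sorted(ids) != sorted(by_id):
        raise ValueError("storage order does not name every module exactly once")
    return b"".join(by_id[i].data_out() for i in ids)


KEY = bytes(range(40))                          # constructed 320-bit sample key
```

Each module holds a contiguous slice of the key, so reading one module yields that slice directly; the storage order only protects how the slices are put back together.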
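As shown in FIG. 8, in one embodiment an apparatus for rapidly switching and deploying keys is provided. The apparatus may be integrated in the above computer device 100 and may specifically include a creating unit 110, a sealing unit 120 and a synchronization unit 130.
The creating unit 110 is configured to create a cryptographic module in one node of the blockchain;
The sealing unit 120 is configured to seal the private key of the node in the cryptographic module;
The synchronization unit 130 is configured to synchronize the private key, along with the cryptographic module, to the other blockchain nodes, the private key being accessible only by entering the cryptographic module through a specific interface.
For the implementation of the functions and roles of the modules in the above apparatus, see the implementation of the corresponding steps in the above method for rapidly switching and deploying keys; it is not repeated here.
It should be noted that although several modules or units of the device for performing actions are mentioned in the detailed description above, this division is not mandatory. In fact, according to the embodiments of the present disclosure, the features and functions of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by multiple modules or units.
In addition, although the steps of the method in the present disclosure are described in the drawings in a specific order, this does not require or imply that the steps must be performed in that specific order, or that all of the steps shown must be performed to achieve the desired result. Additionally or alternatively, some steps may be omitted, multiple steps may be combined into one step, and/or one step may be broken down into multiple steps.
From the description of the above embodiments, those skilled in the art will readily understand that the example embodiments described here can be implemented by software, or by software combined with the necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which may be a CD-ROM, USB flash drive, portable hard disk, etc.) or on a network, and which includes several instructions that cause a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.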
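In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
Those skilled in the art will understand that the various aspects of the present disclosure can be implemented as a system, a method or a program product. Therefore, the various aspects of the present disclosure can be embodied in the following forms: an entirely hardware implementation, an entirely software implementation (including firmware, microcode, etc.), or an implementation combining hardware and software aspects, which may be collectively referred to here as a "circuit", "module" or "system".
An electronic device 500 according to this embodiment of the present disclosure is described below with reference to FIG. 9. The electronic device 500 shown in FIG. 9 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present disclosure.
As shown in FIG. 9, the electronic device 500 takes the form of a general-purpose computing device. The components of the electronic device 500 may include, but are not limited to: the above at least one processing unit 510, the above at least one storage unit 520, and a bus 530 connecting the different system components (including the storage unit 520 and the processing unit 510).
The storage unit stores program code that can be executed by the processing unit 510, so that the processing unit 510 executes the steps according to various exemplary embodiments of the present disclosure described in the above "Exemplary Method" section of this specification. For example, the processing unit 510 may execute step S100 as shown in FIG. 2, creating a cryptographic module in one node of the blockchain; step S200, sealing the private key of the node in the cryptographic module; and step S300, synchronizing the private key, along with the cryptographic module, to the other blockchain nodes, the private key being accessible only by entering the cryptographic module through a specific interface.
The storage unit 520 may include readable media in the form of volatile storage units, such as a random access storage unit (RAM) 5201 and/or a cache storage unit 5202, and may further include a read-only storage unit (ROM) 5203.
The storage unit 520 may also include a program/utility 5204 having a set of (at least one) program modules 5205. Such program modules 5205 include, but are not limited to: an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
The bus 530 may represent one or more of several types of bus structures, including a storage unit bus or storage unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus structures.
The electronic device 500 may also communicate with one or more external devices 700 (such as a keyboard, a pointing device, a Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 500, and/or with any device (such as a router, a modem, etc.) that enables the electronic device 500 to communicate with one or more other computing devices. Such communication can take place through an input/output (I/O) interface 550. The electronic device 500 may also communicate with one or more networks (for example a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 560. As shown in the figure, the network adapter 560 communicates with the other modules of the electronic device 500 through the bus 530. It should be understood that, although not shown in the figure, other hardware and/or software modules can be used in conjunction with the electronic device 500, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.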
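From the description of the above embodiments, those skilled in the art will readily understand that the example embodiments described here can be implemented by software, or by software combined with the necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which may be a CD-ROM, USB flash drive, portable hard disk, etc.) or on a network, and which includes several instructions that cause a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium is also provided, on which a program product capable of implementing the above method of this specification is stored. In some possible implementations, the various aspects of the present disclosure may also be implemented in the form of a program product that includes program code; when the program product runs on a terminal device, the program code is used to cause the terminal device to execute the steps according to various exemplary embodiments of the present disclosure described in the above "Exemplary Method" section of this specification.
Referring to FIG. 10, a program product 600 for implementing the above method according to an embodiment of the present disclosure is described. It can take the form of a portable compact disk read-only memory (CD-ROM) that includes program code, and can run on a terminal device such as a personal computer. However, the program product of the present disclosure is not limited to this. In this document, a readable storage medium can be any tangible medium that contains or stores a program, and the program can be used by or in combination with an instruction execution system, apparatus or device.
The program product may use any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
A computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, in which readable program code is carried. Such a propagated data signal can take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the above. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by or in combination with an instruction execution system, apparatus or device.
The program code contained on a readable medium can be transmitted over any suitable medium, including but not limited to wireless, wired, optical cable, RF and so on, or any suitable combination of the above.
The program code for performing the operations of the present disclosure can be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code can be executed entirely on the user's computing device, partly on the user's device, as an independent software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. Where a remote computing device is involved, the remote computing device can be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or can be connected to an external computing device (for example, through the Internet using an Internet service provider).
This application opens up a storage area in one node of the blockchain network to store the private key, first creating a new cryptographic module in the storage area and then sealing the private key in the cryptographic module so as to isolate the private key from the outside, which ensures that the private key is not disclosed during transmission. The cryptographic module has a strict boundary that blocks contact between the outside and the inside; the private key inside the cryptographic module can only be read through a specific interface, which ensures the security of the private key. Once the private key is sealed in the cryptographic module, it is synchronized along with the cryptographic module to all nodes of the blockchain. All of the blockchains then have this environment, and any device that joins the blockchain can obtain it, which achieves rapid switching and deployment.
The processing shown in the above drawings does not indicate or limit the chronological order of that processing. In addition, the processing may be executed, for example, synchronously or asynchronously in multiple modules.
This application is intended to cover any variations, uses or adaptations of the present disclosure that follow the general principles of the present disclosure and include common knowledge or customary technical means in the technical field that are not disclosed in the present disclosure.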

Claims (20)

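  1. A method for rapidly switching and deploying keys, characterized in that it is applied to a blockchain network composed of at least two nodes, the method comprising:
    creating a cryptographic module in one node of the blockchain network, the node in which the cryptographic module is created being the first node;
    sealing the private key of the first node in the cryptographic module;
    synchronously deploying the private key, along with the cryptographic module, to the nodes of the blockchain network other than the first node, wherein the private key can only be accessed by entering the cryptographic module through a specific interface.
  2. The method according to claim 1, characterized in that there are at least two cryptographic modules, and the step of sealing the private key of the first node in the cryptographic module comprises:
    splitting the private key into a number of parts corresponding to the number of cryptographic modules;
    storing the different parts of the private key in different cryptographic modules respectively, each cryptographic module storing only one part of the private key;
    generating the storage order of the private key, dynamically encrypting the storage order, and storing it in the first node.
  3. The method according to claim 2, characterized in that the storage order is a character string, and dynamically encrypting the storage order and storing it in the first node specifically comprises:
    obtaining the storage-order string to be encrypted and storing it;
    performing a specified digest operation on specified feature information of the storage order;
    determining, according to the result of the specified digest operation, the starting character for encrypting the storage order;
    starting from the starting character, obtaining an encryption key from the storage-order string;
    encrypting the storage-order string with the encryption key according to a predetermined encryption algorithm;
    sending the encrypted storage-order string.
  4. The method according to claim 2, characterized in that the step of splitting the private key into a number of parts corresponding to the number of cryptographic modules comprises:
    reading the length of the private key;
    dividing the private key evenly into parts of equal length, the number of parts corresponding to the number of cryptographic modules.
  5. The method according to claim 2, characterized in that each node of the blockchain network also contains a predetermined threshold for the storage length of a cryptographic module, and the step of splitting the private key into a number of parts corresponding to the number of cryptographic modules comprises:
    splitting the private key into a number of parts corresponding to the number of cryptographic modules, the length of each part not exceeding the predetermined threshold for the storage length of a cryptographic module.
  6. The method according to claim 1, characterized in that each node of the blockchain network also contains a correspondence between private key length and number of cryptographic modules, and the step of creating a cryptographic module in one node of the blockchain network comprises:
    reading the length of the private key;
    looking up the correspondence between private key length and number of cryptographic modules, and determining the number of cryptographic modules to be created;
    creating the number of cryptographic modules that corresponds to the length of the private key.
  7. The method according to claim 1, characterized in that each node of the blockchain network also contains a predetermined threshold for the storage length of a cryptographic module, and the method of creating a cryptographic module in one node of the blockchain network comprises:
    determining whether the length of the private key exceeds the predetermined threshold for the storage length of a cryptographic module;
    if the length of the private key exceeds the predetermined threshold for the storage length of a cryptographic module, splitting the private key into at least two parts, the length of each part not exceeding the predetermined threshold for the storage length of a cryptographic module;
    creating a number of cryptographic modules corresponding to the number of private key parts.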
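  8. An apparatus for rapidly switching and deploying keys, characterized in that the apparatus comprises:
    a creating unit, configured to create a cryptographic module in one node of a blockchain network, the node in which the cryptographic module is created being the first node;
    a sealing unit, configured to seal the private key of the first node in the cryptographic module;
    a synchronization unit, configured to synchronously deploy the private key, along with the cryptographic module, to the nodes of the blockchain network other than the first node, wherein the private key can only be accessed by entering the cryptographic module through a specific interface.
  9. The apparatus according to claim 8, characterized in that there are at least two cryptographic modules, and the sealing unit is specifically configured to:
    split the private key into a number of parts corresponding to the number of cryptographic modules;
    store the different parts of the private key in different cryptographic modules respectively, each cryptographic module storing only one part of the private key;
    generate the storage order of the private key, dynamically encrypt the storage order, and store it in the first node.
  10. The apparatus according to claim 9, characterized in that, where the storage order is a character string, the sealing unit, when dynamically encrypting the storage order and storing it in the first node, is specifically configured to:
    obtain the storage-order string to be encrypted and store it;
    perform a specified digest operation on specified feature information of the storage order;
    determine, according to the result of the specified digest operation, the starting character for encrypting the storage order;
    starting from the starting character, obtain an encryption key from the storage-order string;
    encrypt the storage-order string with the encryption key according to a predetermined encryption algorithm;
    send the encrypted storage-order string.
  11. The apparatus according to claim 9, characterized in that the sealing unit, when splitting the private key into a number of parts corresponding to the number of cryptographic modules, is specifically configured to:
    read the length of the private key;
    divide the private key evenly into parts of equal length, the number of parts corresponding to the number of cryptographic modules.
  12. The apparatus according to claim 9, characterized in that each node of the blockchain network also contains a predetermined threshold for the storage length of a cryptographic module, and the sealing unit, when splitting the private key into a number of parts corresponding to the number of cryptographic modules, is specifically configured to:
    split the private key into a number of parts corresponding to the number of cryptographic modules, the length of each part not exceeding the predetermined threshold for the storage length of a cryptographic module.
  13. The apparatus according to claim 8, characterized in that each node of the blockchain network also contains a correspondence between private key length and number of cryptographic modules, and the creating unit is specifically configured to:
    read the length of the private key;
    look up the correspondence between private key length and number of cryptographic modules, and determine the number of cryptographic modules to be created;
    create the number of cryptographic modules that corresponds to the length of the private key.
  14. The apparatus according to claim 8, characterized in that each node of the blockchain network also contains a predetermined threshold for the storage length of a cryptographic module, and the creating unit is specifically configured to:
    determine whether the length of the private key exceeds the predetermined threshold for the storage length of a cryptographic module;
    if the length of the private key exceeds the predetermined threshold for the storage length of a cryptographic module, split the private key into at least two parts, the length of each part not exceeding the predetermined threshold for the storage length of a cryptographic module;
    create a number of cryptographic modules corresponding to the number of private key parts.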
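  15. A computer device, comprising a memory and a processor, the memory storing computer-readable instructions which, when executed by the processor, cause the processor to execute the following steps:
    creating a cryptographic module in one node of a blockchain network, the node in which the cryptographic module is created being the first node;
    sealing the private key of the first node in the cryptographic module;
    synchronously deploying the private key, along with the cryptographic module, to the nodes of the blockchain network other than the first node, wherein the private key can only be accessed by entering the cryptographic module through a specific interface.
  16. The computer device according to claim 15, characterized in that there are at least two cryptographic modules, and the processor, when sealing the private key of the first node in the cryptographic module, specifically executes the following steps:
    splitting the private key into a number of parts corresponding to the number of cryptographic modules;
    storing the different parts of the private key in different cryptographic modules respectively, each cryptographic module storing only one part of the private key;
    generating the storage order of the private key, dynamically encrypting the storage order, and storing it in the first node.
  17. The computer device according to claim 16, characterized in that the storage order is a character string, and the processor, when dynamically encrypting the storage order and storing it in the first node, specifically executes the following steps:
    obtaining the storage-order string to be encrypted and storing it;
    performing a specified digest operation on specified feature information of the storage order;
    determining, according to the result of the specified digest operation, the starting character for encrypting the storage order;
    starting from the starting character, obtaining an encryption key from the storage-order string;
    encrypting the storage-order string with the encryption key according to a predetermined encryption algorithm;
    sending the encrypted storage-order string.
  18. The computer device according to claim 16, characterized in that each node of the blockchain network also contains a predetermined threshold for the storage length of a cryptographic module, and the processor, when splitting the private key into a number of parts corresponding to the number of cryptographic modules, specifically executes the following step:
    splitting the private key into a number of parts corresponding to the number of cryptographic modules, the length of each part not exceeding the predetermined threshold for the storage length of a cryptographic module.
  19. The computer device according to claim 15, characterized in that each node of the blockchain network also contains a correspondence between private key length and number of cryptographic modules, and the processor, when creating a cryptographic module in one node of the blockchain network, specifically executes the following steps:
    reading the length of the private key;
    looking up the correspondence between private key length and number of cryptographic modules, and determining the number of cryptographic modules to be created;
    creating the number of cryptographic modules that corresponds to the length of the private key.
  20. A storage medium storing computer-readable instructions which, when executed by one or more processors, cause the one or more processors to execute the method according to any one of claims 1 to 7.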
PCT/CN2019/123026 2019-03-13 2019-12-04 Method, apparatus, computer device and storage medium for rapidly switching and deploying keys WO2020181842A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910189512.X 2019-03-13
CN201910189512.XA CN110086607B (zh) 2019-03-13 2019-03-13 Method, apparatus, computer device and storage medium for rapidly switching and deploying keys

Publications (1)

Publication Number Publication Date
WO2020181842A1 (zh) 2020-09-17

Family

ID=67413280

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/123026 WO2020181842A1 (zh) 2019-03-13 2019-12-04 Method, apparatus, computer device and storage medium for rapidly switching and deploying keys

Country Status (2)

Country Link
CN (1) CN110086607B (zh)
WO (1) WO2020181842A1 (zh)


Also Published As

Publication number Publication date
CN110086607B (zh) 2021-08-17
CN110086607A (zh) 2019-08-02


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19919261

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 20.01.2022)

122 Ep: pct application non-entry in european phase

Ref document number: 19919261

Country of ref document: EP

Kind code of ref document: A1