WO2022105113A1 - Key-update-based encryption method, apparatus and device, and storage medium - Google Patents


Info

Publication number
WO2022105113A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
information
update
new
asymmetric
Prior art date
Application number
PCT/CN2021/090175
Other languages
French (fr)
Chinese (zh)
Inventor
盘兵
Original Assignee
平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司
Publication of WO2022105113A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L 9/302 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Definitions

  • The message encryption mechanism based on the Advanced Encryption Standard is invoked: the message information is converted into a JavaScript Object Notation (JSON) string to obtain the initial string; the initial string is converted into an 8-bit Unicode Transformation Format (UTF-8) string to obtain the target string; the target string is encrypted with the Advanced Encryption Standard key to obtain the encrypted sending information; and the encrypted sending information is encoded with the Base64 encoding algorithm to obtain the first encrypted sending information.
  • The key update message is a message arising from a change in the business relationship that results in an update of the service password, or from the need to update the key periodically.
  • The old asymmetric key expiration information is the expiration information of the old RSA (Rivest-Shamir-Adleman) key.
  • The new asymmetric key is the new RSA (Rivest-Shamir-Adleman) key.
  • Step 201: the execution process of step 201 is similar to that of the foregoing step 101 and is not repeated here.
  • The server obtains the old asymmetric key expiration information and the asymmetric key update time of the sent message, together with the Advanced Encryption Standard key update initiation time indicated by the key update completion instruction; the old asymmetric key expiration information includes a preset trigger date. The server determines whether the asymmetric key update time is the same as the Advanced Encryption Standard key update time; if the two update times are inconsistent, a new key generation rule is obtained, and the first key information is generated using the new key generation rule and the preset trigger date.
  • The validity period and batch number are obtained, giving the new asymmetric key information.
  • For example, if the preset business low-peak period is 02:00-06:00 and the update date in the asymmetric key update time is October 20, then the effective time of the new asymmetric key in the new asymmetric key information is set to the 02:00-06:00 period later than October 23 (that is, the effective time is greater than the update date of the asymmetric key update initiation time + 3), so as to obtain the first key information.
  • Step 203: the execution process of step 203 is similar to that of the foregoing step 103 and is not repeated here.
  • The server sends the second key information and the key update request to the receiving end through the KeyExchange interface of the new key confirmation interface. The receiving end decrypts the second key information with the receiver's currently valid RSA private key to obtain the decrypted new key information, generates the new key encryption agreement information confirmMsg from the batch number in the decrypted new key information and the preset field "CONFIRMED", in the form "batch number + CONFIRMED", and assembles the new key encryption agreement information into a response message over the Hypertext Transfer Protocol (HTTP), so as to obtain the key confirmation update information.
  • The server parses the key confirmation update information to obtain the parsed information and decrypts the parsed information with the new asymmetric key to obtain the new key encryption agreement information; it then determines whether the new key encryption agreement information is consistent with the preset value. If it is consistent with the preset value, the new key update completion information for the second key information is generated; if it is inconsistent with the preset value, the target new key encryption agreement information is obtained iteratively until it is consistent with the preset value, and the new key update completion information is then obtained.
  • When the new key confirmation update information sent by the receiver is received, the new key confirmation update information is parsed in turn to obtain new parsed information, and the new key confirmation update information is processed with the new asymmetric key.
  • When the server receives the new key update completion information, it calls a preset timer to execute a timing task based on the effective time.
  • When the timing task counts to October-February 03:00, the new key validating instruction is triggered, and the sent message is encrypted according to the new key validating instruction and the new asymmetric key to obtain the second encrypted sent message.
  • The sending module 304 is configured to send the second key information and the key update request to the receiving end through the preset new key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information based on the key update request and obtains the key confirmation update information;
  • The update encryption module 301 is used to obtain the sent message information and, when the sent message information is a business sent message and the key update completion instruction is received, to obtain the Advanced Encryption Standard key after the key update is completed, call the preset message encryption mechanism based on the Advanced Encryption Standard, and encrypt the sent message with the Advanced Encryption Standard key to obtain the first encrypted sent message;
  • The trigger encryption unit 3052 is used to trigger the new key validation instruction through the new key update completion information and the effective time, and to perform trigger encryption processing on the sent message according to the new key validation instruction and the new asymmetric key to obtain the second encrypted sent message.
  • The effective time of the new asymmetric key in the new asymmetric key information is configured according to the asymmetric key update initiation time and the preset business low-peak period, to obtain the first key information.
  • the trigger encryption unit 3052 can also be specifically used for:

Abstract

The present application relates to the field of information security, and provides a key-update-based encryption method, apparatus and device, and a storage medium, which are used for improving the security and reliability of a communication encryption mechanism. The key-update-based encryption method comprises: by means of an advanced encryption standard key, encrypting post information that is a service post, so as to obtain first encrypted post information; generating first key information according to old asymmetric key expiration information; encrypting the first key information by means of an effective asymmetric public key of a receiver to obtain second key information; sending the second key information to a receiving end, such that the receiving end obtains key confirmation and update information on the basis of a key update request; and when the key confirmation and update information sent by the receiving end is received, according to a new asymmetric key and the effective time, performing encryption triggering processing on the post information that is a key update post, so as to obtain second encrypted post information. In addition, the present application further relates to blockchain technology, and post information can be stored in a blockchain.

Description

Key-update-based encryption method, apparatus and device, and storage medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on November 17, 2020, with application number 202011284393.5 and title "Encryption method, apparatus and device, and storage medium based on key update and distribution", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of information encryption and decryption within information security, and in particular to a key-update-based encryption method, apparatus and device, and a storage medium.
Background
With the development of Internet of Things and computer technology, the security of information in transit has attracted much attention, and communication security has become an important area of information security. This is especially true for the financial industry, where leakage of customer information, transaction information or other sensitive information can cause direct and significant economic losses. A secure and reliable mechanism for communication between partners is therefore the cornerstone of smooth business operation.
At present, in communication between partners in the financial industry, each institution builds on the national communication security standards and, according to its own business scenarios and needs, adopts various kinds of encryption mechanisms to encrypt communication messages and to update and distribute keys, so that even if communication messages are leaked, an intruder cannot easily break the encryption and obtain the information.
The inventor has realized that the encryption mechanisms adopted by these institutions, when they combine multiple encryption algorithms, fail to coordinate the weaknesses of the individual algorithms, do not address privacy protection for the several types of messages that are sent, and do not provide for key update and distribution in a trusted environment. As a result, the security and reliability of existing communication encryption mechanisms is low.
Summary
The present application provides a key-update-based encryption method, apparatus and device, and a storage medium, for improving the security and reliability of a communication encryption mechanism.
A first aspect of the present application provides a key-update-based encryption method, comprising: obtaining sent message information; when the sent message information is a business message and a key update completion instruction is received, obtaining the Advanced Encryption Standard key produced by the completed key update, invoking a preset message encryption mechanism based on the Advanced Encryption Standard, and encrypting the sent message information with the Advanced Encryption Standard key to obtain first encrypted sent message information; when the sent message information is a key update message, obtaining old asymmetric key expiration information of the sent message information and generating first key information according to the old asymmetric key expiration information, the first key information comprising a new asymmetric key and an effective time of the new asymmetric key; obtaining the receiver's asymmetric public key that is currently in effect, and encrypting the first key information with the receiver's asymmetric public key to obtain second key information; sending the second key information and a key update request to the receiving end through a preset new key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information according to the key update request and obtains key confirmation update information; and, when the key confirmation update information sent by the receiving end is received, performing trigger encryption processing on the sent message information according to the new asymmetric key and the effective time to obtain second encrypted sent message information.
A second aspect of the present application provides a key-update-based encryption device, comprising a memory, a processor, and computer-readable instructions stored in the memory and executable on the processor, where the processor, when executing the computer-readable instructions, implements the following steps: obtaining sent message information; when the sent message information is a business message and a key update completion instruction is received, obtaining the Advanced Encryption Standard key produced by the completed key update, invoking a preset message encryption mechanism based on the Advanced Encryption Standard, and encrypting the sent message information with the Advanced Encryption Standard key to obtain first encrypted sent message information; when the sent message information is a key update message, obtaining old asymmetric key expiration information of the sent message information and generating first key information according to the old asymmetric key expiration information, the first key information comprising a new asymmetric key and an effective time of the new asymmetric key; obtaining the receiver's asymmetric public key that is currently in effect, and encrypting the first key information with the receiver's asymmetric public key to obtain second key information; sending the second key information and a key update request to the receiving end through a preset new key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information according to the key update request and obtains key confirmation update information; and, when the key confirmation update information sent by the receiving end is received, performing trigger encryption processing on the sent message information according to the new asymmetric key and the effective time to obtain second encrypted sent message information.
A third aspect of the present application provides a computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the following steps: obtaining sent message information; when the sent message information is a business message and a key update completion instruction is received, obtaining the Advanced Encryption Standard key produced by the completed key update, invoking a preset message encryption mechanism based on the Advanced Encryption Standard, and encrypting the sent message information with the Advanced Encryption Standard key to obtain first encrypted sent message information; when the sent message information is a key update message, obtaining old asymmetric key expiration information of the sent message information and generating first key information according to the old asymmetric key expiration information, the first key information comprising a new asymmetric key and an effective time of the new asymmetric key; obtaining the receiver's asymmetric public key that is currently in effect, and encrypting the first key information with the receiver's asymmetric public key to obtain second key information; sending the second key information and a key update request to the receiving end through a preset new key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information according to the key update request and obtains key confirmation update information; and, when the key confirmation update information sent by the receiving end is received, performing trigger encryption processing on the sent message information according to the new asymmetric key and the effective time to obtain second encrypted sent message information.
A fourth aspect of the present application provides a key-update-based encryption apparatus, comprising: an update encryption module, configured to obtain sent message information and, when the sent message information is a business message and a key update completion instruction is received, obtain the Advanced Encryption Standard key produced by the completed key update, invoke a preset message encryption mechanism based on the Advanced Encryption Standard, and encrypt the sent message information with the Advanced Encryption Standard key to obtain first encrypted sent message information; a generation module, configured to, when the sent message information is a key update message, obtain old asymmetric key expiration information of the sent message information and generate first key information according to the old asymmetric key expiration information, the first key information comprising a new asymmetric key and an effective time of the new asymmetric key; an encryption module, configured to obtain the receiver's asymmetric public key that is currently in effect and encrypt the first key information with the receiver's asymmetric public key to obtain second key information; a sending module, configured to send the second key information and a key update request to the receiving end through a preset new key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information according to the key update request and obtains key confirmation update information; and a trigger encryption module, configured to, when the key confirmation update information sent by the receiving end is received, perform trigger encryption processing on the sent message information according to the new asymmetric key and the effective time to obtain second encrypted sent message information.
In the technical solution provided by the present application, when the sent message information is a business message and a key update completion instruction is received, the Advanced Encryption Standard key produced by the completed key update is obtained, a preset message encryption mechanism based on the Advanced Encryption Standard is invoked, and the sent message information is encrypted with the Advanced Encryption Standard key to obtain first encrypted sent message information; when the sent message information is a key update message, old asymmetric key expiration information of the sent message information is obtained, and first key information is generated according to the old asymmetric key expiration information, the first key information comprising a new asymmetric key and an effective time of the new asymmetric key; the receiver's asymmetric public key that is currently in effect is obtained, and the first key information is encrypted with it to obtain second key information; the second key information and a key update request are sent to the receiving end through a preset new key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information according to the key update request and obtains key confirmation update information; and, when the key confirmation update information sent by the receiving end is received, trigger encryption processing is performed on the sent message information according to the new asymmetric key and the effective time to obtain second encrypted sent message information. In the embodiments of the present application, encrypting the sent message information with the Advanced Encryption Standard key and generating the first key information according to the old asymmetric key expiration information provides privacy protection for communication messages of several sending types; sending the second key information and the key update request to the receiving end through the preset new key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information according to the key update request, achieves automatic, secure key update and easy key distribution; and performing trigger encryption processing on the sent message information according to the effective time and the new asymmetric key prevents an abnormality in the key update interaction from affecting normal business processing, reduces the number of communications while ensuring that the new asymmetric key is updated synchronously and successfully, and is simple to operate, thereby improving the security and reliability of the communication encryption mechanism.
Brief description of the drawings
FIG. 1 is a schematic diagram of an embodiment of the key-update-based encryption method in an embodiment of the present application;
FIG. 2 is a schematic diagram of another embodiment of the key-update-based encryption method in an embodiment of the present application;
FIG. 3 is a schematic diagram of an embodiment of the key-update-based encryption apparatus in an embodiment of the present application;
FIG. 4 is a schematic diagram of another embodiment of the key-update-based encryption apparatus in an embodiment of the present application;
FIG. 5 is a schematic diagram of an embodiment of the key-update-based encryption device in an embodiment of the present application.
Detailed Description
This application provides a key-update-based encryption method, apparatus, device and storage medium, which improve the security and reliability of the communication encryption mechanism.
To help those skilled in the art better understand the solution of this application, the embodiments of this application are described below with reference to the accompanying drawings.
The terms "first", "second", "third", "fourth" and so on (if any) in the description, the claims and the drawings of this application are used to distinguish similar objects and do not necessarily describe a particular order or sequence. It should be understood that data so designated may be interchanged where appropriate, so that the embodiments described here can be practised in an order other than the one illustrated or described. Furthermore, the terms "comprising" and "having", and any variants of them, are intended to cover non-exclusive inclusion: for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such a process, method, product or device.
Referring to FIG. 1, the flowchart of the key-update-based encryption method provided by an embodiment of this application specifically includes the following steps.
101. Obtain the message to be sent. When the message is a business message and a key update completion instruction has been received, obtain the AES key produced by the completed key update, invoke the preset AES-based message encryption mechanism, and encrypt the message with the AES key to obtain a first encrypted message.
It should be understood that the executing entity of this application may be a key-update-based encryption apparatus, and may also be a terminal or a server; this is not specifically limited here. The embodiments of this application are described by taking the sender's server as the executing entity.
Here, a business message is a message carrying business data. The Advanced Encryption Standard key is an AES key. When the server receives and accepts an AES key update request, it takes either the time at which the AES key update request was received, or the key update date carried in the request, as the AES key update initiation time. The update period within the AES key update initiation time must fall in a preset low-peak business period; the AES key update initiation time consists of the update date and the update period on which the AES key update is initiated.
During the AES key update initiation time, the server generates a new AES key and, once it has been generated, triggers the key update completion instruction, that is, the updated AES key is ready. When the server receives a message encryption request, it parses the request to obtain the message and identifies the message type. When the message is a business message and the key update completion instruction has been received, the server invokes the preset AES-based message encryption mechanism: it converts the message into a JavaScript Object Notation (JSON) string, yielding an initial string; converts the initial string into a UTF-8 (8-bit Unicode Transformation Format) string, yielding a target string; encrypts the target string with the AES key, yielding encrypted message data; and encodes the encrypted message data with the Base64 encoding algorithm, yielding the first encrypted message.
102. When the message is a key update message, obtain the expiry information of the old asymmetric key for the message, and generate first key information according to that expiry information; the first key information includes a new asymmetric key and the effective time of the new asymmetric key.
Here, a key update message is a message sent when a change in a business relationship requires the business credentials to be updated, or when a scheduled key update is due. The old asymmetric key expiry information is the expiry information of the old RSA (Rivest-Shamir-Adleman) key, and the new asymmetric key is a new RSA key.
When the server receives and accepts an asymmetric key update request, it parses the request to obtain the old asymmetric key expiry information for the message and the asymmetric key update initiation time. The update period within the asymmetric key update initiation time must fall in the preset low-peak business period; the asymmetric key update initiation time consists of the update date and the update period on which the asymmetric key update is initiated, or the date on which the asymmetric key update request was accepted is taken as the update date. When the message is a key update message, the server generates a new asymmetric key with a preset RSA key generation algorithm or RSA key generation tool, and sets the validity period, effective time and batch number of the new asymmetric key to obtain the first key information; the effective time is later than the update date in the asymmetric key update initiation time.
After obtaining the first key information, the server persists it to the preset storage space and to the disaster-recovery centre, and sets the status of the current key workflow node to "pending synchronization".
103. Obtain the currently valid asymmetric public key of the receiver, and encrypt the first key information with the receiver's asymmetric public key to obtain second key information.
The server obtains the receiver's currently valid asymmetric public key and encrypts the first key information with it to obtain the second key information. After obtaining the second key information, the server may store it in the preset storage space, or split it into shards and store the shards in a preset blockchain according to a preset storage policy that specifies a storage ratio and storage areas, which improves the security of access to the second key information. After obtaining the second key information, the server may also check its integrity, to improve the integrity of the encrypted second key information.
104. Through the preset new-key confirmation interface, send the second key information and a key update request to the receiving end, so that the receiving end, based on the key update request, performs key confirmation and key update on the second key information to obtain key confirmation update information.
The server sends the second key information and the key update request to the receiving end through the new-key confirmation interface (the KeyExchang interface), so that the receiving end, based on the key update request, decrypts the second key information with the receiver's currently valid RSA private key and checks whether the decryption succeeded. If it did, the receiving end obtains the new asymmetric key information decrypted from the second key information and persists it, thereby completing key confirmation and key update for the second key information, and sets the current key state to "pending activation". If it did not, the receiving end generates key confirmation update failure information and sends it to the server. When persisting the new asymmetric key information, the receiving end may store its validity period, effective time and batch number in separate storage areas to improve the security of access.
105. When the key confirmation update information sent by the receiving end is received, perform triggered encryption of the message according to the new asymmetric key and the effective time to obtain a second encrypted message.
When the server receives the key confirmation update information from the receiving end, it checks whether the current time is the effective time. If so, it triggers an activation instruction, on the basis of which it encrypts the message with the new asymmetric key to obtain the second encrypted message. If not, it keeps monitoring the effective time until it arrives, then triggers the activation instruction and, on that basis, encrypts the message with the new asymmetric key to obtain the second encrypted message.
After the server has performed triggered encryption of the message according to the new asymmetric key and the effective time and obtained the second encrypted message, it may further send the first encrypted message and/or the second encrypted message to the receiving end and monitor whether decryption acknowledgement information from the receiving end arrives within a preset time. If none arrives, the server encrypts the first encrypted message and/or the second encrypted message with the original key that preceded the newly updated key used in that message, obtaining a first re-encrypted message and/or a second re-encrypted message, which improves the flexibility of encryption under the existing communication encryption mechanism.
In another embodiment, after encoding the encrypted message data with the Base64 encoding algorithm, the server may additionally encrypt the encoded data with the new asymmetric key and the encryption procedure of steps 102-105 above, obtaining the first encrypted message.
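The business-message pipeline of step 101 (JSON, UTF-8, AES, Base64) and the key-information envelope of steps 102 to 104, worked through in Go as one added example; this is not code from the patent or from any implementation by the applicant. Everything the patent text does not fix is an assumption here: AES is used in GCM mode because the text names no mode (an AEAD also gives an integrity check that plain CBC or ECB would not); the JSON field names, the 2048-bit RSA key size and the hybrid envelope are the example's own choices. The envelope is the caveat a practitioner needs at step 103: the text encrypts the first key information, which contains the new RSA key, directly with the receiver's RSA public key, but one RSA-OAEP operation with a 2048-bit key carries at most 190 bytes, so real RSA key material has to be encrypted under a fresh symmetric content key with only that key RSA-wrapped.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"io"
)

// GCM is an assumption: the patent names only "AES" and fixes no mode; an AEAD also gives integrity.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under a fresh random nonce.
func seal(key, pt []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, nil), nil
}

// open reverses seal; tampering (tag mismatch) or truncation yields an error.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, io.ErrUnexpectedEOF
}

// EncryptBusinessMessage is step 101: JSON -> UTF-8 -> AES -> Base64 (encoding/json already emits UTF-8).
func EncryptBusinessMessage(aesKey []byte, msg any) (string, error) {
	js, err := json.Marshal(msg)
	if err != nil {
		return "", err
	}
	sealed, err := seal(aesKey, js)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// KeyInfo is the "first key information" of step 102 (field names assumed).
type KeyInfo struct {
	BatchNo       string `json:"batchNo"`
	EffectiveTime string `json:"effectiveTime"`
	NewKeyPEM     string `json:"newKeyPem"` // the new key material being distributed
}

// GenerateRecipientKey stands in for the receiver's currently valid RSA key pair.
func GenerateRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SealKeyInfo builds the "second key information" of step 103. One RSA-2048 OAEP block holds at most
// 190 bytes, far less than a PEM key, so a fresh AES-256 content key (cek) encrypts the KeyInfo and
// only the cek is RSA-OAEP-wrapped with the receiver's currently valid public key.
func SealKeyInfo(recipientPub *rsa.PublicKey, info KeyInfo) (wrappedCEK, payload []byte, err error) {
	js, _ := json.Marshal(info) // struct of strings: cannot fail
	cek := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, cek); err != nil {
		return nil, nil, err
	}
	if payload, err = seal(cek, js); err != nil {
		return nil, nil, err
	}
	wrappedCEK, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, cek, nil)
	return wrappedCEK, payload, err
}

// OpenKeyInfo is the receiving end's side of step 104; a wrong private key or an altered envelope fails.
func OpenKeyInfo(priv *rsa.PrivateKey, wrappedCEK, payload []byte) (info KeyInfo, err error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedCEK, nil)
	if err != nil {
		return info, err
	}
	js, err := open(cek, payload)
	if err != nil {
		return info, err
	}
	err = json.Unmarshal(js, &info)
	return info, err
}
```

The package deliberately has no main; call the functions from a test or from your own program. On the wire, wrappedCEK and payload would be Base64-encoded in the same way as the business message, and the receiving end reverses step 101 by decoding the Base64, calling open with the shared AES key and unmarshalling the JSON. The confirmation reply of steps 104 and 105 is not modelled here.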
In the embodiments of this application, encrypting the message with the AES key and generating the first key information from the expiry information of the old asymmetric key provides confidentiality protection for communication messages of several message types; sending the second key information and the key update request to the receiving end through the preset new-key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information based on the request, achieves automatic, secure key update and easy key distribution; and performing triggered encryption according to the effective time and the new asymmetric key prevents an abnormal key update exchange from disrupting normal business processing, leaves enough response time for handling an abnormal key exchange, and improves the availability of secure encryption. The number of communications is reduced while the synchronized update of the new asymmetric key is guaranteed to succeed, operation is simple, and the security and reliability of the communication encryption mechanism are thereby improved.
Referring to FIG. 2, another flowchart of the key-update-based encryption method provided by an embodiment of this application specifically includes the following steps.
201. Obtain the message to be sent. When the message is a business message and a key update completion instruction has been received, obtain the AES key produced by the completed key update, invoke the preset AES-based message encryption mechanism, and encrypt the message with the AES key to obtain a first encrypted message.
Step 201 is performed in the same way as step 101 above and is not described again here.
202. When the message is a key update message, obtain the expiry information of the old asymmetric key for the message, and generate first key information according to that expiry information; the first key information includes a new asymmetric key and the effective time of the new asymmetric key.
Specifically, when the message is a key update message, the server obtains the old asymmetric key expiry information for the message, the asymmetric key update initiation time, and the AES key update initiation time associated with the key update completion instruction; the old asymmetric key expiry information includes a preset trigger date. The server checks whether the asymmetric key update initiation time coincides with the AES key update initiation time. If they do not coincide, it obtains a new-key generation rule and generates the first key information according to that rule and the preset trigger date.
For example, the preset trigger date is n days before the old asymmetric key expires: if the old asymmetric key expiry information gives an expiry date of 20 October and n is 3, the preset trigger date is 17 October. After the server has obtained the old asymmetric key expiry information, the asymmetric key update initiation time A (consisting of update date A1 and update period A2), and the AES key update initiation time B associated with the key update completion instruction (consisting of update date B1 and update period B2), it checks whether A equals B. If so (A = B, that is, A1 = B1 and A2 = B2), it stops the generation and update of the new asymmetric key. If not (A ≠ B, that is, A1 ≠ B1 and A2 ≠ B2, or A1 = B1 and A2 ≠ B2, or A1 ≠ B1 and A2 = B2), it generates the first key information according to the new-key generation rule and the preset trigger date. The new-key generation rule is that the new-key generation-and-update instruction is triggered on the preset trigger date, and only then is the new asymmetric key generated and its validity period, effective time and batch number set according to preset rules. This staggers the asymmetric key update from the AES key update, avoids conflicts and confusion between key updates of different types, and improves the efficiency and accuracy of key updates.
Specifically, if the asymmetric key update initiation time does not coincide with the AES key update initiation time, the server obtains the new-key generation rule and triggers the new-key generation-and-update instruction on the preset trigger date; according to that instruction and the rule, it generates the new asymmetric key for the message together with its validity period and batch number, obtaining new asymmetric key information; and it configures the effective time of the new asymmetric key in that information according to the asymmetric key update initiation time and the preset low-peak business period, obtaining the first key information.
For example, if the asymmetric key update initiation time A (update date A1 and update period A2) does not coincide with the AES key update initiation time B (update date B1 and update period B2), that is, A ≠ B (A1 ≠ B1 and A2 ≠ B2, or A1 = B1 and A2 ≠ B2, or A1 ≠ B1 and A2 = B2), the server starts a preset timer that counts down to the trigger time on the preset trigger date. When the timer fires, the new-key generation-and-update instruction is triggered; according to it, the server generates the new asymmetric key for the message with an asymmetric key generation algorithm or asymmetric key generation tool (script) and configures its validity period and batch number, obtaining the new asymmetric key information. With a preset low-peak business period of 02:00-06:00 and an asymmetric key update date of 20 October, the effective time of the new asymmetric key is set to the 02:00-06:00 window on a day later than 23 October (that is, the effective time is later than the asymmetric key update date plus 3 days), which yields the first key information.
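The scheduling rules of step 202 above, and the effective-time gate of step 206, worked through in Go as an added example; this is not code from the patent. It computes the trigger date n days before expiry, applies the A = B coincidence check against the AES update, enforces that the update period lies in the low-peak window, and places the effective time. The 02:00-06:00 window, n = 3, and the reading of "later than 23 October" as the first low-peak window on 24 October are taken from the worked example; the struct shapes, the Beijing time zone and the helper names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// UpdateTime is an "update initiation time" as the text defines it: an update
// date (A1) plus an update period on that date (A2). The field shapes are assumed.
type UpdateTime struct {
	Date        time.Time // calendar day; time of day ignored
	PeriodStart time.Time
	PeriodEnd   time.Time
}

// Assumed from the worked example: low-peak window 02:00-06:00, n = 3 days.
const (
	lowPeakStartHour = 2
	lowPeakEndHour   = 6
	leadDays         = 3
)

func sameDay(a, b time.Time) bool {
	y1, m1, d1 := a.Date()
	y2, m2, d2 := b.Date()
	return y1 == y2 && m1 == m2 && d1 == d2
}

func minuteOfDay(t time.Time) int { return t.Hour()*60 + t.Minute() }

// InLowPeak reports whether an update period lies wholly inside the low-peak window.
func InLowPeak(periodStart, periodEnd time.Time) bool {
	return periodStart.Before(periodEnd) && sameDay(periodStart, periodEnd) &&
		minuteOfDay(periodStart) >= lowPeakStartHour*60 && minuteOfDay(periodEnd) <= lowPeakEndHour*60
}

// Coincides is the A = B test of the text: same update date and the same period.
func Coincides(a, b UpdateTime) bool {
	return sameDay(a.Date, b.Date) && a.PeriodStart.Equal(b.PeriodStart) && a.PeriodEnd.Equal(b.PeriodEnd)
}

// TriggerDate is "n days before the old key expires": 20 October with n = 3 gives 17 October.
func TriggerDate(oldKeyExpiry time.Time, n int) time.Time {
	y, m, d := oldKeyExpiry.Date()
	return time.Date(y, m, d, 0, 0, 0, 0, oldKeyExpiry.Location()).AddDate(0, 0, -n)
}

// EffectiveTime is the start of the first low-peak window on a day strictly later
// than update date + leadDays: update date 20 October gives 24 October 02:00.
func EffectiveTime(updateDate time.Time) time.Time {
	y, m, d := updateDate.AddDate(0, 0, leadDays+1).Date()
	return time.Date(y, m, d, lowPeakStartHour, 0, 0, 0, updateDate.Location())
}

// RotationPlan is the scheduling part of the first key information.
type RotationPlan struct {
	Trigger   time.Time // when the new-key generation-and-update instruction fires
	Effective time.Time // when the new asymmetric key becomes active
}

// PlanAsymmetricRotation is the step-202 decision: it refuses an update period
// outside the low-peak window and does not start the rotation when it coincides
// with the AES rotation.
func PlanAsymmetricRotation(oldKeyExpiry time.Time, rsaUpdate, aesUpdate UpdateTime) (RotationPlan, error) {
	if !InLowPeak(rsaUpdate.PeriodStart, rsaUpdate.PeriodEnd) {
		return RotationPlan{}, errors.New("asymmetric update period is outside the low-peak window")
	}
	if Coincides(rsaUpdate, aesUpdate) {
		return RotationPlan{}, errors.New("asymmetric and AES updates coincide; rotation not started")
	}
	return RotationPlan{Trigger: TriggerDate(oldKeyExpiry, leadDays), Effective: EffectiveTime(rsaUpdate.Date)}, nil
}

// ShouldActivate is the step-206 gate: switch to the new key only once the
// receiving end has confirmed and the effective time has arrived.
func ShouldActivate(now, effective time.Time, confirmed bool) bool {
	return confirmed && !now.Before(effective)
}

func main() {
	lo := time.FixedZone("CST", 8*3600) // assumed: Beijing time
	at := func(day, hour int) time.Time { return time.Date(2021, time.October, day, hour, 0, 0, 0, lo) }
	rsaUpd := UpdateTime{Date: at(20, 0), PeriodStart: at(20, 2), PeriodEnd: at(20, 4)}
	aesUpd := UpdateTime{Date: at(20, 0), PeriodStart: at(20, 4), PeriodEnd: at(20, 6)}
	plan, err := PlanAsymmetricRotation(at(20, 0), rsaUpd, aesUpd)
	fmt.Println(plan.Trigger, plan.Effective, err)
}
```

The coincidence test matches the text literally: two updates on the same date but in different low-peak periods are allowed to proceed, and only an identical date and period stops the RSA rotation.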
203. Obtain the currently valid asymmetric public key of the receiver, and encrypt the first key information with the receiver's asymmetric public key to obtain second key information.
Step 203 is performed in the same way as step 103 above and is not described again here.
204. Through the preset new-key confirmation interface, send the second key information and a key update request to the receiving end, so that the receiving end, based on the key update request, performs key confirmation and key update on the second key information to obtain key confirmation update information.
Specifically, the server sends the second key information and the key update request to the receiving end through the preset new-key confirmation interface, so that the receiving end, based on the key update request, obtains the receiver's asymmetric private key; decrypts the second key information with that private key and persists the result, obtaining decrypted new-key information that includes a batch number; concatenates a preset field with the batch number to obtain new-key encryption agreement information; and assembles the new-key encryption agreement information into a response message over the preset Hypertext Transfer Protocol, obtaining the key confirmation update information.
For example, the server sends the second key information and the key update request to the receiving end through the new-key confirmation interface (the KeyExchang interface), so that the receiving end decrypts the second key information with the receiver's currently valid RSA private key to obtain the decrypted new-key information, forms the new-key encryption agreement information confirmMsg from the batch number in that information and the preset field "CONFIRMED", in the form "batch number + CONFIRMED", and assembles the new-key encryption agreement information into a response message over HTTP (Hypertext Transfer Protocol), thereby obtaining the key confirmation update information.
205. When the key confirmation update information sent by the receiving end is received, decrypt it and then analyse its correctness to obtain new-key update completion information.
Specifically, when the server receives the key confirmation update information from the receiving end, it parses it to obtain parsed information and decrypts the parsed information with the new asymmetric key to obtain the new-key encryption agreement information; it then checks whether the new-key encryption agreement information matches a preset value. If it matches, the server generates new-key update completion information for the second key information; if it does not, the server repeatedly obtains target new-key encryption agreement information until it matches the preset value, and then obtains the new-key update completion information.
For example, the preset value may be a field, a field value, or both, and includes the batch number of the new asymmetric key and a confirmation field. When the key confirmation update information from the receiving end is received, it is parsed to obtain the parsed information, which is decrypted with the new asymmetric key to obtain the new-key encryption agreement information. The server checks whether the batch number in that information matches the batch number of the new asymmetric key it has stored, and whether the CONFIRMED field in it is the field agreed with the server (the confirmation field). If both hold, the server generates new-key update completion information for the second key information, indicating that the receiving end has received the correct new asymmetric key, and sets the state of the new key to "pending activation".
If not, the server generates new asymmetric key information according to the old asymmetric key expiry information, obtains the receiver's currently valid asymmetric public key, encrypts the new asymmetric key information with it to obtain encrypted information, and sends the encrypted information and a key update request to the receiving end through the preset new-key confirmation interface, so that the receiving end performs key confirmation and key update on the encrypted information based on the request and obtains new key confirmation update information. When the new key confirmation update information from the receiving end is received, it is parsed to obtain new parsed information, which is decrypted with the new asymmetric key to obtain target new-key encryption agreement information; the server checks whether this matches the preset value and repeats the steps above in a loop until the target new-key encryption agreement information matches the preset value, obtaining the new-key update completion information.
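The confirmation exchange of steps 204 and 205, as an added Go example that is not the patent's code: the receiving end's "batch number + CONFIRMED" reply, the sender's check that the reply carries both the agreed field and the batch number of the key it actually distributed, and the regenerate-and-resend loop. The receiving end is modelled as a function so that a peer that fails to decrypt, or that replies with a stale batch number, can be simulated; the attempt limit is an addition, because the text loops until the reply matches and would never terminate against a peer that never confirms. Transport over HTTP and the encryption of the reply are left out, and the batch-number generator is a hypothetical callback.

```go
package main

import (
	"fmt"
	"strings"
)

// confirmField is the preset field the text names.
const confirmField = "CONFIRMED"

// Receiver is the receiving end's side of steps 204-205: given the batch number
// carried in the new key information it has just decrypted and stored, it replies
// with confirmMsg, or with an error standing in for key confirmation update
// failure information.
type Receiver func(batchNo string) (confirmMsg string, err error)

// ConfirmMessage is what a correct receiving end returns: "batch number + CONFIRMED".
func ConfirmMessage(batchNo string) string { return batchNo + confirmField }

// CheckConfirmation is the sender's correctness analysis of step 205: the reply
// must end in the agreed field and name exactly the batch the sender distributed.
func CheckConfirmation(expectedBatch, confirmMsg string) bool {
	return strings.HasSuffix(confirmMsg, confirmField) &&
		strings.TrimSuffix(confirmMsg, confirmField) == expectedBatch
}

// ConfirmKeyUpdate runs the step-205 loop: on a failed or mismatched reply it
// regenerates the key information under a fresh batch number and resends.
// newBatch is a hypothetical callback that stands in for regenerating the first
// key information; maxAttempts bounds the loop the text leaves unbounded.
func ConfirmKeyUpdate(recv Receiver, newBatch func(attempt int) string, maxAttempts int) (string, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		batch := newBatch(attempt)
		reply, err := recv(batch)
		if err != nil {
			continue // key confirmation update failure information: resend
		}
		if CheckConfirmation(batch, reply) {
			return batch, nil // new-key update completion information; key now "pending activation"
		}
	}
	return "", fmt.Errorf("no valid confirmation after %d attempts", maxAttempts)
}
```

On success the returned batch number identifies the key that both sides now hold in the "pending activation" state, which is what the step-206 timer later activates; on exhaustion the caller gets an error instead of a server spinning on a peer that will never confirm.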
206. Trigger a new-key activation instruction according to the new-key update completion information and the effective time, and perform triggered encryption of the message according to the new-key activation instruction and the new asymmetric key to obtain the second encrypted message.
Specifically, on receipt of the new-key update completion information the server starts a preset timer that runs a timing task based on the effective time; when the timing task reaches the effective time, the new-key activation instruction is triggered; and with the new-key activation instruction and the new asymmetric key the server encrypts the message to obtain the second encrypted message.
For example, with an effective time of 03:00 on 2 October, once the server receives the new-key update completion information it starts the preset timer on a timing task based on the effective time; when the task reaches 03:00 on 2 October, the new-key activation instruction is triggered, and the message is encrypted with the new-key activation instruction and the new asymmetric key to obtain the second encrypted message.
In the embodiments of this application, encrypting the message with the AES key and generating the first key information from the expiry information of the old asymmetric key provides confidentiality protection for communication messages of several message types; sending the second key information and the key update request to the receiving end through the preset new-key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information based on the request, achieves automatic, secure key update and easy key distribution; and performing triggered encryption according to the effective time and the new asymmetric key prevents an abnormal key update exchange from disrupting normal business processing, leaves enough response time for handling an abnormal key exchange, and improves the availability of secure encryption. The number of communications is reduced while the synchronized update of the new asymmetric key is guaranteed to succeed, operation is simple, and the security and reliability of the communication encryption mechanism are thereby improved.
上面对本申请实施例中基于密钥更新的加密方法进行了描述,下面对本申请实施例中基于密钥更新的加密装置进行描述,请参阅图3,本申请实施例中基于密钥更新的加密装置一个实施例包括:The encryption method based on key update in the embodiment of the present application is described above, and the encryption device based on key update in the embodiment of the present application is described below. Please refer to FIG. 3 , the encryption device based on key update in the embodiment of the present application is described. One embodiment includes:
更新加密模块301,用于获取发文信息,当发文信息为业务发文,且接收到密钥更新完成指令时,获取密钥更新完成后的高级加密标准密钥,并调用预置的基于高级加密标准的报文加密机制,通过高级加密标准密钥,对发文信息进行加密,得到第一加密发文信息;The update encryption module 301 is used to obtain the sent message information, when the sent message information is a business sent message and the key update completion instruction is received, obtain the advanced encryption standard key after the key update is completed, and call the preset based on the advanced encryption standard The message encryption mechanism of the device encrypts the message sent by the Advanced Encryption Standard Key to obtain the first encrypted message sent;
生成模块302,用于当发文信息为密钥更新发文时,获取发文信息的旧非对称密钥到期信息,根据旧非对称密钥到期信息,生成第一密钥信息,第一密钥信息包括新非对称密钥,以及新非对称密钥的生效时间;The generating module 302 is configured to obtain the old asymmetric key expiration information of the sent message when the sent message is a key update message, and generate first key information, the first key according to the old asymmetric key expiration information The information includes the new asymmetric key, and the effective time of the new asymmetric key;
加密模块303,用于获取已生效的接收方非对称公钥,并通过接收方非对称公钥,对第一密钥信息进行加密,得到第二密钥信息;The encryption module 303 is configured to obtain the valid asymmetric public key of the recipient, and encrypt the first key information through the recipient's asymmetric public key to obtain the second key information;
发送模块304,用于通过预置的新密钥确认接口,将第二密钥信息和密钥更新请求发送给接收端,以使得接收端基于密钥更新请求,对第二密钥信息进行密钥确认和密钥更新,得到密钥确认更新信息;The sending module 304 is configured to send the second key information and the key update request to the receiving end through the preset new key confirmation interface, so that the receiving end encrypts the second key information based on the key update request. Key confirmation and key update, get key confirmation update information;
触发加密模块305,用于当接收到接收端发送的密钥确认更新信息时,根据新非对称密钥和生效时间,对发文信息进行触发加密处理,得到第二加密发文信息。The trigger encryption module 305 is configured to, when receiving the key confirmation update information sent by the receiving end, perform trigger encryption processing on the sent message according to the new asymmetric key and the effective time to obtain the second encrypted sent message.
上述基于密钥更新的加密装置中各个模块的功能实现与上述基于密钥更新的加密方法实施例中各步骤相对应,其功能和实现过程在此处不再一一赘述。The function implementation of each module in the above-mentioned key update-based encryption apparatus corresponds to each step in the above-mentioned key update-based encryption method embodiment, and the functions and implementation processes thereof will not be repeated here.
In the embodiment of the present application, the outgoing message information is encrypted with the Advanced Encryption Standard key, and the first key information is generated from the old asymmetric key expiration information, which provides confidentiality protection for communication messages of multiple outgoing message types; the second key information and the key update request are sent to the receiving end through the preset new key confirmation interface so that the receiving end performs key confirmation and key update on the second key information based on the key update request, which achieves automatic, secure key update and easy distribution; and the outgoing message information is trigger-encrypted according to the effective time and the new asymmetric key, which avoids the impact of an abnormal key update interaction on normal business processing, provides sufficient response time for handling key interaction exceptions, improves the availability of secure encryption, and reduces the number of communications while ensuring that the new asymmetric key is synchronously updated successfully. The operation is simple, and the security and reliability of the communication encryption mechanism are thereby improved.
Referring to FIG. 4, another embodiment of the key-update-based encryption apparatus in the embodiment of the present application includes:
an update encryption module 301, configured to obtain outgoing message information and, when the outgoing message information is a business outgoing message and a key update completion instruction is received, obtain the Advanced Encryption Standard key resulting from the completed key update, call a preset message encryption mechanism based on the Advanced Encryption Standard, and encrypt the outgoing message information with the Advanced Encryption Standard key to obtain first encrypted outgoing message information;
a generating module 302, configured to, when the outgoing message information is a key update outgoing message, obtain old asymmetric key expiration information of the outgoing message information and generate first key information according to the old asymmetric key expiration information, the first key information including a new asymmetric key and the effective time of the new asymmetric key;
an encryption module 303, configured to obtain a receiver asymmetric public key that is already in effect and encrypt the first key information with the receiver asymmetric public key to obtain second key information;
a sending module 304, configured to send the second key information and a key update request to the receiving end through a preset new key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information based on the key update request to obtain key confirmation update information;
a trigger encryption module 305, configured to, when the key confirmation update information sent by the receiving end is received, perform trigger encryption processing on the outgoing message information according to the new asymmetric key and the effective time to obtain second encrypted outgoing message information;
wherein the trigger encryption module 305 specifically includes:
a decryption analysis unit 3051, configured to, when the key confirmation update information sent by the receiving end is received, decrypt the key confirmation update information and then analyze its correctness to obtain new key update completion information;
a trigger encryption unit 3052, configured to trigger a new key effective instruction by means of the new key update completion information and the effective time, and to perform trigger encryption processing on the outgoing message information according to the new key effective instruction and the new asymmetric key to obtain the second encrypted outgoing message information.
Optionally, the generating module 302 may further specifically include:
an obtaining unit 3021, configured to, when the outgoing message information is a key update outgoing message, obtain the old asymmetric key expiration information and the asymmetric key update initiation time of the outgoing message information, as well as the Advanced Encryption Standard key update initiation time based on the key update completion instruction, the old asymmetric key expiration information including a preset trigger date;
a judging unit 3022, configured to judge whether the asymmetric key update initiation time is consistent with the Advanced Encryption Standard key update initiation time;
a generating unit 3023, configured to, if the asymmetric key update initiation time is inconsistent with the Advanced Encryption Standard key update initiation time, obtain a new key generation rule and generate the first key information by means of the new key generation rule and the preset trigger date.
Optionally, the generating unit 3023 may further specifically be configured to:
if the asymmetric key update initiation time is inconsistent with the Advanced Encryption Standard key update initiation time, obtain a new key generation rule and trigger a new key generation update instruction by means of the preset trigger date;
generate, by means of the new key generation update instruction and the new key generation rule, a new asymmetric key for the outgoing message information together with the validity period and batch number of the new asymmetric key, to obtain new asymmetric key information;
configure the effective time of the new asymmetric key in the new asymmetric key information according to the asymmetric key update initiation time and a preset business off-peak period, to obtain the first key information.
Optionally, the sending module 304 may further specifically be configured to:
send the second key information and the key update request to the receiving end through the preset new key confirmation interface, so that the receiving end obtains the receiver asymmetric private key based on the key update request;
decrypt and persistently store the second key information by means of the receiver asymmetric private key to obtain decrypted new key information, the decrypted new key information including a batch number;
concatenate a preset field with the batch number to obtain new key encryption agreement information;
assemble a response message for the new key encryption agreement information by means of the preset Hypertext Transfer Protocol to obtain the key confirmation update information.
Optionally, the decryption analysis unit 3051 may further specifically be configured to:
when the key confirmation update information sent by the receiving end is received, parse the key confirmation update information to obtain parsed information, and decrypt the parsed information with the new asymmetric key to obtain new key encryption agreement information;
judge whether the new key encryption agreement information is consistent with a preset value;
if the new key encryption agreement information is consistent with the preset value, generate new key update completion information for the second key information;
if the new key encryption agreement information is inconsistent with the preset value, iteratively obtain target new key encryption agreement information until the target new key encryption agreement information is consistent with the preset value, thereby obtaining the new key update completion information.
Optionally, the trigger encryption unit 3052 may further specifically be configured to:
call a preset timer by means of the new key update completion information to execute a timing task based on the effective time;
when the timing task reaches the effective time, trigger the new key effective instruction;
encrypt the outgoing message information by means of the new key effective instruction and the new asymmetric key to obtain the second encrypted outgoing message information.
The function implementation of each module and each unit in the above key-update-based encryption apparatus corresponds to the steps in the above embodiment of the key-update-based encryption method; their functions and implementation processes are not repeated here.
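The exchange carried out by units 3021 to 3052 above, as an added Go example that is not part of the patent: the sender seals the new key's public half, batch number and effective time for the receiver, the receiver answers with the preset field plus the batch number sealed under the new key, the sender checks that answer against the preset value, and a timer gate keeps the old key in use until the confirmed key's effective time. The hybrid RSA-OAEP/AES-GCM envelope, the NEWKEY-ACK preset field, RSA-2048 as the key generation rule and all function names are assumptions made here; the patent does not specify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"time"
)

// presetField is the "preset field" prepended to the batch number (claim 4); a constructed value.
const presetField = "NEWKEY-ACK:"

// Envelope is a payload sealed for one RSA public key. The patent only says "encrypt with the
// receiver's public key"; the hybrid layout (AES-256-GCM body, AES key wrapped with RSA-OAEP)
// is an assumption made here so that a public-key blob larger than one RSA block fits.
type Envelope struct{ WrappedKey, Nonce, Body []byte }

// NewKeyPair stands in for the patent's unspecified "new key generation rule".
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func seal(pub *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	key, nonce := make([]byte, 32), make([]byte, 12) // fresh key and nonce per message
	rand.Read(key) // crypto/rand.Read never returns an error on supported platforms
	rand.Read(nonce)
	block, _ := aes.NewCipher(key) // cannot fail: the key is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, err
}

func open(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // rejects a wrong-length key from a forged envelope
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Body, nil) // fails if the body was tampered with
}

type FirstKeyInfo struct { // the "first key information" of claims 1 and 3
	NewPublicKey []byte // PKCS#1 DER of the sender's new asymmetric key
	BatchNo      string
	EffectiveAt  time.Time
}

// BuildKeyUpdate seals the "second key information" (claim 1) for the receiver.
func BuildKeyUpdate(receiverPub *rsa.PublicKey, newPriv *rsa.PrivateKey, batch string, effectiveAt time.Time) (Envelope, error) {
	info := FirstKeyInfo{x509.MarshalPKCS1PublicKey(&newPriv.PublicKey), batch, effectiveAt}
	plain, _ := json.Marshal(info) // cannot fail for these field types
	return seal(receiverPub, plain)
}

// ConfirmKeyUpdate is the receiver side (claim 4): decrypt, keep the new key, answer presetField+batch under it.
func ConfirmKeyUpdate(receiverPriv *rsa.PrivateKey, second Envelope) (info FirstKeyInfo, ack Envelope, err error) {
	plain, err := open(receiverPriv, second)
	if err == nil {
		err = json.Unmarshal(plain, &info)
	}
	if err != nil {
		return
	}
	newPub, err := x509.ParsePKCS1PublicKey(info.NewPublicKey)
	if err != nil {
		return
	}
	ack, err = seal(newPub, []byte(presetField+info.BatchNo))
	return
}

// VerifyConfirmation is claim 6: decrypt with the new private key and compare with the preset value.
func VerifyConfirmation(newPriv *rsa.PrivateKey, batch string, ack Envelope) error {
	got, err := open(newPriv, ack)
	if err == nil && string(got) != presetField+batch {
		err = errors.New("new key confirmation does not match the preset value")
	}
	return err
}

// ActiveBatch is the timer gate of claim 7: the new batch is used only once it is confirmed and
// the effective time has arrived; until then business traffic keeps the old key.
func ActiveBatch(confirmed bool, info FirstKeyInfo, oldBatch string, now time.Time) string {
	if confirmed && !now.Before(info.EffectiveAt) {
		return info.BatchNo
	}
	return oldBatch
}
```

A confirmation that fails to decrypt, fails authentication, or names a different batch never marks the update complete, so the sender keeps encrypting business traffic under the old key.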
In the embodiment of the present application, the outgoing message information is encrypted with the Advanced Encryption Standard key, and the first key information is generated from the old asymmetric key expiration information, which provides confidentiality protection for communication messages of multiple outgoing message types; the second key information and the key update request are sent to the receiving end through the preset new key confirmation interface so that the receiving end performs key confirmation and key update on the second key information based on the key update request, which achieves automatic, secure key update and easy distribution; and the outgoing message information is trigger-encrypted according to the effective time and the new asymmetric key, which avoids the impact of an abnormal key update interaction on normal business processing, provides sufficient response time for handling key interaction exceptions, improves the availability of secure encryption, and reduces the number of communications while ensuring that the new asymmetric key is synchronously updated successfully. The operation is simple, and the security and reliability of the communication encryption mechanism are thereby improved.
FIG. 3 and FIG. 4 above describe the key-update-based encryption apparatus in the embodiment of the present application in detail from the perspective of modular functional entities; the key-update-based encryption device in the embodiment of the present application is described in detail below from the perspective of hardware processing.
FIG. 5 is a schematic structural diagram of a key-update-based encryption device provided by an embodiment of the present application. The key-update-based encryption device 500 may differ considerably depending on configuration or performance, and may include one or more processors (central processing units, CPU) 510 (for example, one or more processors), a memory 520, and one or more storage media 530 (for example, one or more mass storage devices) storing application programs 533 or data 532. The memory 520 and the storage medium 530 may be transient storage or persistent storage. The program stored in the storage medium 530 may include one or more modules (not shown in the figure), each of which may include a series of instruction operations on the key-update-based encryption device 500. Further, the processor 510 may be configured to communicate with the storage medium 530 and to execute the series of instruction operations in the storage medium 530 on the key-update-based encryption device 500.
The key-update-based encryption device 500 may further include one or more power supplies 540, one or more wired or wireless network interfaces 550, one or more input/output interfaces 560, and/or one or more operating systems 531, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, and so on. Those skilled in the art will understand that the structure of the key-update-based encryption device shown in FIG. 5 does not limit the key-update-based encryption device, which may include more or fewer components than shown, a combination of certain components, or a different arrangement of components.
The present application further provides a key-update-based encryption device, including a memory and at least one processor, the memory storing instructions, the memory and the at least one processor being interconnected by a line; the at least one processor invokes the instructions in the memory to cause the key-update-based encryption device to execute the steps of the above key-update-based encryption method.
The present application further provides a computer-readable storage medium, which may be a non-volatile computer-readable storage medium or a volatile computer-readable storage medium. The computer-readable storage medium stores computer instructions which, when run on a computer, cause the computer to execute the following steps:
obtaining outgoing message information and, when the outgoing message information is a business outgoing message and a key update completion instruction is received, obtaining the Advanced Encryption Standard key resulting from the completed key update, calling a preset message encryption mechanism based on the Advanced Encryption Standard, and encrypting the outgoing message information with the Advanced Encryption Standard key to obtain first encrypted outgoing message information; when the outgoing message information is a key update outgoing message, obtaining old asymmetric key expiration information of the outgoing message information and generating first key information according to the old asymmetric key expiration information, the first key information including a new asymmetric key and the effective time of the new asymmetric key; obtaining a receiver asymmetric public key that is already in effect and encrypting the first key information with the receiver asymmetric public key to obtain second key information; sending the second key information and a key update request to the receiving end through a preset new key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information based on the key update request to obtain key confirmation update information; and when the key confirmation update information sent by the receiving end is received, performing trigger encryption processing on the outgoing message information according to the new asymmetric key and the effective time to obtain second encrypted outgoing message information.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
The above embodiments are only intended to illustrate the technical solution of the present application, not to limit it. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (20)

  1. A key-update-based encryption method, comprising:
    obtaining outgoing message information and, when the outgoing message information is a business outgoing message and a key update completion instruction is received, obtaining the Advanced Encryption Standard key resulting from the completed key update, calling a preset message encryption mechanism based on the Advanced Encryption Standard, and encrypting the outgoing message information with the Advanced Encryption Standard key to obtain first encrypted outgoing message information;
    when the outgoing message information is a key update outgoing message, obtaining old asymmetric key expiration information of the outgoing message information and generating first key information according to the old asymmetric key expiration information, the first key information comprising a new asymmetric key and an effective time of the new asymmetric key;
    obtaining a receiver asymmetric public key that is already in effect, and encrypting the first key information with the receiver asymmetric public key to obtain second key information;
    sending the second key information and a key update request to a receiving end through a preset new key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information based on the key update request to obtain key confirmation update information;
    when the key confirmation update information sent by the receiving end is received, performing trigger encryption processing on the outgoing message information according to the new asymmetric key and the effective time to obtain second encrypted outgoing message information.
  2. The key-update-based encryption method according to claim 1, wherein, when the outgoing message information is a key update outgoing message, obtaining the old asymmetric key expiration information of the outgoing message information and generating the first key information according to the old asymmetric key expiration information comprises:
    when the outgoing message information is a key update outgoing message, obtaining the old asymmetric key expiration information and an asymmetric key update initiation time of the outgoing message information, as well as an Advanced Encryption Standard key update initiation time based on the key update completion instruction, the old asymmetric key expiration information comprising a preset trigger date;
    judging whether the asymmetric key update initiation time is consistent with the Advanced Encryption Standard key update initiation time;
    if the asymmetric key update initiation time is inconsistent with the Advanced Encryption Standard key update initiation time, obtaining a new key generation rule, and generating the first key information by means of the new key generation rule and the preset trigger date.
  3. The key-update-based encryption method according to claim 2, wherein, if the asymmetric key update initiation time is inconsistent with the Advanced Encryption Standard key update initiation time, obtaining the new key generation rule and generating the first key information by means of the new key generation rule and the preset trigger date comprises:
    if the asymmetric key update initiation time is inconsistent with the Advanced Encryption Standard key update initiation time, obtaining the new key generation rule, and triggering a new key generation update instruction by means of the preset trigger date;
    generating, by means of the new key generation update instruction and the new key generation rule, a new asymmetric key for the outgoing message information together with a validity period and a batch number of the new asymmetric key, to obtain new asymmetric key information;
    configuring the effective time of the new asymmetric key in the new asymmetric key information according to the asymmetric key update initiation time and a preset business off-peak period, to obtain the first key information.
  4. The key-update-based encryption method according to claim 1, wherein sending the second key information and the key update request to the receiving end through the preset new key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information based on the key update request to obtain the key confirmation update information, comprises:
    sending the second key information and the key update request to the receiving end through the preset new key confirmation interface, so that the receiving end obtains a receiver asymmetric private key based on the key update request;
    decrypting and persistently storing the second key information by means of the receiver asymmetric private key to obtain decrypted new key information, the decrypted new key information comprising a batch number;
    concatenating a preset field with the batch number to obtain new key encryption agreement information;
    assembling a response message for the new key encryption agreement information by means of a preset Hypertext Transfer Protocol to obtain the key confirmation update information.
  5. The key-update-based encryption method according to any one of claims 1 to 4, wherein, when the key confirmation update information sent by the receiving end is received, performing trigger encryption processing on the outgoing message information according to the new asymmetric key and the effective time to obtain the second encrypted outgoing message information comprises:
    when the key confirmation update information sent by the receiving end is received, decrypting the key confirmation update information and then analyzing its correctness to obtain new key update completion information;
    triggering a new key effective instruction by means of the new key update completion information and the effective time, and performing trigger encryption processing on the outgoing message information according to the new key effective instruction and the new asymmetric key to obtain the second encrypted outgoing message information.
  6. The key-update-based encryption method according to claim 5, wherein, when the key confirmation update information sent by the receiving end is received, decrypting the key confirmation update information and then analyzing its correctness to obtain the new key update completion information comprises:
    when the key confirmation update information sent by the receiving end is received, parsing the key confirmation update information to obtain parsed information, and decrypting the parsed information with the new asymmetric key to obtain new key encryption agreement information;
    judging whether the new key encryption agreement information is consistent with a preset value;
    if the new key encryption agreement information is consistent with the preset value, generating new key update completion information for the second key information;
    if the new key encryption agreement information is inconsistent with the preset value, iteratively obtaining target new key encryption agreement information until the target new key encryption agreement information is consistent with the preset value, thereby obtaining the new key update completion information.
  7. The key-update-based encryption method according to claim 5, wherein triggering the new key effective instruction by means of the new key update completion information and the effective time, and performing trigger encryption processing on the outgoing message information according to the new key effective instruction and the new asymmetric key to obtain the second encrypted outgoing message information, comprises:
    calling a preset timer by means of the new key update completion information to execute a timing task based on the effective time;
    when the timing task reaches the effective time, triggering the new key effective instruction;
    encrypting the outgoing message information by means of the new key effective instruction and the new asymmetric key to obtain the second encrypted outgoing message information.
  8. A key-update-based encryption device, comprising a memory, a processor, and computer-readable instructions stored in the memory and executable on the processor, wherein the processor, when executing the computer-readable instructions, implements the following steps:
    obtaining an outgoing message; when the outgoing message is a business message and a key update completion instruction has been received, obtaining the Advanced Encryption Standard (AES) key resulting from the completed key update, invoking a preset AES-based message encryption mechanism, and encrypting the outgoing message with the AES key to obtain a first encrypted outgoing message;
    when the outgoing message is a key-update message, obtaining old asymmetric key expiry information for the outgoing message, and generating first key information according to the old asymmetric key expiry information, the first key information comprising a new asymmetric key and an effective time of the new asymmetric key;
    obtaining the recipient's currently valid asymmetric public key, and encrypting the first key information with the recipient's asymmetric public key to obtain second key information;
    sending the second key information and a key update request to a receiving end through a preset new-key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information based on the key update request and obtains key confirmation update information;
    when the key confirmation update information sent by the receiving end is received, performing triggered encryption processing on the outgoing message according to the new asymmetric key and the effective time, to obtain a second encrypted outgoing message.
  9. The key-update-based encryption device according to claim 8, wherein the processor, when executing the computer-readable instructions to implement the step of, when the outgoing message is a key-update message, obtaining old asymmetric key expiry information for the outgoing message and generating first key information according to the old asymmetric key expiry information, performs the following steps:
    when the outgoing message is a key-update message, obtaining the old asymmetric key expiry information and the asymmetric key update initiation time of the outgoing message, together with the AES key update initiation time associated with the key update completion instruction, the old asymmetric key expiry information comprising a preset trigger date;
    determining whether the asymmetric key update initiation time coincides with the AES key update initiation time;
    if the asymmetric key update initiation time does not coincide with the AES key update initiation time, obtaining a new key generation rule, and generating the first key information according to the new key generation rule and the preset trigger date.
  10. The key-update-based encryption device according to claim 9, wherein the processor, when executing the computer-readable instructions to implement the step of, if the asymmetric key update initiation time does not coincide with the AES key update initiation time, obtaining a new key generation rule and generating the first key information according to the new key generation rule and the preset trigger date, performs the following steps:
    if the asymmetric key update initiation time does not coincide with the AES key update initiation time, obtaining the new key generation rule, and triggering a new key generation update instruction on the preset trigger date;
    generating, according to the new key generation update instruction and the new key generation rule, the new asymmetric key for the outgoing message together with the validity period and batch number of the new asymmetric key, to obtain new asymmetric key information;
    configuring the effective time of the new asymmetric key in the new asymmetric key information according to the asymmetric key update initiation time and a preset business off-peak period, to obtain the first key information.
  11. The key-update-based encryption device according to claim 8, wherein the processor, when executing the computer-readable instructions to implement the step of sending the second key information and the key update request to the receiving end through the preset new-key confirmation interface so that the receiving end performs key confirmation and key update on the second key information based on the key update request and obtains key confirmation update information, performs the following steps:
    sending the second key information and the key update request to the receiving end through the preset new-key confirmation interface, so that the receiving end, based on the key update request, obtains the recipient's asymmetric private key;
    decrypting the second key information with the recipient's asymmetric private key and persisting it, to obtain decrypted new key information, the decrypted new key information comprising a batch number;
    concatenating a preset field with the batch number to obtain new key encryption agreement information;
    assembling, according to a preset Hypertext Transfer Protocol (HTTP), a response message carrying the new key encryption agreement information, to obtain the key confirmation update information.
  12. The key-update-based encryption device according to any one of claims 8 to 11, wherein the processor, when executing the computer-readable instructions to implement the step of, when the key confirmation update information sent by the receiving end is received, performing triggered encryption processing on the outgoing message according to the new asymmetric key and the effective time to obtain the second encrypted outgoing message, performs the following steps:
    when the key confirmation update information sent by the receiving end is received, sequentially decrypting and analysing the correctness of the key confirmation update information, to obtain new key update completion information;
    triggering, according to the new key update completion information and the effective time, a new-key activation instruction, and performing triggered encryption processing on the outgoing message according to the new-key activation instruction and the new asymmetric key, to obtain the second encrypted outgoing message.
  13. The key-update-based encryption device according to claim 12, wherein the processor, when executing the computer-readable instructions to implement the step of, when the key confirmation update information sent by the receiving end is received, sequentially decrypting and analysing the correctness of the key confirmation update information to obtain new key update completion information, performs the following steps:
    when the key confirmation update information sent by the receiving end is received, parsing the key confirmation update information to obtain parsed information, and decrypting the parsed information with the new asymmetric key to obtain new key encryption agreement information;
    determining whether the new key encryption agreement information matches a preset value;
    if the new key encryption agreement information matches the preset value, generating new key update completion information for the second key information;
    if the new key encryption agreement information does not match the preset value, iteratively obtaining target new key encryption agreement information until the target new key encryption agreement information matches the preset value, and thereby obtaining the new key update completion information.
  14. The key-update-based encryption device according to claim 12, wherein the processor, when executing the computer-readable instructions to implement the step of triggering, according to the new key update completion information and the effective time, a new-key activation instruction, and performing triggered encryption processing on the outgoing message according to the new-key activation instruction and the new asymmetric key to obtain the second encrypted outgoing message, performs the following steps:
    invoking a preset timer in response to the new key update completion information, and running a timing task based on the effective time;
    when the timing task reaches the effective time, triggering the new-key activation instruction;
    encrypting the outgoing message, in response to the new-key activation instruction, with the new asymmetric key, to obtain the second encrypted outgoing message.
  15. A computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the following steps:
    obtaining an outgoing message; when the outgoing message is a business message and a key update completion instruction has been received, obtaining the Advanced Encryption Standard (AES) key resulting from the completed key update, invoking a preset AES-based message encryption mechanism, and encrypting the outgoing message with the AES key to obtain a first encrypted outgoing message;
    when the outgoing message is a key-update message, obtaining old asymmetric key expiry information for the outgoing message, and generating first key information according to the old asymmetric key expiry information, the first key information comprising a new asymmetric key and an effective time of the new asymmetric key;
    obtaining the recipient's currently valid asymmetric public key, and encrypting the first key information with the recipient's asymmetric public key to obtain second key information;
    sending the second key information and a key update request to a receiving end through a preset new-key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information based on the key update request and obtains key confirmation update information;
    when the key confirmation update information sent by the receiving end is received, performing triggered encryption processing on the outgoing message according to the new asymmetric key and the effective time, to obtain a second encrypted outgoing message.
  16. The computer-readable storage medium according to claim 15, wherein the computer instructions, when run on a computer, further cause the computer to perform the following steps:
    when the outgoing message is a key-update message, obtaining the old asymmetric key expiry information and the asymmetric key update initiation time of the outgoing message, together with the AES key update initiation time associated with the key update completion instruction, the old asymmetric key expiry information comprising a preset trigger date;
    determining whether the asymmetric key update initiation time coincides with the AES key update initiation time;
    if the asymmetric key update initiation time does not coincide with the AES key update initiation time, obtaining a new key generation rule, and generating the first key information according to the new key generation rule and the preset trigger date.
  17. The computer-readable storage medium according to claim 16, wherein the computer instructions, when run on a computer, further cause the computer to perform the following steps:
    if the asymmetric key update initiation time does not coincide with the AES key update initiation time, obtaining the new key generation rule, and triggering a new key generation update instruction on the preset trigger date;
    generating, according to the new key generation update instruction and the new key generation rule, the new asymmetric key for the outgoing message together with the validity period and batch number of the new asymmetric key, to obtain new asymmetric key information;
    configuring the effective time of the new asymmetric key in the new asymmetric key information according to the asymmetric key update initiation time and a preset business off-peak period, to obtain the first key information.
  18. The computer-readable storage medium according to claim 15, wherein the computer instructions, when run on a computer, further cause the computer to perform the following steps:
    sending the second key information and the key update request to the receiving end through the preset new-key confirmation interface, so that the receiving end, based on the key update request, obtains the recipient's asymmetric private key;
    decrypting the second key information with the recipient's asymmetric private key and persisting it, to obtain decrypted new key information, the decrypted new key information comprising a batch number;
    concatenating a preset field with the batch number to obtain new key encryption agreement information;
    assembling, according to a preset Hypertext Transfer Protocol (HTTP), a response message carrying the new key encryption agreement information, to obtain the key confirmation update information.
  19. The computer-readable storage medium according to any one of claims 15 to 18, wherein the computer instructions, when run on a computer, further cause the computer to perform the following steps:
    when the key confirmation update information sent by the receiving end is received, sequentially decrypting and analysing the correctness of the key confirmation update information, to obtain new key update completion information;
    triggering, according to the new key update completion information and the effective time, a new-key activation instruction, and performing triggered encryption processing on the outgoing message according to the new-key activation instruction and the new asymmetric key, to obtain the second encrypted outgoing message.
  20. A key-update-based encryption apparatus, comprising:
    an update encryption module, configured to obtain an outgoing message and, when the outgoing message is a business message and a key update completion instruction has been received, obtain the Advanced Encryption Standard (AES) key resulting from the completed key update, invoke a preset AES-based message encryption mechanism, and encrypt the outgoing message with the AES key to obtain a first encrypted outgoing message;
    a generation module, configured to, when the outgoing message is a key-update message, obtain old asymmetric key expiry information for the outgoing message and generate first key information according to the old asymmetric key expiry information, the first key information comprising a new asymmetric key and an effective time of the new asymmetric key;
    an encryption module, configured to obtain the recipient's currently valid asymmetric public key and encrypt the first key information with the recipient's asymmetric public key to obtain second key information;
    a sending module, configured to send the second key information and a key update request to a receiving end through a preset new-key confirmation interface, so that the receiving end performs key confirmation and key update on the second key information based on the key update request and obtains key confirmation update information;
    a triggered encryption module, configured to, when the key confirmation update information sent by the receiving end is received, perform triggered encryption processing on the outgoing message according to the new asymmetric key and the effective time, to obtain a second encrypted outgoing message.
PCT/CN2021/090175 2020-11-17 2021-04-27 Key-update-based encryption method, apparatus and device, and storage medium WO2022105113A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011284393.5 2020-11-17
CN202011284393.5A CN112202557B (en) 2020-11-17 2020-11-17 Encryption method, device, equipment and storage medium based on key update distribution

Publications (1)

Publication Number Publication Date
WO2022105113A1 true WO2022105113A1 (en) 2022-05-27

Family

ID=74033579

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/090175 WO2022105113A1 (en) 2020-11-17 2021-04-27 Key-update-based encryption method, apparatus and device, and storage medium

Country Status (2)

Country Link
CN (1) CN112202557B (en)
WO (1) WO2022105113A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112202557B (en) * 2020-11-17 2023-05-30 平安科技(深圳)有限公司 Encryption method, device, equipment and storage medium based on key update distribution
CN115460595B (en) * 2022-11-11 2023-03-24 北京数盾信息科技有限公司 Data transmission method based on satellite network, central gateway station and system
CN116155491B (en) * 2023-02-02 2024-03-08 广州万协通信息技术有限公司 Symmetric key synchronization method of security chip and security chip device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107070909A (en) * 2017-04-01 2017-08-18 广东欧珀移动通信有限公司 Method for sending information, message receiving method, apparatus and system
US20180351740A1 (en) * 2017-06-01 2018-12-06 International Business Machines Corporation Slice-level keyed encryption with support for efficient rekeying
CN110324143A (en) * 2019-05-24 2019-10-11 平安科技(深圳)有限公司 Data transmission method, electronic equipment and storage medium
CN111200491A (en) * 2018-11-20 2020-05-26 千寻位置网络有限公司 Key updating method, data decrypting method, device, client and interactive system
CN112202557A (en) * 2020-11-17 2021-01-08 平安科技(深圳)有限公司 Encryption method, device, equipment and storage medium based on secret key update distribution

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8699713B1 (en) * 2011-09-30 2014-04-15 Emc Corporation Key update with compromise detection
CN104539420B (en) * 2014-12-15 2017-09-19 南京中新赛克科技有限责任公司 A kind of safety key managing method of general Intelligent hardware
US10419211B1 (en) * 2015-11-30 2019-09-17 Cisco Technology, Inc. Hash-based key distribution
CN109587178A (en) * 2019-01-23 2019-04-05 四川虹美智能科技有限公司 A kind of intelligent appliance encryption control system and method based on MQTT
CN111669402B (en) * 2020-06-22 2023-03-21 深圳前海微众银行股份有限公司 Encrypted communication method, device, equipment and storage medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107070909A (en) * 2017-04-01 2017-08-18 广东欧珀移动通信有限公司 Method for sending information, message receiving method, apparatus and system
US20180351740A1 (en) * 2017-06-01 2018-12-06 International Business Machines Corporation Slice-level keyed encryption with support for efficient rekeying
CN111200491A (en) * 2018-11-20 2020-05-26 千寻位置网络有限公司 Key updating method, data decrypting method, device, client and interactive system
CN110324143A (en) * 2019-05-24 2019-10-11 平安科技(深圳)有限公司 Data transmission method, electronic equipment and storage medium
CN112202557A (en) * 2020-11-17 2021-01-08 平安科技(深圳)有限公司 Encryption method, device, equipment and storage medium based on secret key update distribution

Also Published As

Publication number Publication date
CN112202557B (en) 2023-05-30
CN112202557A (en) 2021-01-08

Similar Documents

Publication Publication Date Title
WO2022105113A1 (en) Key-update-based encryption method, apparatus and device, and storage medium
WO2022206349A1 (en) Information verification method, related apparatus, device, and storage medium
CN110691087B (en) Access control method, device, server and storage medium
CN110166242B (en) Message transmission method and device
CN107800675B (en) Data transmission method, terminal and server
US20190306157A1 (en) Authenticating and authorizing users with jwt and tokenization
EP2779524A1 (en) Secure data transmission method, device and system
EP3121994B1 (en) Automated provisioning of a network appliance
CN110213195B (en) Login authentication method, server and user terminal
CN110213247B (en) Method and system for improving safety of pushed information
CN111130798B (en) Request authentication method and related equipment
CN109688098B (en) Method, device and equipment for secure communication of data and computer readable storage medium
CN111740942B (en) Login/registration method, device, system, electronic equipment and storage medium
US20190273612A1 (en) Password based key derivation function for ntp
US11245518B2 (en) Systems and methods for enhancing web security
JP2018519562A (en) Method and system for transaction security
CN105262592A (en) Data interaction method and API interface
CN111970109A (en) Data transmission method and system
JP2013238965A (en) Authentication system, authentication device, authentication method, and program
WO2022042198A1 (en) Identity authentication method and apparatus, computer device, and storage medium
CN113205337A (en) Transaction processing system and method
KR102121399B1 (en) Local information acquisition method, apparatus and system
US11831792B2 (en) Mutual authentication of computer systems over an insecure network
CN113381853B (en) Method and device for generating random password and client authentication
CN113474777A (en) Service trust status

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21893270; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21893270; Country of ref document: EP; Kind code of ref document: A1)