
CN109040109A - Data trade method and system based on key management mechanism - Google Patents

Publication number
CN109040109A
Authority
CN
China
Prior art keywords
key
user
file
data
root
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811013228.9A
Other languages
Chinese (zh)
Other versions
CN109040109B (en
Inventor
张文
邵帅
崔浩亮
潘旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sailong Wenzhou Communication Technology Co ltd
Original Assignee
Guo Ding Cyberspace Safe Technology Co Ltd
Application filed by Guo Ding Cyberspace Safe Technology Co Ltd
Priority to CN201811013228.9A
Publication of CN109040109A
Application granted
Publication of CN109040109B
Legal status: Expired - Fee Related (current)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00: Payment architectures, schemes or protocols
    • G06Q20/38: Payment protocols; Details thereof
    • G06Q20/382: Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829: Payment protocols; Details thereof insuring higher security of transaction involving key management
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/0442: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/06: Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data trading method and system based on a key management mechanism. It uses end-to-end encryption so that a user's private data is always held as a ciphertext data volume while it travels from the sender's local key management service, through the key management server, to the receiver's local key management service. The file encryption key is generated by the sender and stored by the key management server. After the receiver purchases the data and obtains authorization for the file decryption key, it applies to the key management server for the key and only then decrypts the data, which avoids the risk of eavesdropping and tampering while the private data is in transit. The invention adopts a key management system that combines symmetric and asymmetric cryptography. This protects the user while keys are published and applied for, secures the sale and purchase of data, and gives users an efficient and reliable trading platform.

Description

Data trade method and system based on key management mechanism
Technical field
The present invention relates to the technical field of data trading, and in particular to a data trading method and system based on a key management mechanism. With the system, users can share data for payment according to their own needs, including selling and purchasing data.
Background art
With the continuous development of the information society, more and more people recognize the commercial value contained in data and the importance of data protection. However, common data services depend on the public network. Because the network itself lacks the necessary safeguards, a user's private data faces various risks in transit, such as being eavesdropped on or tampered with. How to give users a safe and convenient way to trade data without affecting the user experience is the foremost problem the data trading field currently has to consider.
Data encryption is a common way to protect data, and modern cryptography provides many efficient and reliable cryptographic algorithms for it. Symmetric key cryptography encrypts and decrypts with the same key; it is simple and efficient and hard to break. But because encryption and decryption usually take place at different stages of a data trade, the negotiation of the symmetric key may face security threats. Moreover, since the confidentiality of the system depends on the security of the key, transmitting and keeping the key safely on an open computer network is a serious problem. Asymmetric key encryption, by contrast, encrypts and decrypts with a matched pair of keys: the public key is published and the private key is kept secret. Each key performs the operation in one direction, and the other key performs the reverse operation. Data encrypted with the public key can only be decrypted with the corresponding private key, and data encrypted with the private key can only be decrypted with the corresponding public key. Asymmetric algorithms are strong and offer good confidentiality, and they remove the need for users to exchange keys over an insecure channel. However, their encryption and decryption are slow and unsuitable for large amounts of data, and a public key cryptosystem usually needs a trusted third party to provide the security service infrastructure.
Summary of the invention
In view of the shortcomings described above, the present invention combines the symmetric cryptosystem and the asymmetric cryptosystem to design a one-time-pad data trading method and system. The data trading method and system based on a key management mechanism give users a reliable and convenient platform for data trading operations while ensuring the efficiency and security of data protection.
To achieve the above object, the present invention provides a data trading method based on a key management mechanism, comprising:
User A generates a file encryption key for the data file to be traded, encrypts the file encryption key with user A's root key, and sends it to the key management server;
The key management server decrypts the file encryption key, allocates a file encryption key ID, encrypts the ID with user A's root key, and sends it to user A;
User A decrypts the file encryption key ID, and sends the file encryption key ID together with the data file encrypted with the file encryption key to user B;
User B obtains authorization for the decryption key of the data file through a purchase process, encrypts a file decryption key request message containing the file encryption key ID with user B's root key, and sends it to the key management server;
The key management server verifies user B's authorization information. After verification passes, it encrypts the file decryption key with user B's root key and sends it to user B, and user B views the original data file using the file decryption key.
As a further improvement of the present invention, a user obtains the root key as follows:
The user encrypts a root key request message containing the user public key with the server public key and sends it to the key management server;
The key management server decrypts the root key request message, allocates a root key, encrypts it with the user public key, and sends it to the user;
The user decrypts the root key and so obtains it.
As a further improvement of the present invention, the key management server uses the server private key to decrypt the root key request message that was encrypted with the server public key.
As a further improvement of the present invention, user A uses the user private key to decrypt the root key that was encrypted with the user public key.
As a further improvement of the present invention, the key management server uses the root key to decrypt the file encryption key that was encrypted with the root key, and stores the file encryption key.
As a further improvement of the present invention, each user corresponds to exactly one root key.
As a further improvement of the present invention, the file encryption key and the file decryption key are symmetric keys, and each encrypted file corresponds to exactly one file encryption key.
As a further improvement of the present invention, file encryption keys are divided, through different key attribute settings, into basic type data sharing keys and restricted type data sharing keys.
The present invention also provides a data trading system based on a key management mechanism, comprising: a local key management service running at the user application layer, and a remote key management server;
The local key management service is used for:
Generating the user public/private key pair;
Encrypting a root key request message containing the user public key with the server public key and sending it to the key management server;
Decrypting, with the user private key, the root key that was encrypted with the user public key;
Generating a file encryption key for the data file to be traded, encrypting the file encryption key with the root key, and sending it to the key management server;
Decrypting, with the root key, the file encryption key ID that was encrypted with the root key, and sharing the file encryption key ID together with the data file encrypted with the file encryption key;
Obtaining authorization for the decryption key of the data file through a purchase process, encrypting a file decryption key request message containing the file encryption key ID with the root key, and sending it to the key management server;
Viewing the original data file using the file decryption key;
The key management server is used for:
Generating the server public/private key pair;
Decrypting, with the server private key, the root key request message that was encrypted with the server public key, encrypting the allocated root key with the user public key, and sending it to the local key management service;
Decrypting, with the root key, the file encryption key that was encrypted with the root key, storing the file encryption key, encrypting the allocated file encryption key ID with the root key, and sending it to the local key management service;
Verifying the user's authorization information and, after verification passes, encrypting the file decryption key with the root key and sending it to the local key management service.
Compared with the prior art, the present invention has the following beneficial effects:
The present invention uses end-to-end encryption so that a user's private data is always held as a ciphertext data volume while it travels from the sender's local key management service, through the key management server, to the receiver's local key management service. The file encryption key is generated by the sender and stored by the key management server. After the receiver purchases the data and obtains authorization for the file decryption key, it applies to the key management server for the key and only then decrypts the data, which avoids the risk of eavesdropping and tampering while the private data is in transit. In addition, the present invention encrypts data with symmetric encryption, and the file encryption key that encrypts the data uses symmetric encryption. The present invention adopts a key management system that combines symmetric and asymmetric cryptography, which protects the user as far as possible while keys are published and applied for, secures the sale and purchase of data, and gives users an efficient and reliable trading platform.
Brief description of the drawings
Fig. 1 is a schematic diagram of the data trading system based on a key management mechanism disclosed in an embodiment of the present invention;
Fig. 2 is a diagram of the layered key structure of the data trading system based on a key management mechanism disclosed in an embodiment of the present invention;
Fig. 3 is a flow chart of root key initialization in the data trading method based on a key management mechanism disclosed in an embodiment of the present invention;
Fig. 4 is a flow chart of applying for a file encryption key ID in the data trading method based on a key management mechanism disclosed in an embodiment of the present invention;
Fig. 5 is a flow chart of obtaining the file encryption key in the data trading method based on a key management mechanism disclosed in an embodiment of the present invention.
Specific embodiment
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative work fall within the protection scope of the present invention.
The present invention is described in further detail below with reference to the drawings:
The present invention provides a data trading system based on a key management mechanism, comprising: a local key management service (TS) running at the user application layer, and a remote key management server (KMS); wherein:
The functions of the local key management service (TS) are as follows:
Generating the user public/private key pair;
Encrypting a root key request message containing the user public key with the server public key and sending it to the key management server;
Decrypting, with the user private key, the root key that was encrypted with the user public key;
Generating a file encryption key for the data file to be traded, encrypting the file encryption key with the root key, and sending it to the key management server;
Decrypting, with the root key, the file encryption key ID that was encrypted with the root key, and sharing the file encryption key ID together with the data file encrypted with the file encryption key;
Obtaining authorization for the decryption key of the data file through a purchase process, encrypting a file decryption key request message containing the file encryption key ID with the root key, and sending it to the key management server;
Viewing the original data file using the file decryption key;
The functions of the remote key management server (KMS) are as follows:
Generating the server public/private key pair;
Decrypting, with the server private key, the root key request message that was encrypted with the server public key, encrypting the allocated root key with the user public key, and sending it to the local key management service;
Decrypting, with the root key, the file encryption key that was encrypted with the root key, storing the file encryption key, encrypting the allocated file encryption key ID with the root key, and sending it to the local key management service;
Verifying the user's authorization information and, after verification passes, encrypting the file decryption key with the root key and sending it to the local key management service.
Specifically:
The local key management service (TS) of the present invention defines a specific ciphertext data format in which designated flag bits and fields identify the cryptographic algorithm and the encryption information. The original plaintext data of the application layer is processed by the key management service, which generates, in the encrypted space, a ciphertext data volume carrying the encryption information and key data. This ensures that the ciphertext data can still be restored while the original private data is never transmitted over the network in plaintext. The principle is shown in Fig. 1.
The remote key management server (KMS) of the present invention manages and maintains keys over their lifetime and provides the key security on which the end-to-end cryptographic service relies, which in turn secures the exchange of encrypted data. The data trading system based on a key management mechanism uses a layered key structure, as shown in Fig. 2.
The server public/private key pair (KMS_pub_key, KMS_pri_key) is generated by the key management server (KMS). The public key (KMS_pub_key) is placed in a certificate and provided to each user's local key management service (TS); the private key (KMS_pri_key) is stored on the key management server;
The user public/private key pair (TS_pub_key, TS_pri_key) is generated when the user uses the local key management service (TS). During registration the user sends the locally generated user public key (TS_pub_key) to the key management server (KMS), where it is used to protect the root key (rk). The user private key (TS_pri_key) is stored in the local key management service and is used to decrypt data encrypted with the user public key (TS_pub_key);
The user root key (rk) is generated by the key management server and, when the user applies for it, is distributed to the user encrypted with the user public key (TS_pub_key). The user root key is bound to the user account and protects the file encryption key (fek) while it is being published and applied for;
The file encryption key (fek) is generated by the local key management service (TS) and encrypts the data to be shared. After encrypting the data, the user can publish this file encryption key to the key management server, encrypted with the user root key (rk). After other users purchase the data, they can apply to the key management server for the file encryption key, and the key they apply for is transmitted encrypted with the user root key.
File encryption keys are always in ciphertext form while they pass through an interface, and any storage of a key in plaintext form must take place in a secure environment. The root key (rk) is designed to be exclusive to each user and corresponds one-to-one with that user's account, so that leakage of a single user's root key does not endanger the key transmission of other users. The file encryption key (fek) encrypts the data file, and each encrypted file corresponds to exactly one file encryption key, which protects the file during transmission over the public network.
Key distribution and negotiation are carried out jointly by the local key management service and the remote key management server. The key management service (TS) supports a variety of algorithms, including symmetric encryption algorithms for encrypting data files, such as SM4, AES, DES and IDEA, and asymmetric encryption algorithms for root key negotiation, such as RSA. Combining the symmetric and asymmetric key systems meets the security requirements for protecting data encryption keys and also meets the performance requirements of the data encryption user experience, striking a balance between security and practicality.
The present invention provides a data trading method based on a key management mechanism, comprising three phases: root key initialization, applying for a file encryption key ID, and obtaining the file encryption key; wherein:
As shown in Fig. 3, root key initialization in the present invention proceeds as follows:
After registering for the first time, a user first requests the key management server (KMS) to allocate a root key (rk). The root key request message is encrypted with the server public key (KMS_pub_key) preset locally and then sent to the key management server. The key request message contains a random number (random_num, to prevent replay attacks), the user identifier (user_id), the mark obtained after user registration (user_rflag), and the user public key (pub_key_TS). After receiving the key request message, the key management server verifies the user's identity: it uses the server private key (KMS_pri_key) to decrypt the root key request message that was encrypted with the server public key (KMS_pub_key), and if decryption succeeds, user identity verification passes. After verification passes, the server allocates a root key identifier (rk_id) and the root key itself (rk_body) for the user, encrypts the root key with the user public key (pub_key_TS) sent in the message, and issues it to the user. Finally, user A uses the user private key to decrypt the root key that was encrypted with the user public key, and obtains the root key (rk).
Further, each user corresponds to exactly one root key. If the user has registered before, root key initialization can be omitted when trading or sharing data.
As shown in Fig. 4, applying for a file encryption key ID in the present invention proceeds as follows:
After registration is complete, the user can encrypt and share data. The user first generates a file encryption key (fek) for the private data to be shared and then encrypts the file encryption key (fek) with the user's own root key (rk). The file encryption key (fek) comprises a random number (random_num), a file identifier (file_id), the key length (fek_len) and the key itself (fek_body). The user also needs to set the attributes of the file encryption key. The system supports two kinds of encryption key: the basic type data sharing key (Base Data Sharing Key, BDSK) and the restricted type data sharing key (Restricted Data Sharing Key, RDSK). A BDSK has to be purchased and an RDSK does not; see the description of file encryption key attributes for details. The encrypted key is sent to the key management server (KMS) through the key distribution interface. After parsing the message, the key management server decrypts the file encryption key using the stored root key of that user, stores the file encryption key (fek) in the key management server (KMS) so that other users can apply for it after buying the data, encrypts the allocated file encryption key ID with the root key and sends it to the user, and returns a success response message to the data publisher. At this point the user can share the encrypted data through other channels, and only users who have purchased the key or obtained authorization can view the original data.
As shown in Fig. 5, obtaining the file encryption key in the present invention proceeds as follows:
The user decrypts the file encryption key ID and sends the file encryption key ID together with the data file encrypted with the file encryption key to another user. If the file the other user receives is BDSK-encrypted, that user needs to obtain authorization for the file decryption key through the purchase process and then requests the key management server to issue the file decryption key. The file decryption key request message is encrypted with the user's root key and sent to the key management server through the key application interface. After parsing the message, the key management server verifies the user's authorization information according to the key attributes, such as key validity period, key effective frequency, key frequency of usage, the number of times the key can be shared, the number of times the key has been shared, and the key owner. After verification passes, the server returns a success response message to the data purchaser, encrypts the file decryption key with that user's root key, and issues it to the user. The user can then view the original data with the key obtained. If the file is RDSK-encrypted, the user requests the key management server to issue the file decryption key. The file decryption key request message is encrypted with the user's root key and sent to the key management server through the key application interface. After parsing the message, the key management server checks, according to the key attributes, such as validity period, key effective frequency, the number of times the key can be shared, the number of times the key has been shared, and whether the key has been revoked, whether the user may obtain the decryption key. If verification passes, the server returns a success response message to the user, encrypts the file decryption key with that user's root key, and issues it to the user.
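The three phases above (root key initialization, publishing a file encryption key, and requesting it after purchase) run end to end in the following added example, which is not code from the patent or its assignee. It assumes RSA-OAEP for wrapping rk and AES-256-GCM for wrapping fek and encrypting the file, since the description lists RSA and AES without padding or mode. The Go names, the `fek-N` ID format and the account names are hypothetical, the purchase is reduced to a flag, and the encryption of the root key request under KMS_pub_key with its random_num and user_rflag fields is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// seal and open use AES-256-GCM with the nonce prepended (mode assumed, not from the patent).
func seal(key, pt []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only validated 32-byte keys reach seal
	}
	g, _ := cipher.NewGCM(blk)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(ct) < 12 {
		return nil, fmt.Errorf("bad key or ciphertext")
	}
	g, _ := cipher.NewGCM(blk)
	return g.Open(nil, ct[:12], ct[12:], nil)
}

type KMS struct { // remote key management server; all names here are hypothetical
	rk, fek map[string][]byte // user_id -> root key; fek ID -> file encryption key
	buyers  map[string]bool   // "fekID/user_id" -> may fetch that fek
}

// Enroll is phase 1: the KMS binds a fresh rk to the account and wraps it under TS_pub_key.
func Enroll(k *KMS, user string) ([]byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // user side: TS key pair
	if err != nil {
		return nil, err
	}
	k.rk[user] = make([]byte, 32) // KMS side
	rand.Read(k.rk[user])
	w, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, k.rk[user], nil)
	return rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil) // user side; an empty w fails here
}

// PublishFEK is phase 2: unwrap fek with the seller's rk, store it, return its ID under rk.
func (k *KMS) PublishFEK(user string, wrapped []byte) ([]byte, error) {
	fek, err := open(k.rk[user], wrapped)
	if err != nil || len(fek) != 32 {
		return nil, fmt.Errorf("fek rejected")
	}
	id := fmt.Sprintf("fek-%d", len(k.fek)+1)
	k.fek[id], k.buyers[id+"/"+user] = fek, true
	return seal(k.rk[user], []byte(id)), nil
}

// RequestFEK is phase 3: release fek under the requester's rk only if authorization exists.
func (k *KMS) RequestFEK(user string, req []byte) ([]byte, error) {
	id, err := open(k.rk[user], req)
	if err != nil || !k.buyers[string(id)+"/"+user] {
		return nil, fmt.Errorf("request refused")
	}
	return seal(k.rk[user], k.fek[string(id)]), nil
}

// Trade has user A sell a file and user B ask for its key; bought says whether B paid.
func Trade(plaintext []byte, bought bool) ([]byte, error) {
	k := &KMS{map[string][]byte{}, map[string][]byte{}, map[string]bool{}}
	rkA, errA := Enroll(k, "userA")
	rkB, errB := Enroll(k, "userB")
	if errA != nil || errB != nil {
		return nil, fmt.Errorf("enrolment failed")
	}
	fek := make([]byte, 32) // generated by A's local service, one per file
	rand.Read(fek)
	file := seal(fek, plaintext)
	wid, err := k.PublishFEK("userA", seal(rkA, fek))
	if err != nil {
		return nil, err
	}
	id, _ := open(rkA, wid)                // A then shares id and file with B over any channel
	k.buyers[string(id)+"/userB"] = bought // stands in for the purchase process
	wfek, err := k.RequestFEK("userB", seal(rkB, id))
	if err != nil {
		return nil, err
	}
	fekB, _ := open(rkB, wfek)
	return open(fekB, file)
}

func main() {
	out, err := Trade([]byte("constructed sample record"), true)
	fmt.Printf("%q %v\n", out, err)
}
```

Every value that crosses the interface is sealed under the account's rk, so the server learns which account is asking from which stored rk authenticates the request, and a request that fails authentication is refused before any key lookup.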
The file encryption key (fek) has a variety of attributes, which the user sets while generating the encrypted file. They include the encryption algorithm, key length, key validity period, key creation time, key effective frequency, key frequency of usage, the number of times the key can be shared, the number of times the key has been shared, the key owner, key backup, and so on. The system currently provides users with two types of data sharing key:
1. Basic type data sharing key (Base Data Sharing Key). The basic type data sharing key (BDSK) is used to encrypt ordinary data files. It is generated by the data owner's local key management service and uploaded to the key management server for other users to purchase and apply for. Different data use different keys. The attributes of the basic type data sharing key include the encryption algorithm, key length, key validity period, key effective frequency, key frequency of usage, the number of times the key can be shared, the number of times the key has been shared, the key owner, key backup, and so on.
2. Restricted type data sharing key (Restricted Data Sharing Key). The restricted type data sharing key (RDSK) is used to encrypt share-type data files. It is generated by the data owner's local key management service and uploaded to the key management server. This key needs no purchase process, and the data owner can set whether it is burn-after-reading, whether it can be sent to a group, and whether it is revocable. The attributes of the restricted type data sharing key include the encryption algorithm, key length, key validity period, key effective frequency, the number of times the key can be shared, whether the key is revocable, the key owner, key backup, and so on.
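The attribute checks described for BDSK and RDSK keys can be expressed as a single authorization function on the key management server. The following is an added example, not code from the patent. Its field names, its reading of "effective frequency" as a cap on releases and of burn-after-reading as a single permitted release, and the order of the checks are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// KeyType distinguishes the two data sharing key types the description defines.
type KeyType int

const (
	BDSK KeyType = iota // basic type: the requester must have bought the key
	RDSK                // restricted type: no purchase, but the owner may revoke it
)

// Attrs is a subset of the fek attributes; field names and counter semantics are assumed.
type Attrs struct {
	Type      KeyType
	Owner     string
	NotAfter  time.Time       // end of the key validity period
	MaxUses   int             // "effective frequency", read here as releases allowed
	Uses      int             // "frequency of usage", read here as releases so far
	MaxShares int             // number of distinct users the key can be shared with
	Shared    map[string]bool // users the key has been shared with so far
	Revoked   bool            // RDSK only: the owner has withdrawn the key
}

// Authorize is the check the server runs before releasing fek to user.
// On success it updates the usage and sharing counters.
func Authorize(a *Attrs, user string, purchased bool, now time.Time) error {
	isOwner := user == a.Owner
	switch {
	case now.After(a.NotAfter):
		return errors.New("validity period has ended")
	case a.Type == RDSK && a.Revoked:
		return errors.New("revoked by owner")
	case a.Type == BDSK && !isOwner && !purchased:
		return errors.New("no purchase on record")
	case a.Uses >= a.MaxUses:
		return errors.New("permitted uses exhausted")
	case !isOwner && !a.Shared[user] && len(a.Shared) >= a.MaxShares:
		return errors.New("share limit reached")
	}
	a.Uses++
	if !isOwner {
		if a.Shared == nil {
			a.Shared = map[string]bool{}
		}
		a.Shared[user] = true
	}
	return nil
}

func main() {
	now := time.Date(2018, 9, 1, 0, 0, 0, 0, time.UTC) // constructed clock value
	// Constructed burn-after-reading RDSK: one release, one recipient.
	burn := &Attrs{Type: RDSK, Owner: "userA", NotAfter: now.Add(time.Hour),
		MaxUses: 1, MaxShares: 1}
	fmt.Println("first request: ", Authorize(burn, "userB", false, now))
	fmt.Println("second request:", Authorize(burn, "userB", false, now))
}
```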
The present invention is using cipher mode end to end, it is ensured that user's private data takes from the local key management of transmitting terminal It is engaged in Key Management server again into the transmission process of the local cipher key management services of receiving end always with ciphertext data volume Form save, file encryption key generates by transmitting terminal, saved by Key Management server;It buys data and obtains in receiving end Apply for key after the authorization of file decryption key from Key Management server, and completes the decryption of data;Avoid private data The risk monitored and distorted is faced in transmission process;In addition, symmetric cryptography is used to the encryption of data file in the present invention, to text The encryption of part encryption key uses asymmetric encryption, and present invention employs the key pipes that symmetric cryptography and asymmetric cryptography combine System is managed, which can farthest guarantee safety of the user in the publication and application process of key, Jin Erbao Hinder data sale and the safety in purchasing process, provides the transaction platform of high efficient and reliable for user.
The specific advantages of the invention are as follows:
1. High efficiency. Data encryption uses symmetric encryption, which is simple and efficient. Even for files with a large data volume, encryption and decryption can be completed within a time acceptable to the user, giving a smoother user experience.
2. Private ownership. The data publisher owns the data. The data is encrypted before being shared with other users; a user obtains the right to view the data only after completing the purchase of the data encryption key, but still cannot obtain the plaintext original of the data.
3. Persistence. Once encrypted, the data can be propagated through many channels. Different users can purchase the data decryption key through the transaction system, and the server records each user's key purchases, so a user retains permission to view the data plaintext even after changing devices.
4. Diversity. The data publisher can choose different data keys for encryption depending on the occasion in which the data is shared; different keys have different attributes, meeting the various needs of the data publisher.
5. Security. The key used for data encryption is protected by asymmetric cryptography, which guarantees secure transmission during key distribution. In addition, the data publisher and the buyer do not trade data files directly but trade keys through the transaction system, which protects the privacy of both the publisher and the buyer to the greatest extent.
The above are merely preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the invention may be modified and varied in many ways. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (9)

1. A data transaction method based on a key management mechanism, characterized by comprising:
User A generates a file encryption key for the data file to be traded, and sends the file encryption key, encrypted with user A's root key, to the key management server;
The key management server decrypts the file encryption key, and sends the allocated file encryption key ID, encrypted with user A's root key, to user A;
User A decrypts the file encryption key ID, and sends the file encryption key ID together with the data file encrypted with the file encryption key to user B;
User B obtains authorization for the decryption key of the data file through a purchase process, and sends a file decryption key request message containing the file encryption key ID, encrypted with user B's root key, to the key management server;
The key management server verifies user B's authorization information and, after verification passes, sends the file decryption key, encrypted with user B's root key, to user B; user B views the original data file by means of the file decryption key.
2. The data transaction method based on a key management mechanism according to claim 1, characterized in that the user root key is obtained as follows:
The user sends a root key request message containing the user public key, encrypted with the server public key, to the key management server;
The key management server decrypts the root key request message, and sends the allocated root key, encrypted with the user public key, to the user;
The user decrypts the root key, thereby obtaining the root key.
3. The data transaction method based on a key management mechanism according to claim 2, characterized in that the key management server uses the server private key to decrypt the root key request message encrypted with the server public key.
4. The data transaction method based on a key management mechanism according to claim 2, characterized in that the user uses the user private key to decrypt the root key encrypted with the user public key.
5. The data transaction method based on a key management mechanism according to claim 1, characterized in that the key management server uses the root key to decrypt the file encryption key encrypted with the root key, and stores the file encryption key.
6. The data transaction method based on a key management mechanism according to claim 1, characterized in that each user corresponds to one and only one root key.
7. The data transaction method based on a key management mechanism according to claim 1, characterized in that the file encryption key and the file decryption key are symmetric keys, and each encrypted file corresponds to one and only one file encryption key.
8. The data transaction method based on a key management mechanism according to claim 1, characterized in that, by setting different key attributes, file encryption keys are divided into basic data sharing keys and restricted data sharing keys.
9. A transaction system for implementing the data transaction method based on a key management mechanism according to any one of claims 1-8, characterized by comprising: a local key management service running at the user application layer, and a remote key management server;
The local key management service is configured:
To generate the user public/private key pair;
To send a root key request message containing the user public key, encrypted with the server public key, to the key management server;
To decrypt, using the user private key, the root key encrypted with the user public key;
To generate a file encryption key for the data file to be traded, and to send the file encryption key, encrypted with the root key, to the key management server;
To decrypt, using the root key, the file encryption key ID encrypted with the root key, and to share the file encryption key ID together with the data file encrypted with the file encryption key;
To obtain authorization for the decryption key of the data file through a purchase process, and to send a file decryption key request message containing the file encryption key ID, encrypted with the root key, to the key management server;
To view the original data file by means of the file decryption key;
The key management server is configured:
To generate the server public/private key pair;
To decrypt, using the server private key, the root key request message encrypted with the server public key, and to send the allocated root key, encrypted with the user public key, to the local key management service;
To decrypt, using the root key, the file encryption key encrypted with the root key, to store the file encryption key, and to send the allocated file encryption key ID, encrypted with the root key, to the local key management service;
To verify the user's authorization information and, after verification passes, to send the file decryption key, encrypted with the root key, to the local key management service.
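
The message flow of claim 1, as an added Python example that is not part of the patent text. `KeyServer`, `publish`, `fetch`, `seal` and `unseal` are hypothetical names; root keys are assumed to be already delivered (the public-key exchange of claim 2 is not modelled), the purchase process is reduced to a set of (user, key ID) pairs, and the symmetric wrap is a standard-library stand-in (SHA-256 keystream with an HMAC tag) where a deployment would use an AEAD such as AES-GCM.

```python
# Added example (hypothetical names). seal/unseal stand in for an AEAD such as AES-GCM.
import hashlib, hmac, secrets

def _sub(key, label):                       # separate encryption and MAC subkeys
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor(key, nonce, data):                 # SHA-256 counter-mode keystream
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):                   # encrypt-then-MAC under one wrapping key
    nonce = secrets.token_bytes(16)
    ct = _xor(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):                      # verify the tag before decrypting
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    return _xor(_sub(key, b"enc"), nonce, ct)

class KeyServer:
    def __init__(self):
        self.root, self.feks, self.purchases = {}, {}, set()
    def enroll(self, user):                 # assumption: root key delivery (claim 2) not modelled
        self.root[user] = secrets.token_bytes(32)
        return self.root[user]
    def register(self, user, wrapped_fek):  # claim 1: store FEK, return its ID wrapped
        key_id = secrets.token_hex(8)
        self.feks[key_id] = unseal(self.root[user], wrapped_fek)
        return seal(self.root[user], key_id.encode())
    def release(self, user, wrapped_req):   # claim 1: check authorization, then release
        key_id = unseal(self.root[user], wrapped_req).decode()
        if (user, key_id) not in self.purchases:
            raise PermissionError("no purchase recorded for this key ID")
        return seal(self.root[user], self.feks[key_id])

def publish(server, user, root, data):      # seller: returns what is handed to the buyer
    fek = secrets.token_bytes(32)
    key_id = unseal(root, server.register(user, seal(root, fek))).decode()
    return key_id, seal(fek, data)

def fetch(server, user, root, key_id, encrypted_file):  # buyer side
    fek = unseal(root, server.release(user, seal(root, key_id.encode())))
    return unseal(fek, encrypted_file)
```

As claim 5 describes, the server decrypts and stores the file encryption key itself, so it is fully trusted for confidentiality and the authorization check in `release` is the only gate between a holder of the encrypted file and its plaintext.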
CN201811013228.9A 2018-08-31 2018-08-31 Data transaction method and system based on key management mechanism Expired - Fee Related CN109040109B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811013228.9A CN109040109B (en) 2018-08-31 2018-08-31 Data transaction method and system based on key management mechanism

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811013228.9A CN109040109B (en) 2018-08-31 2018-08-31 Data transaction method and system based on key management mechanism

Publications (2)

Publication Number Publication Date
CN109040109A true CN109040109A (en) 2018-12-18
CN109040109B CN109040109B (en) 2022-01-21

Family

ID=64622651

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811013228.9A Expired - Fee Related CN109040109B (en) 2018-08-31 2018-08-31 Data transaction method and system based on key management mechanism

Country Status (1)

Country Link
CN (1) CN109040109B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697374A (en) * 2004-05-13 2005-11-16 华为技术有限公司 Method for sanding and receiving cipher data, device for distributing and receiving cipher data
US20080076355A1 (en) * 2006-09-27 2008-03-27 Waltermann Rod D Method for Protecting Security Accounts Manager (SAM) Files Within Windows Operating Systems
CN102025485A (en) * 2009-09-14 2011-04-20 中兴通讯股份有限公司 Key negotiation method, key management server and terminal
CN102970299A (en) * 2012-11-27 2013-03-13 西安电子科技大学 File safe protection system and method thereof
CN103354498A (en) * 2013-05-31 2013-10-16 北京鹏宇成软件技术有限公司 Identity-based file encryption transmission method
CN104506483A (en) * 2014-10-21 2015-04-08 中兴通讯股份有限公司 Method for encrypting and decrypting information and managing secret key as well as terminal and network server
CN104811448A (en) * 2015-04-21 2015-07-29 成都汇智远景科技有限公司 Safe data storage method
CN107276756A (en) * 2017-07-27 2017-10-20 深圳市金立通信设备有限公司 A kind of method and server for obtaining root key
CN108038128A (en) * 2017-11-08 2018-05-15 平安科技(深圳)有限公司 A kind of search method, system, terminal device and storage medium for encrypting file

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110166458A (en) * 2019-05-23 2019-08-23 王怀尊 A kind of three-level code key encryption system
CN110166458B (en) * 2019-05-23 2022-08-02 王怀尊 Three-level key encryption method
CN110414192A (en) * 2019-06-14 2019-11-05 伊格拉斯控股有限公司 Keyholed back plate system and method applied to safe manufacturing
CN110414192B (en) * 2019-06-14 2023-09-26 尚承科技股份有限公司 Control and management system and method applied to safety manufacture
CN112699132A (en) * 2021-03-22 2021-04-23 阿里云计算有限公司 Method and device for decrypting security module
CN112699132B (en) * 2021-03-22 2022-04-22 阿里云计算有限公司 Method and device for decrypting security module

Also Published As

Publication number Publication date
CN109040109B (en) 2022-01-21


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220406

Address after: 325011 room 325, No. 166, Wenchang Road, Science Park, Wenzhou high tech Industrial Development Zone, Puzhou street, Longwan District, Wenzhou City, Zhejiang Province

Patentee after: Sailong (Wenzhou) communication technology Co.,Ltd.

Address before: Room C606, floor 6, B-2, Zhongguancun Dongsheng Science Park, No. 66, xixiaokou Road, Haidian District, Beijing 100192

Patentee before: GUODING NETWORK SPACE SECURITY TECHNOLOGY CO.,LTD.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20220121