CN112738083B - System and method for managing secure access key based on cross-network and cross-border data transmission - Google Patents
System and method for managing secure access key based on cross-network and cross-border data transmission Download PDFInfo
- Publication number
- CN112738083B CN112738083B CN202011581638.0A CN202011581638A CN112738083B CN 112738083 B CN112738083 B CN 112738083B CN 202011581638 A CN202011581638 A CN 202011581638A CN 112738083 B CN112738083 B CN 112738083B
- Authority
- CN
- China
- Prior art keywords
- key
- working
- master
- keys
- file data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 230000005540 biological transmission Effects 0.000 title claims abstract description 34
- 238000000034 method Methods 0.000 title claims abstract description 28
- 230000008676 import Effects 0.000 claims abstract description 13
- 230000006378 damage Effects 0.000 claims abstract description 10
- 238000012545 processing Methods 0.000 claims description 31
- 238000007726 management method Methods 0.000 claims description 30
- 230000006870 function Effects 0.000 claims description 15
- 230000004044 response Effects 0.000 claims description 2
- 239000013256 coordination polymer Substances 0.000 description 11
- 230000008569 process Effects 0.000 description 6
- 238000004364 calculation method Methods 0.000 description 5
- 238000010586 diagram Methods 0.000 description 3
- 230000004075 alteration Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
- 238000000844 transformation Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to the technical field of encryption and decryption, in particular to a system and a method for managing a secure access key based on cross-network and cross-border data transmission. The system for managing the secure access key based on cross-network and cross-border data transmission comprises the following components: the system comprises a key generation module, a key import module, a key storage module, a key use module and a key destruction module; the key generation module is used for generating one or more keys of the following: a protection key, a master key, an authentication key, and a working key; the key import module is used for: different keys are imported into the corresponding areas respectively; the key storage module is used for: storing different keys into respective corresponding areas; the key use module is used for: performing a corresponding function using the different keys; the key destruction module is used for: destroying the different keys. Through the system, a three-level key management mode is adopted, and all keys are stored in sequence, so that key management is greatly facilitated.
Description
Technical Field
The invention relates to the technical field of encryption and decryption, in particular to a system and a method for managing a secure access key based on cross-network and cross-border data transmission.
Background
With the development of internationalization, more and more enterprises have branch offices abroad, and files often need to be transmitted in the process of enterprise office, if existing communication software is directly used, for example: the transmission of QQ, weChat, etc. has a great security risk, so in the prior art, different encryption methods are adopted to encrypt the file to be transmitted, wherein the more complicated the encryption steps, the more involved keys, and how to effectively manage the keys becomes the urgent need to be solved.
Disclosure of Invention
Therefore, a secure access key management system based on cross-network and cross-border data transmission needs to be provided, which is used for solving the technical problems that encryption is complex and the number of keys is large to be managed in the cross-border file transmission process, and the specific technical scheme is as follows:
a cross-network cross-border data transmission based secure access key management system, comprising: the system comprises a key generation module, a key import module, a key storage module, a key use module and a key destruction module;
the key generation module is used for generating one or more keys of the following: a protection key, a master key, an authentication key, and a working key;
the protection key is randomly generated and is used for encrypting and protecting other locally stored keys, wherein the other locally stored keys comprise one or more of the following keys: a master key, a derivative key, an authentication key, and a device key;
the other locally stored secret keys are arranged in the memory of the external network processing area;
the protection key is a primary key, the master key, the authentication key and the derivative key are secondary keys, and the working key is a tertiary key;
the master key is used for encrypting the working key;
the derivative key is used for updating and calculating a master key;
the authentication key is used for calculating a working key MAC;
the equipment key is used for identity authentication of equipment;
the working key is used for encrypting and decrypting the user file data;
the key import module is used for: different keys are imported into the corresponding areas respectively;
the key storage module is used for: storing different keys into respective corresponding areas;
the key use module is used for: performing a corresponding function using the different keys;
the key destruction module is used for: destroying different keys;
the different keys include one or more of the following: protection key, master key, authentication key, working key, derivative key, device key.
Further, the first component and the third component of the protection key are arranged in the internal memory of the external network processing area, and the second component of the protection key is arranged in the starting UKEY of the internal network processing area.
In order to solve the technical problems, the invention also provides a cross-network and cross-border data transmission based secure access key management method, which comprises the following specific technical scheme:
a secure access key management method based on cross-network and cross-border data transmission comprises the following steps:
the key generation module randomly generates a protection key, writes a first component and a third component of the protection key into the memory of the external network processing area, and writes a second component of the protection key into the boot UKEY, wherein the protection key is used for encrypting and protecting other locally stored keys, and the other locally stored keys comprise one or more keys of the following: a master key, a derivative key, an authentication key, and a device key;
the key generation module is further configured to generate one or more of the following keys: a master key, an authentication key, and a working key;
the other locally stored secret keys are arranged in the memory of the external network processing area;
the protection key is a primary key, the master key, the authentication key and the derivative key are secondary keys, and the working key is a tertiary key;
the master key is used for encrypting the working key;
the derivative key is used for updating and calculating a master key;
the authentication key is used for calculating a working key MAC;
the equipment key is used for identity authentication of equipment;
the working key is used for encrypting and decrypting the user file data;
the key importing module imports different keys to the corresponding areas respectively;
the key storage module stores different keys to respective corresponding areas;
the key use module uses different keys to execute corresponding functions;
the key destroying module destroys different keys;
the different keys include one or more of the following: protection key, master key, authentication key, working key, derivative key, device key.
Further, the method further comprises the steps of:
loading a master key, decrypting the master key ciphertext through a protection key, processing a master key plaintext check value through CRC32, and splicing and storing the master key ciphertext and the master key plaintext check value into an external network processing area memory;
loading an authentication key, decrypting the authentication key ciphertext through a protection key to obtain an authentication key plaintext, processing the authentication key plaintext through a CRC32 to obtain an authentication key plaintext check value, and splicing and storing the authentication key ciphertext and the authentication key plaintext check value into an external network processing area memory.
Further, the method further comprises the steps of:
responding to the file uploading instruction, and selecting a master key according to the ID of the receiving terminal equipment;
generating a working key;
reading file data, and encrypting the file data plaintext through the working key to obtain a file data ciphertext;
calculating a plaintext hash value of the file data;
encrypting the working key by using the master key to obtain a working key ciphertext, and calculating the working key information to obtain a message authentication code;
sending the working key ciphertext, the file data ciphertext, the message authentication code and the data plaintext hash value to a central server;
the receiving end obtains the working key ciphertext, the file data ciphertext, the message authentication code and the data plaintext hash value from the central server, selects a master key according to the ID of the transmitting end equipment, and uses the master key to decrypt the working key ciphertext;
verifying whether the message authentication code is correct, if so, decrypting the file data ciphertext through the working key to obtain a file data plaintext to be confirmed, and calculating the file data plaintext hash value to be confirmed;
and judging whether the plaintext hash value of the file data to be confirmed is consistent with the plaintext hash value of the data, and if so, successfully decrypting.
Further, the method further comprises the steps of:
judging whether the current master key is used or not, if so, calculating a new master key according to the current master key data, the derivative key and the version number;
the derivative key is preset.
Further, before the "response file upload instruction", the method further includes:
and distributing a unique corresponding master key for each combination of the sending end and the receiving end.
Further, the step of reading the file data specifically further includes the steps of:
and reading the file data according to the file name.
The beneficial effects of the invention are as follows: a cross-network cross-border data transmission based secure access key management system, comprising: the device is provided with a key generation module, a key import module, a key storage module, a key use module and a key destruction module; the key generation module is used for generating one or more keys of the following: a protection key, a master key, an authentication key, and a working key; the protection key is randomly generated, a first component and a third component of the protection key are arranged in the memory of the external network processing area, and a second component of the protection key is arranged in the startup UKEY; the protection key is used for encrypting and protecting other locally stored keys, wherein the other locally stored keys comprise one or more of the following keys: a master key, a derivative key, an authentication key, and a device key; the other locally stored secret keys are arranged in the memory of the external network processing area; the protection key is a primary key, the master key, the authentication key and the derivative key are secondary keys, and the working key is a tertiary key; the master key is used for encrypting the working key; the derivative key is used for updating and calculating a master key; the authentication key is used for calculating a working key MAC; the equipment key is used for identity authentication of equipment; the working key is used for encrypting and decrypting the user file data; the key import module is used for: different keys are imported into the corresponding areas respectively; the key storage module is used for: storing different keys into respective corresponding areas; the key use module is used for: performing a corresponding function using the different keys; the key destruction module is used for: destroying different keys; the different keys include one or more of the following: protection key, master key, authentication key, working key, derivative key, device key. Through the system, a three-level key management mode is adopted, and all keys are stored in sequence, so that key management is greatly facilitated.
Drawings
Fig. 1 is a schematic block diagram of a secure access key management system based on cross-network and cross-border data transmission according to an embodiment;
fig. 2 is a schematic diagram of a secure access key management system based on cross-network and cross-border data transmission according to an embodiment;
fig. 3 is a schematic diagram II of a secure access key management system based on cross-network and cross-border data transmission according to an embodiment;
fig. 4 is a flowchart of a secure access key management method based on cross-network and cross-border data transmission according to an embodiment.
Reference numerals illustrate:
100. a secure access key management system based on cross-network and cross-border data transmission,
101. the key generation module is configured to generate a key,
102. the key is imported into the module by a key importing module,
103. the key storage module is configured to store a key,
104. the key-use module is configured to receive a key,
105. and the key destroying module.
Detailed Description
In order to describe the technical content, constructional features, achieved objects and effects of the technical solution in detail, the following description is made in connection with the specific embodiments in conjunction with the accompanying drawings.
Referring to fig. 1 to 3, in this embodiment, an embodiment of a secure access key management system 100 based on cross-network and cross-border data transmission is as follows:
a cross-network cross-border data transfer based secure access key management system 100, comprising: a key generation module 101, a key import module 102, a key storage module 103, a key use module 104, and a key destruction module 105;
the key generation module 101 is configured to generate one or more of the following keys: a protection key, a master key, an authentication key, and a working key;
the protection key is randomly generated and is used for encrypting and protecting other locally stored keys, wherein the other locally stored keys comprise one or more of the following keys: a master key, a derivative key, an authentication key, and a device key;
the other locally stored secret keys are arranged in the memory of the external network processing area;
the protection key is a primary key, the master key, the authentication key and the derivative key are secondary keys, and the working key is a tertiary key;
the master key is used for encrypting the working key;
the derivative key is used for updating and calculating a master key;
the authentication key is used for calculating a working key MAC;
the equipment key is used for identity authentication of equipment;
the working key is used for encrypting and decrypting the user file data;
the key import module 102 is configured to: different keys are imported into the corresponding areas respectively;
the key storage module 103 is configured to: storing different keys into respective corresponding areas;
the key usage module 104 is configured to: performing a corresponding function using the different keys;
the key destruction module 105 is configured to: destroying different keys;
the different keys include one or more of the following: protection key, master key, authentication key, working key, derivative key, device key.
As shown in fig. 2, the key management is performed in an external network processing area (CP side) and an internal network processing area (FT side) of the hardware main board.
Wherein the key types are as shown in the following table:
| numbering device | Key type | Key algorithm |
| 1 | Protecting keys | SM4 algorithm |
| 2 | Master key | SM4 algorithm |
| 3 | Authentication key | SM4 algorithm |
| 4 | Working key | SM4 algorithm |
In this embodiment, a three-level key management system is employed, as shown in fig. 3.
The first component and the third component of the protection key are arranged in the internal memory of the external network processing area, and the second component of the protection key is arranged in the starting UKEY of the internal network processing area. The protection key components one and three are keys that are uniquely stored in the clear among all keys.
The protection key encrypts the protection master key, the authentication key, the derivative key and the device key, and the key encrypted and protected by the protection key is stored in the FLASH at the CP side and can be used after being decrypted by the protection key.
The specific use process is as follows:
the first and third protection Key components are stored in the FLASH of the CP, the second protection Key component is read from the boot Key after the boot Key authentication is completed by the password module, the protection Key and the protection Key check value are synthesized in the memory of the CP side for storage, and other functions of accessing and using the protection Key are not provided except the encryption and decryption protection of the master Key, the derivative Key, the authentication Key and the equipment Key. The firmware checks the check value before using the protection key, and if the protection key is damaged due to hardware reasons, the firmware can find out through the check and immediately make the cross-network data transmission security access system enter an error state.
Master key: the encrypted text is stored in the FLASH of the CP and is not exported in any form. Besides the encryption and decryption protection of the working key and the update calculation of the master key, other functions for accessing and using the master key are not provided. The firmware checks the check value before using the master key, and if the master key is damaged due to hardware, the firmware can find out through the check and immediately put the cross-network data transmission security access system into an error state.
Authentication key: the encrypted text is stored in the FLASH of the CP and is not exported in any form. No other function is provided for accessing and using the authentication key other than the calculation of the MAC operation on the working key. The firmware checks the check value before using the authentication key, and if the authentication key is damaged due to hardware reasons, the firmware can find out through the check and immediately put the cross-network data transmission security access system into an error state.
Working key: the working key can be used only after the legal user passes through the working key, and the working key ciphertext can be derived by using the master key encryption.
The specific functions are as follows:
the life management cycle of the protection key is as follows:
the full life cycle management of the master key is shown in the following table:
the full life cycle management of the authentication key is as follows:
the full life cycle management of the working key is shown in the following table:
through the system, a three-level key management mode is adopted, and all keys are stored in sequence, so that key management is greatly facilitated.
Referring to fig. 2 to fig. 4, in this embodiment, a specific embodiment of a secure access key management method based on cross-network cross-border data transmission is as follows:
randomly generating a protection key, writing a first component and a third component of the protection key into an external network processing area memory, and writing a second component of the protection key into a startup UKEY, wherein the protection key is used for encrypting and protecting other locally stored keys, and the other locally stored keys comprise one or more of the following keys: a master key, a derivative key, an authentication key, and a device key;
the key generation module is further configured to generate one or more of the following keys: a master key, an authentication key, and a working key;
the other locally stored secret keys are arranged in the memory of the external network processing area;
the protection key is a primary key, the master key, the authentication key and the derivative key are secondary keys, and the working key is a tertiary key;
the master key is used for encrypting the working key;
the derivative key is used for updating and calculating a master key;
the authentication key is used for calculating a working key MAC;
the equipment key is used for identity authentication of equipment;
the working key is used for encrypting and decrypting the user file data;
the key import module is used for importing different keys into the corresponding areas respectively;
the key storage module is used for storing different keys to the corresponding areas respectively;
the key use module is used for executing corresponding functions by using different keys;
the key destroying module is used for destroying different keys;
the different keys include one or more of the following: protection key, master key, authentication key, working key, derivative key, device key.
As shown in fig. 2, the key management is performed in an external network processing area (CP side) and an internal network processing area (FT side) of the hardware main board.
Wherein the key types are as shown in the following table:
| numbering device | Key type | Key algorithm |
| 1 | Protecting keys | SM4 algorithm |
| 2 | Master key | SM4 algorithm |
| 3 | Authentication key | SM4 algorithm |
| 4 | Working key | SM4 algorithm |
In this embodiment, a three-level key management system is employed, as shown in fig. 3.
The specific use process is as follows:
the first and third protection Key components are stored in the FLASH of the CP, the second protection Key component is read from the boot Key after the boot Key authentication is completed by the password module, the protection Key and the protection Key check value are synthesized in the memory of the CP side for storage, and other functions of accessing and using the protection Key are not provided except the encryption and decryption protection of the master Key, the derivative Key, the authentication Key and the equipment Key. The firmware checks the check value before using the protection key, and if the protection key is damaged due to hardware reasons, the firmware can find out through the check and immediately make the cross-network data transmission security access system enter an error state.
Master key: the encrypted text is stored in the FLASH of the CP and is not exported in any form. Besides the encryption and decryption protection of the working key and the update calculation of the master key, other functions for accessing and using the master key are not provided. The firmware checks the check value before using the master key, and if the master key is damaged due to hardware, the firmware can find out through the check and immediately put the cross-network data transmission security access system into an error state.
Authentication key: the encrypted text is stored in the FLASH of the CP and is not exported in any form. No other function is provided for accessing and using the authentication key other than the calculation of the MAC operation on the working key. The firmware checks the check value before using the authentication key, and if the authentication key is damaged due to hardware reasons, the firmware can find out through the check and immediately put the cross-network data transmission security access system into an error state.
Working key: the working key can be used only after the legal user passes through the working key, and the working key ciphertext can be derived by using the master key encryption.
The specific functions are as follows:
the life management period of the protection key, the full life management of the authentication key and the full life period of the working key are the same as those of the above-mentioned system for managing the secure access key based on cross-network and cross-border data transmission, and will not be repeated here.
Further, in order to protect the security of cross-network and cross-border data transmission, in this embodiment, a master key and a working key are involved, where the master key is mainly used to encrypt the working key, and the security is not further improved, and the method further includes the steps of: judging whether the current master key is used or not, if so, calculating a new master key according to the current master key data, the derivative key and the version number; the derivative key is preset. I.e. the master key is used only once, wherein both the version number and the derivative key are preset.
In this embodiment, a unique master key is assigned to each combination of the transmitting end and the receiving end in advance. The method comprises the following steps: if two transmitting ends a1, a2 (may also be receiving ends) and three receiving ends b1, b2, b3 (may also be transmitting ends) coexist, six combinations a1b1, a1b2, a1b3, a2b1, a2b2, and a2b3 exist. Six uniquely corresponding master keys are assigned to the two combinations, respectively.
Referring to fig. 4, the specific encryption and decryption processes are as follows (wherein steps S401 to S406 are encryption processes; steps S407 to S411 are decryption processes):
step S401: and responding to the file uploading instruction, and selecting a master key according to the ID of the receiving terminal equipment. The method comprises the following steps: and after receiving the file uploaded by the corresponding service system, the sending end enters a file encryption processing flow, and the main control program selects a main key according to the ID of the receiving end equipment.
Step S402: a working key is generated. The method comprises the following steps: and calling the noise source chip to generate a working key.
Step S403: and reading file data, and encrypting the file data plaintext through the working key to obtain file data ciphertext. The step of reading the file data specifically further comprises the steps of: and reading the file data according to the file name. And the file data plaintext encryption processing (SM4_XTS) is completed through the FPGA.
Step S404: and calculating the plaintext hash value of the file data. The method comprises the following steps: the file data plaintext HASH value calculation (sm3_hash) is completed by the FPGA.
Step S405: and encrypting the working key by using the master key to obtain a working key ciphertext, and calculating the working key information to obtain a message authentication code. The method comprises the following steps: the working key is encrypted (sm4_cbc) using the master key and a message authentication code (sm4_cbc_mac) is calculated for the working key information. The method comprises the following steps: the transmitting end, the receiving end and the server all store the correct format of the message authentication code. The format serves as an initial authentication and information extraction standard. If the format is not satisfied, the message authentication code is directly considered illegal and the information in the message authentication code is not extracted. When transmitting, the transmitting end calculates the message authentication code by adopting the format. Such as: the fixed character with fixed bit number is preset in front of the message authentication code as the initial identification message of the information. And then storing the work key information, and storing the end identification information of the fixed character information after the work key information. And finally calculating the length information of the work key information and storing the length information at the tail end.
Step S406: and sending the working key ciphertext, the file data ciphertext, the message authentication code and the data plaintext hash value to a central server.
Step S407: the receiving end obtains the working key ciphertext, the file data ciphertext, the message authentication code and the data plaintext hash value from the central server, selects a master key according to the ID of the sending end device, and uses the master key to decrypt the working key ciphertext.
Step S408: is the message authentication code correct? The method comprises the following steps: judging whether the message authentication code accords with a preset format or not according to the preset format. The method accords with the work key information and the length information to make preliminary judgment whether the work key information and the length information are correct. If so, the message authentication code is considered correct.
If so, step S409 is performed: and decrypting the file data ciphertext through the working key to obtain a file data plaintext to be confirmed, and calculating the file data plaintext hash value to be confirmed. The method comprises the following steps: and the receiving end FPGA decrypts the file data ciphertext by using the working key to obtain a file data plaintext to be confirmed, and the FPGA calculates the file data plaintext hash value to be confirmed.
Step S410: is the file data plaintext hash value to be validated consistent with the data plaintext hash value? If so, step S411 is executed: decryption was successful.
By the mode, the safety of cross-network and cross-border data transmission between the sending end and the receiving end can be practically ensured.
It should be noted that, although the foregoing embodiments have been described herein, the scope of the present invention is not limited thereby. Therefore, based on the innovative concepts of the present invention, alterations and modifications to the embodiments described herein, or equivalent structures or equivalent flow transformations made by the present description and drawings, apply the above technical solution, directly or indirectly, to other relevant technical fields, all of which are included in the scope of the invention.
Claims (6)
1. A cross-network cross-border data transmission based secure access key management system, comprising: the system comprises a key generation module, a key import module, a key storage module, a key use module and a key destruction module;
the key generation module is used for generating one or more keys of the following: a protection key, a master key, an authentication key, and a working key;
the protection key is randomly generated and is used for encrypting and protecting other locally stored keys, wherein the other locally stored keys comprise one or more of the following keys: a master key, a derivative key, an authentication key, and a device key;
the other locally stored secret keys are arranged in the memory of the external network processing area;
the protection key is a primary key, the master key, the authentication key and the derivative key are secondary keys, and the working key is a tertiary key;
the master key is used for encrypting the working key;
the derivative key is used for updating and calculating a master key;
the authentication key is used for calculating a working key MAC;
the equipment key is used for identity authentication of equipment;
the working key is used for encrypting and decrypting the user file data;
the key import module is used for: different keys are imported into the corresponding areas respectively;
the key storage module is used for: storing different keys into respective corresponding areas;
the key use module is used for: performing a corresponding function using the different keys;
the key destruction module is used for: destroying different keys;
the different keys include one or more of the following: a protection key, a master key, an authentication key, a working key, a derivative key, and a device key; the first component and the third component of the protection key are arranged in the internal memory of the external network processing area, and the second component of the protection key is arranged in the starting UKEY of the internal network processing area;
the key generation module is further configured to: responding to the file uploading instruction, and selecting a master key according to the ID of the receiving terminal equipment; generating a working key;
the key usage module is further configured to: reading file data, and encrypting the file data plaintext through the working key to obtain a file data ciphertext; calculating a plaintext hash value of the file data; encrypting the working key by using the master key to obtain a working key ciphertext, and calculating the working key information to obtain a message authentication code; sending the working key ciphertext, the file data ciphertext, the message authentication code and the data plaintext hash value to a central server; the corresponding receiving end obtains the working key ciphertext, the file data ciphertext, the message authentication value and the data plaintext hash value from the central server, selects a master key according to the ID of the transmitting end device, and decrypts the working key ciphertext by using the master key; verifying whether the message authentication code is correct, if so, decrypting the file data ciphertext through the working key to obtain a file data plaintext to be confirmed, and calculating the file data plaintext hash value to be confirmed; and judging whether the plaintext hash value of the file data to be confirmed is consistent with the plaintext hash value of the data, and if so, successfully decrypting.
2. The method for managing the secure access key based on cross-network and cross-border data transmission is characterized by comprising the following steps:
the key generation module randomly generates a protection key, writes a first component and a third component of the protection key into the memory of the external network processing area, and writes a second component of the protection key into the boot UKEY, wherein the protection key is used for encrypting and protecting other locally stored keys, and the other locally stored keys comprise one or more keys of the following: a master key, a derivative key, an authentication key, and a device key;
the key generation module is further configured to generate one or more of the following keys: a master key, an authentication key, and a working key;
the other locally stored secret keys are arranged in the memory of the external network processing area;
the protection key is a primary key, the master key, the authentication key and the derivative key are secondary keys, and the working key is a tertiary key;
the master key is used for encrypting the working key;
the derivative key is used for updating and calculating a master key;
the authentication key is used for calculating a working key MAC;
the equipment key is used for identity authentication of equipment;
the working key is used for encrypting and decrypting the user file data;
the key importing module imports different keys to the corresponding areas respectively;
the key storage module stores different keys to respective corresponding areas;
the key use module uses different keys to execute corresponding functions;
the key destroying module destroys different keys;
the different keys include one or more of the following: a protection key, a master key, an authentication key, a working key, a derivative key, and a device key;
responding to the file uploading instruction, and selecting a master key according to the ID of the receiving terminal equipment;
generating a working key;
reading file data, and encrypting the file data plaintext through the working key to obtain a file data ciphertext;
calculating a plaintext hash value of the file data;
encrypting the working key by using the master key to obtain a working key ciphertext, and calculating the working key information to obtain a message authentication code;
sending the working key ciphertext, the file data ciphertext, the message authentication code and the data plaintext hash value to a central server;
the receiving end obtains the working key ciphertext, the file data ciphertext, the message authentication code and the data plaintext hash value from the central server, selects a master key according to the ID of the transmitting end equipment, and uses the master key to decrypt the working key ciphertext;
verifying whether the message authentication code is correct, if so, decrypting the file data ciphertext through the working key to obtain a file data plaintext to be confirmed, and calculating the file data plaintext hash value to be confirmed;
and judging whether the plaintext hash value of the file data to be confirmed is consistent with the plaintext hash value of the data, and if so, successfully decrypting.
3. The cross-network and cross-border data transmission based secure access key management method according to claim 2, further comprising the steps of:
loading a master key, decrypting the master key ciphertext through a protection key, processing a master key plaintext check value through CRC32, and splicing and storing the master key ciphertext and the master key plaintext check value into an external network processing area memory;
loading an authentication key, decrypting the authentication key ciphertext through a protection key to obtain an authentication key plaintext, processing the authentication key plaintext through a CRC32 to obtain an authentication key plaintext check value, and splicing and storing the authentication key ciphertext and the authentication key plaintext check value into an external network processing area memory.
4. The cross-network and cross-border data transmission based secure access key management method according to claim 2, further comprising the steps of:
judging whether the current master key is used or not, if so, calculating a new master key according to the current master key data, the derivative key and the version number;
the derivative key is preset.
5. The method for managing a secure access key based on cross-network and cross-border data transmission according to claim 2, wherein before the "response file upload instruction", further comprises:
and distributing a unique corresponding master key for each combination of the sending end and the receiving end.
6. The method for managing the secure access key based on cross-network and cross-border data transmission according to claim 2, wherein the step of reading file data specifically further comprises the steps of:
and reading the file data according to the file name.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011581638.0A CN112738083B (en) | 2020-12-28 | 2020-12-28 | System and method for managing secure access key based on cross-network and cross-border data transmission |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011581638.0A CN112738083B (en) | 2020-12-28 | 2020-12-28 | System and method for managing secure access key based on cross-network and cross-border data transmission |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112738083A CN112738083A (en) | 2021-04-30 |
| CN112738083B true CN112738083B (en) | 2023-05-19 |
Family
ID=75606584
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011581638.0A Active CN112738083B (en) | 2020-12-28 | 2020-12-28 | System and method for managing secure access key based on cross-network and cross-border data transmission |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112738083B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114528561B (en) * | 2022-01-13 | 2025-03-14 | 山东华芯半导体有限公司 | A flash key storage management method |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101986596A (en) * | 2010-10-21 | 2011-03-16 | 无锡江南信息安全工程技术中心 | Key management mechanism |
| CN103065082A (en) * | 2012-07-04 | 2013-04-24 | 北京京航计算通讯研究所 | Software security protection method based on Linux system |
| CN106330868A (en) * | 2016-08-14 | 2017-01-11 | 北京数盾信息科技有限公司 | Encrypted storage key management system and method of high-speed network |
| CN107733647A (en) * | 2017-12-08 | 2018-02-23 | 前海联大(深圳)技术有限公司 | Key updating method based on PKI security system |
| CN110071799A (en) * | 2019-04-09 | 2019-07-30 | 山东超越数控电子股份有限公司 | A kind of generation guard method of encryption storage key, system, terminating machine and readable storage medium storing program for executing |
| CN111428280A (en) * | 2020-06-09 | 2020-07-17 | 浙江大学 | SoC security chip key information integrity storage and error self-healing method |
| CN111444553A (en) * | 2020-04-01 | 2020-07-24 | 中国人民解放军国防科技大学 | Secure storage implementation method and system supporting TEE extension |
| CN111625791A (en) * | 2020-04-28 | 2020-09-04 | 郑州信大捷安信息技术股份有限公司 | Key management method and system based on software cryptographic module |
| CN111737770A (en) * | 2020-05-29 | 2020-10-02 | 宁波三星医疗电气股份有限公司 | Key management method and application |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9432184B2 (en) * | 2008-09-05 | 2016-08-30 | Vixs Systems Inc. | Provisioning of secure storage for both static and dynamic rules for cryptographic key information |
| US10110380B2 (en) * | 2011-03-28 | 2018-10-23 | Nxp B.V. | Secure dynamic on chip key programming |
-
2020
- 2020-12-28 CN CN202011581638.0A patent/CN112738083B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101986596A (en) * | 2010-10-21 | 2011-03-16 | 无锡江南信息安全工程技术中心 | Key management mechanism |
| CN103065082A (en) * | 2012-07-04 | 2013-04-24 | 北京京航计算通讯研究所 | Software security protection method based on Linux system |
| CN106330868A (en) * | 2016-08-14 | 2017-01-11 | 北京数盾信息科技有限公司 | Encrypted storage key management system and method of high-speed network |
| CN107733647A (en) * | 2017-12-08 | 2018-02-23 | 前海联大(深圳)技术有限公司 | Key updating method based on PKI security system |
| CN110071799A (en) * | 2019-04-09 | 2019-07-30 | 山东超越数控电子股份有限公司 | A kind of generation guard method of encryption storage key, system, terminating machine and readable storage medium storing program for executing |
| CN111444553A (en) * | 2020-04-01 | 2020-07-24 | 中国人民解放军国防科技大学 | Secure storage implementation method and system supporting TEE extension |
| CN111625791A (en) * | 2020-04-28 | 2020-09-04 | 郑州信大捷安信息技术股份有限公司 | Key management method and system based on software cryptographic module |
| CN111737770A (en) * | 2020-05-29 | 2020-10-02 | 宁波三星医疗电气股份有限公司 | Key management method and application |
| CN111428280A (en) * | 2020-06-09 | 2020-07-17 | 浙江大学 | SoC security chip key information integrity storage and error self-healing method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112738083A (en) | 2021-04-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11308241B2 (en) | Security data generation based upon software unreadable registers | |
| CN111104691A (en) | Sensitive information processing method and device, storage medium and equipment | |
| CN111639348B (en) | Management method and device of database keys | |
| CN113132099A (en) | Method and device for encrypting and decrypting transmission file based on hardware password equipment | |
| US11128455B2 (en) | Data encryption method and system using device authentication key | |
| CN103051641A (en) | Method and system for updating multiple-client key, and information security transmission method | |
| WO2019114137A1 (en) | Password calling method, server, and storage medium | |
| CN108270739A (en) | A kind of method and device of managing encrypted information | |
| CN117155549A (en) | Key distribution method, key distribution device, computer equipment and storage medium | |
| CN111639952A (en) | Returned goods checking method, returned goods checking system, returned goods checking server and returned goods checking terminal based on block chain | |
| CN113489710B (en) | File sharing method, device, equipment and storage medium | |
| CN101019368A (en) | Method of delivering direct proof private keys to devices using a distribution CD | |
| CN112738083B (en) | System and method for managing secure access key based on cross-network and cross-border data transmission | |
| CN103378966A (en) | Secret key programming on safety dynamic piece | |
| CN112787996B (en) | Password equipment management method and system | |
| US11463251B2 (en) | Method for secure management of secrets in a hierarchical multi-tenant environment | |
| CN104735020A (en) | Method, device and system for acquiring sensitive data | |
| CN112769778B (en) | Encryption and decryption processing method and system based on cross-network cross-border data security transmission | |
| CN110287725B (en) | Equipment, authority control method thereof and computer readable storage medium | |
| CN109792380B (en) | Method, terminal and system for transmitting secret key | |
| CN114553557B (en) | Key calling method, device, computer equipment and storage medium | |
| CN112910654B (en) | Private key management method, system, equipment and storage medium | |
| CN114154179A (en) | Block chain key escrow method, system, terminal device and storage medium | |
| CN103179088A (en) | Protection method and protection system of common gateway interface business | |
| CN116032472B (en) | Method and device for generating quantum security key and authentication parameter and root key center |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |