
CN115913548A - Symmetric key distribution method and device - Google Patents


Info

Publication number
CN115913548A
Authority
CN
China
Prior art keywords
key
service node
encryption
node
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211617277.XA
Other languages
Chinese (zh)
Inventor
Name withheld at the inventor's request
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hebei Prime Information Security Co ltd
Original Assignee
Hebei Prime Information Security Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hebei Prime Information Security Co ltd
Priority to CN202211617277.XA
Publication of CN115913548A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a symmetric key distribution method. In the symmetric key distribution process, the first distribution is sent to the corresponding node off-line in the form of key components protected by a secure medium, which strengthens the security of key distribution. When multiple pairs of symmetric keys exist between the nodes, a key can be distributed again under the protection of whichever existing key suits the service scenario, which improves the flexibility of the key protection relationship. The confidentiality and integrity of the key are protected throughout the distribution process, and the method is widely applicable.

Description

Symmetric key distribution method and device
Technical Field
The invention relates to the technical field of information security, in particular to a symmetric key distribution method and device.
Background
In order to achieve a specific cryptographic function during communication, a sender generally encrypts data using an encryption key, and a receiver generally decrypts data using a decryption key. Keys can be divided into two broad categories, symmetric keys and asymmetric keys. The asymmetric key is "asymmetric" in the sense that the encryption key and the decryption key are different, and usually the encryption key and the decryption key have a specific mathematical relationship; the term "symmetric" in symmetric keys means that the encryption key and the decryption key are the same.
The core of the symmetric encryption system lies in the management and protection of keys, which must ensure the key synchronization between communication nodes and the security of keys in the processes of generation, storage and use.
With a symmetric algorithm and no secure channel available, two traditional methods of symmetric key distribution are generally used. One is to distribute a preset or agreed key, whose randomness cannot be guaranteed. The other is to transport the key off-line on a medium: if the medium's password is leaked, the key is at risk, and a key at risk must be replaced promptly. In addition, neither traditional distribution mode meets the requirement for unified distribution, replacement and management of keys.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a symmetric key distribution method and device, which realize uniform distribution and replacement management of symmetric keys and improve the security of symmetric key distribution.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows.
A symmetric key distribution method specifically comprises the following steps:
S1. At the cryptographic management node, generate key encryption keys KEK_am for the m service nodes respectively. Before a key encryption key is generated, determine the number n (n ≥ 2) of key components according to the key component threshold, and store each key component in the corresponding secure medium T_mn.
S2. Deliver the secure media T_mn of each service node off-line to the corresponding service node.
S3. After the service node that receives the secure media unseals the key component in each secure medium, XOR the components to obtain the key encryption key KEK_am generated by the cryptographic management node.
S4. At the cryptographic management node, generate a communication key KT_ai for the i-th (i ∈ m) service node, encapsulate the communication key KT_ai into a distribution key data packet addressed to the i-th service node, and export the distribution key data packet to a secure medium T_ssi.
S5. Deliver the secure medium T_ssi off-line to the i-th service node. The i-th service node obtains the encryption key information from the distribution key data packet, reads the encryption key, decrypts the data with the encryption key, and verifies the integrity of the key data to obtain the communication key KT_ai.
S6. At the cryptographic management node, generate a communication key KT_ij between the i-th (i ∈ m) service node and the j-th (j ∈ m) service node.
S7. Select an encryption key, encapsulate the communication key KT_ij into distribution key data packets for the i-th service node and the j-th service node respectively, and export the corresponding distribution key data packets to secure medium T_si and secure medium T_sj. The encryption key information adopted during encapsulation may select either the key encryption key KEK_am or the communication key KT_ai.
S8. Deliver secure medium T_si and secure medium T_sj off-line to the i-th service node and the j-th service node respectively. The i-th and j-th service nodes obtain the encryption key information and the encryption key from the distribution key data packet, decrypt the data with the encryption key, and verify the integrity of the key data to obtain the communication key KT_ij.
In the above symmetric key distribution method, step S1 specifically includes the following steps:
S11. At the cryptographic management node, generate key component F_i1 of the key encryption key KEK_am of the i-th (i ∈ m) service node, encapsulate key component F_i1 into a key component data packet, and export it to secure medium T_i1.
S12. At the cryptographic management node, generate key component F_i2 of the key encryption key KEK_am of the i-th (i ∈ m) service node, encapsulate key component F_i2 into a key component data packet, and export it to secure medium T_i2.
S13. Judge, according to the key component threshold, that the condition for synthesizing the key is reached; synthesize the key encryption key KEK_am by XOR and store it, encrypted with a local key, in the local database of the cryptographic management node. To ensure the confidentiality and integrity of the key in storage, compute the key HASH, concatenate the key plaintext with the HASH, and encrypt the result to obtain the ciphertext that is stored.
In the above symmetric key distribution method, step S3 includes the following: obtain the two key encryption key components through secure medium T_i1 and secure medium T_i2, decapsulate the key component data packets to obtain the key component data, determine at the same time that the key component data has reached the key component threshold, and synthesize the key encryption key KEK_ai by XOR.
In the above symmetric key distribution method, the key component data packet includes the key generation node, the destination node and the component threshold information; the secure medium is a smart key or a TF password card.
In the above symmetric key distribution method, the distribution key data packet includes the encryption key information, the encryption algorithm and integrity algorithm used, and the ciphertext data of key + key MAC.
Due to the adoption of the technical scheme, the technical progress of the invention is as follows.
In the symmetric key distribution process, the first distribution is transmitted off-line to the peer node in the form of key components protected by a secure medium, which strengthens the security of key distribution. When multiple symmetric keys exist between the nodes, a key can be distributed again under the protection of whichever existing key suits the service scenario, which improves the flexibility of the key protection relationship. The confidentiality and integrity of the key are protected throughout the distribution process, and the method is widely applicable.
Drawings
FIG. 1 is a flowchart of embodiment 1 of the present invention;
FIG. 2 is a schematic diagram of the selectable key protection in embodiment 1 of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
A symmetric key distribution method is characterized in that the first distribution is transmitted off-line to the service nodes in the form of key components protected by a secure medium; when multiple symmetric keys exist between the nodes, a key can be distributed again under the protection of whichever existing key suits the service scenario, so that the flexibility of the key protection relationship is improved on top of the improved security.
In the present embodiment, the detailed steps are explained by taking three nodes as an example. As shown in FIG. 1, the present embodiment includes a node A, a node 1 and a node 2, where node A represents the cryptographic management node and nodes 1 and 2 represent two service nodes, i.e., m = 2.
A symmetric key distribution method specifically comprises the following steps.
S1. At the cryptographic management node, generate key encryption keys KEK_am for the m service nodes respectively; before a key encryption key is generated, determine the number n (n ≥ 2) of key components according to the key component threshold, and store each key component in the corresponding secure medium T_mn. The key component data packet in this step includes the key generation node, the destination node and the component threshold information; the secure medium is a smart key or a TF password card.
S11. At the cryptographic management node, generate key component F_i1 of the key encryption key KEK_am of the i-th (i ∈ m) service node, encapsulate key component F_i1 into a key component data packet, and export it to secure medium T_i1.
S12. At the cryptographic management node, generate key component F_i2 of the key encryption key KEK_am of the i-th (i ∈ m) service node, encapsulate key component F_i2 into a key component data packet, and export it to secure medium T_i2.
S13. Judge, according to the key component threshold, that the condition for synthesizing the key is reached; synthesize the key encryption key KEK_am by XOR and store it, encrypted with a local key, in the local database of the cryptographic management node. To ensure the confidentiality and integrity of the key in storage, compute the key HASH, concatenate the key plaintext with the HASH, and encrypt the result to obtain the ciphertext that is stored.
In this embodiment the number n of key components is two; that is, the cryptographic management node A generates two key components for the key encryption key KEK_am of each service node.
Specifically: 1) At the cryptographic management node, generate key component F_11 of the key encryption key KEK_a1 from node A to service node 1, encapsulate key component F_11 into a key component data packet, and export it to secure medium T_11; generate key component F_12 of the key encryption key KEK_a1 from node A to service node 1, encapsulate key component F_12 into a key component data packet, and export it to secure medium T_12; judge according to the key component threshold that the synthesis condition is reached, synthesize the key encryption key KEK_a1 from node A to service node 1 by XOR, and store it, encrypted with a local key, in the local database of the cryptographic management node, computing the key HASH and encrypting the concatenation of key plaintext and HASH to obtain the stored ciphertext, so that the confidentiality and integrity of the key in storage are ensured.
2) At the cryptographic management node, generate key component F_21 of the key encryption key KEK_a2 from node A to service node 2, encapsulate key component F_21 into a key component data packet, and export it to secure medium T_21; generate key component F_22 of the key encryption key KEK_a2 from node A to service node 2, encapsulate key component F_22 into a key component data packet, and export it to secure medium T_22; judge according to the key component threshold that the synthesis condition is reached, synthesize the key encryption key KEK_a2 from node A to service node 2 by XOR, and store it, encrypted with a local key, in the local database of the cryptographic management node, computing the key HASH and encrypting the concatenation of key plaintext and HASH to obtain the stored ciphertext, so that the confidentiality and integrity of the key in storage are ensured.
S2. Deliver the secure media T_mn of each service node off-line to the corresponding service node.
In this embodiment, secure medium T_11 and secure medium T_12 are delivered off-line to the first service node 1; secure medium T_21 and secure medium T_22 are delivered off-line to the second service node 2.
S3. After the service node that receives the secure media unseals the key component in each secure medium, XOR the components to obtain the key encryption key KEK_am generated by the cryptographic management node. In this step, the two key encryption key components are obtained through secure medium T_i1 and secure medium T_i2, the key component data packets are decapsulated to obtain the key component data, it is determined at the same time that the key component data has reached the key component threshold, and the key encryption key KEK_ai is synthesized by XOR.
In the present invention, secure medium T_i1 and secure medium T_i2 may be imported in any order.
In this embodiment: 1) secure medium T_11 is imported into service node 1 and its key component data packet is decapsulated to obtain the key component data; secure medium T_12 is imported into service node 1 and its key component data packet is decapsulated to obtain the key component data; at the same time it is judged that the key component threshold is reached, and the key encryption key KEK_a1 is synthesized by XOR. 2) Secure medium T_21 is imported into service node 2 and its key component data packet is decapsulated to obtain the key component data; secure medium T_22 is imported into service node 2 and its key component data packet is decapsulated to obtain the key component data; at the same time it is judged that the key component threshold is reached, and the key encryption key KEK_a2 is synthesized by XOR.
The distribution of symmetric keys from the password management node to the service node 1 and the service node 2 is realized through the steps S1 to S3, the symmetric keys are transmitted to the opposite node in an off-line manner by adopting the form of key components and the protection of a safety medium, and the security of key distribution is enhanced.
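As an added illustration (not code from the patent or its assignee), the following Go program implements the two halves of steps S1 to S3 described above: node A splits a freshly generated KEK into n XOR key components, each packaged with the generating node, destination node and threshold, and the service node refuses to synthesise the key until every component addressed to it is present and none is duplicated. The key length, the packet layout and the Go types are this example's assumptions.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// ComponentPacket models the "key component data packet" of steps S11/S12:
// generating node, destination node, component threshold and one component.
type ComponentPacket struct {
	GenNode, DestNode string
	Threshold, Index  int
	Component         []byte
}

// SplitKEK is the management node side of S1: it draws a fresh key encryption key
// for destNode and splits it into n XOR components (n >= 2). Each component alone is
// uniformly random, so one secure medium reveals nothing; all n are needed to rebuild it.
func SplitKEK(genNode, destNode string, keyLen, n int) ([]byte, []ComponentPacket, error) {
	if n < 2 {
		return nil, nil, errors.New("at least two key components are required")
	}
	kek := make([]byte, keyLen)
	if _, err := rand.Read(kek); err != nil {
		return nil, nil, err
	}
	// The last component is KEK XOR (all random components), so the XOR of all n gives KEK.
	last := append([]byte(nil), kek...)
	var packets []ComponentPacket
	for i := 1; i < n; i++ {
		c := make([]byte, keyLen)
		if _, err := rand.Read(c); err != nil {
			return nil, nil, err
		}
		for k := range c {
			last[k] ^= c[k]
		}
		packets = append(packets, ComponentPacket{genNode, destNode, n, i, c})
	}
	packets = append(packets, ComponentPacket{genNode, destNode, n, n, last})
	return kek, packets, nil
}

// CombineKEK is the service node side of S3. Packets may be imported in any order;
// the node checks that each is addressed to it, that nothing is duplicated and that
// the component threshold is actually reached before it XORs the components together.
func CombineKEK(thisNode string, packets []ComponentPacket) ([]byte, error) {
	if len(packets) == 0 {
		return nil, errors.New("no key components supplied")
	}
	threshold := packets[0].Threshold
	seen := make(map[int]bool)
	kek := make([]byte, len(packets[0].Component))
	for _, p := range packets {
		if p.DestNode != thisNode {
			return nil, fmt.Errorf("component %d is addressed to node %s, not %s", p.Index, p.DestNode, thisNode)
		}
		if p.Threshold != threshold || len(p.Component) != len(kek) || seen[p.Index] {
			return nil, fmt.Errorf("component %d is inconsistent or duplicated", p.Index)
		}
		seen[p.Index] = true
		for k := range kek {
			kek[k] ^= p.Component[k]
		}
	}
	if len(seen) < threshold {
		return nil, fmt.Errorf("only %d of %d key components present", len(seen), threshold)
	}
	return kek, nil
}

func main() {
	// Node A splits KEK_a1 for service node 1 into two components, as in the embodiment.
	kek, packets, err := SplitKEK("A", "1", 32, 2)
	if err != nil {
		panic(err)
	}
	// Media T_11 and T_12 are imported at node 1 in reverse order: order does not matter.
	rebuilt, err := CombineKEK("1", []ComponentPacket{packets[1], packets[0]})
	fmt.Println("KEK_a1 rebuilt:", string(rebuilt) == string(kek), err)
	// One medium alone is refused by the threshold check.
	_, err = CombineKEK("1", packets[:1])
	fmt.Println("single component:", err)
}
```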
S4. At the cryptographic management node, generate a communication key KT_ai for the i-th (i ∈ m) service node, encapsulate the communication key KT_ai into a distribution key data packet addressed to the i-th service node, and export the distribution key data packet to a secure medium T_ssi. The distribution key data packet includes the encryption key information, the encryption algorithm and integrity algorithm used, and the ciphertext data of key + key MAC.
In this embodiment, the communication key KT_a1 between node A and the first service node 1 is generated at the cryptographic management node, encapsulated into a distribution key data packet for the first service node 1, and the distribution key data packet is exported to secure medium T_ss1.
Of course, in this embodiment the cryptographic management node A may also generate the communication key KT_a2 between node A and the second service node 2, encapsulate the communication key KT_a2 into a distribution key data packet for the second service node 2, and export the distribution key data packet to secure medium T_ss2.
S5. Deliver the secure medium T_ssi off-line to the i-th service node. The i-th service node obtains the encryption key information from the distribution key data packet, reads the encryption key, decrypts the data with the encryption key, verifies the integrity of the key data, and obtains the communication key KT_ai.
In this embodiment, secure medium T_ss1 is delivered off-line to the first service node 1. Service node 1 receives the distribution key data packet, obtains the encryption key information for this distribution from the packet, reads the encryption key, decrypts the data with the encryption key, verifies the integrity of the key data, and obtains the communication key KT_a1.
Alternatively, secure medium T_ss2 is delivered off-line to the second service node 2. Service node 2 receives the distribution key data packet, obtains the encryption key information for this distribution from the packet, reads the encryption key, decrypts the data with the encryption key, verifies the integrity of the key data, and obtains the communication key KT_a2.
S6. At the cryptographic management node, generate a communication key KT_ij between the i-th (i ∈ m) service node and the j-th (j ∈ m) service node.
In this embodiment, the cryptographic management node A generates the communication key KT_12 between the first service node 1 and the second service node 2.
S7. Select an encryption key, encapsulate the communication key KT_ij into distribution key data packets for the i-th service node and the j-th service node respectively, and export the corresponding distribution key data packets to secure medium T_si and secure medium T_sj. The encryption key information adopted during encapsulation may select either the key encryption key KEK_am or the communication key KT_ai.
In this embodiment, an encryption key is selected and the communication key KT_12 is encapsulated into distribution key data packets for the first service node 1 and the second service node 2 respectively, and the corresponding distribution key data packets are exported to secure medium T_s1 and secure medium T_s2. The distribution key data packet includes the encryption key information and the encryption algorithm and integrity algorithm used.
The encryption key information adopted during encapsulation may select either the key encryption key KEK_a1 or the communication key KT_a1.
S8. Deliver secure medium T_si and secure medium T_sj off-line to the i-th service node and the j-th service node respectively. The i-th and j-th service nodes obtain the encryption key information and the encryption key from the distribution key data packet, decrypt the data with the encryption key, and verify the integrity of the key data to obtain the communication key KT_ij.
In this embodiment, secure medium T_s1 and secure medium T_s2 are delivered off-line to the first service node 1 and the second service node 2 respectively. Service node 1 and service node 2 receive the distribution key data packet, obtain the encryption key information from it and then the encryption key, decrypt the data with the encryption key, and verify the integrity of the key data to obtain the communication key KT_12.
Steps S4 to S8 realize the distribution of the symmetric key between the two service nodes i and j. Because two pairs of symmetric keys exist between the two nodes, either the key encryption key KEK_am or the communication key KT_ai can be selected according to the service scenario to protect the distribution of the symmetric key between the two service nodes, which improves the flexibility of the key protection relationship. When the key encryption key KEK_am protects the distribution of the symmetric key between service nodes i and j, the communication key KT_ai may be used to encrypt service data according to the service scenario; when the communication key KT_ai protects that distribution, KT_ai is not used for any other purpose.
FIG. 2 shows the result of the cryptographic management node distributing and protecting symmetric keys for each service node as provided in this embodiment.
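As an added illustration (not the patent's own code), the following Go program builds and verifies the distribution key data packet of steps S4 to S8: the communication key is MACed, key || MAC is encrypted under the protecting key selected for this distribution, and the receiving node looks that key up by the identifier carried in the packet and releases the communication key only if the integrity check passes. AES-256-CTR, HMAC-SHA256, the HMAC-based subkey derivation and the packet field names are this example's assumptions; the patent names no particular algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DistributionPacket models the "distribution key data packet" of steps S4/S7: the
// protecting key used (KEK_am or KT_ai), the algorithms, and the ciphertext of key||MAC.
type DistributionPacket struct {
	ProtectKeyID string // identifier of the protecting key, e.g. "KEK_a1" or "KT_a1"
	EncAlg       string
	IntAlg       string
	Nonce        []byte
	Ciphertext   []byte // EncAlg(encKey, key || IntAlg(macKey, key))
}

const encAlg, intAlg = "AES-256-CTR", "HMAC-SHA256"

// deriveSubkeys derives separate encryption and MAC keys from the protecting key.
// This labelled HMAC derivation is the example's assumption; the patent names no KDF.
func deriveSubkeys(protectKey []byte) (encKey, macKey []byte) {
	h := hmac.New(sha256.New, protectKey)
	h.Write([]byte("enc"))
	encKey = h.Sum(nil)
	h.Reset()
	h.Write([]byte("mac"))
	return encKey, h.Sum(nil)
}

// WrapKey (management node side) MACs the communication key, appends the MAC and
// encrypts key||MAC under whichever protecting key was selected for this distribution.
func WrapKey(protectKeyID string, protectKey, commKey []byte) (*DistributionPacket, error) {
	encKey, macKey := deriveSubkeys(protectKey)
	m := hmac.New(sha256.New, macKey)
	m.Write(commKey)
	payload := append(append([]byte(nil), commKey...), m.Sum(nil)...)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aes.BlockSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := make([]byte, len(payload))
	cipher.NewCTR(block, nonce).XORKeyStream(ct, payload)
	return &DistributionPacket{protectKeyID, encAlg, intAlg, nonce, ct}, nil
}

// UnwrapKey (service node side, S5/S8) looks up the protecting key named in the packet
// among the keys this node holds, decrypts, and releases the key only if the MAC verifies.
func UnwrapKey(p *DistributionPacket, held map[string][]byte) ([]byte, error) {
	protectKey, ok := held[p.ProtectKeyID]
	if !ok {
		return nil, errors.New("node does not hold protecting key " + p.ProtectKeyID)
	}
	if p.EncAlg != encAlg || p.IntAlg != intAlg || len(p.Nonce) != aes.BlockSize || len(p.Ciphertext) <= sha256.Size {
		return nil, errors.New("unsupported or malformed packet")
	}
	encKey, macKey := deriveSubkeys(protectKey)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(p.Ciphertext))
	cipher.NewCTR(block, p.Nonce).XORKeyStream(pt, p.Ciphertext)
	key, tag := pt[:len(pt)-sha256.Size], pt[len(pt)-sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(key)
	if !hmac.Equal(tag, m.Sum(nil)) {
		return nil, errors.New("key integrity check failed; packet rejected")
	}
	return key, nil
}

func main() {
	// Constructed keys: KEK_a1 held by node 1, KT_a2 held by node 2, KT_12 to be distributed.
	kekA1, ktA2, kt12 := make([]byte, 32), make([]byte, 32), make([]byte, 32)
	rand.Read(kekA1)
	rand.Read(ktA2)
	rand.Read(kt12)
	p1, _ := WrapKey("KEK_a1", kekA1, kt12) // node 1's packet, protected by KEK_a1
	p2, _ := WrapKey("KT_a2", ktA2, kt12)   // node 2's packet, protected by KT_a2
	k1, err1 := UnwrapKey(p1, map[string][]byte{"KEK_a1": kekA1})
	k2, err2 := UnwrapKey(p2, map[string][]byte{"KT_a2": ktA2})
	fmt.Println(string(k1) == string(kt12), err1, string(k2) == string(kt12), err2)
}
```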

Claims (5)

1. A symmetric key distribution method, characterized by comprising the following steps:
S1. At the cryptographic management node, generate key encryption keys KEK_am for the m service nodes respectively; before generating a key encryption key, determine the number n of key components according to a key component threshold; and store each key component in the corresponding secure medium T_mn.
S2. Deliver the secure media T_mn of each service node off-line to the corresponding service node.
S3. After the service node that receives the secure media unseals the key component in each secure medium, XOR the components to obtain the key encryption key KEK_am generated by the cryptographic management node.
S4. At the cryptographic management node, generate a communication key KT_ai for the i-th service node, encapsulate the communication key KT_ai into a distribution key data packet addressed to the i-th service node, and export the distribution key data packet to a secure medium T_ssi.
S5. Deliver the secure medium T_ssi off-line to the i-th service node; the i-th service node obtains the encryption key information from the distribution key data packet, reads the encryption key, decrypts the data with the encryption key, verifies the integrity of the key data, and obtains the communication key KT_ai.
S6. At the cryptographic management node, generate a communication key KT_ij between the i-th service node and the j-th service node.
S7. Select an encryption key, encapsulate the communication key KT_ij into distribution key data packets for the i-th service node and the j-th service node respectively, and export the corresponding distribution key data packets to secure medium T_si and secure medium T_sj; the encryption key information adopted during encapsulation may select either the key encryption key KEK_am or the communication key KT_ai.
S8. Deliver secure medium T_si and secure medium T_sj off-line to the i-th service node and the j-th service node respectively; the i-th and j-th service nodes obtain the encryption key information and the encryption key from the distribution key data packet, decrypt the data with the encryption key, and verify the integrity of the key data to obtain the communication key KT_ij.
2. The symmetric key distribution method according to claim 1, wherein step S1 specifically comprises the steps of:
S11. At the cryptographic management node, generate key component F_i1 of the key encryption key KEK_am of the i-th service node, encapsulate key component F_i1 into a key component data packet, and export it to secure medium T_i1.
S12. At the cryptographic management node, generate key component F_i2 of the key encryption key KEK_am of the i-th service node, encapsulate key component F_i2 into a key component data packet, and export it to secure medium T_i2.
S13. Judge, according to the key component threshold, that the condition for synthesizing the key is reached; synthesize the key encryption key KEK_am by XOR and store it, encrypted with a local key, in the local database of the cryptographic management node; to ensure the confidentiality and integrity of the key in storage, compute the key HASH, concatenate the key plaintext with the HASH, and encrypt the result to obtain the ciphertext that is stored.
3. The symmetric key distribution method according to claim 2, wherein step S3 specifically comprises: obtaining the two key encryption key components through secure medium T_i1 and secure medium T_i2, decapsulating the key component data packets to obtain the key component data, determining at the same time that the key component data has reached the key component threshold, and synthesizing the key encryption key KEK_ai by XOR.
4. The symmetric key distribution method according to claim 3, wherein the key component data packet comprises the key generation node, the destination node and the component threshold information; the secure medium is a smart key or a TF password card.
5. The symmetric key distribution method according to claim 3, wherein the distribution key data packet comprises the encryption key information, the encryption algorithm and integrity algorithm used, and the ciphertext data of key + key MAC.
Application CN202211617277.XA, filed 2022-12-15 (priority date 2022-12-15), "Symmetric key distribution method and device", status pending, published as CN115913548A (en).


Publications (1)

Publication Number Publication Date
CN115913548A true CN115913548A (en) 2023-04-04

Family

ID=86480492



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination