
CN118368063A - A cluster implementation method and device for massive key management - Google Patents


Info

Publication number
CN118368063A
Authority
CN
China
Prior art keywords
key
key management
index
cluster
service
Prior art date
Legal status
Granted
Application number
CN202410792147.2A
Other languages
Chinese (zh)
Other versions
CN118368063B (en)
Inventor
马浩杰
王燚军
Current Assignee
Zhejiang Lab
Original Assignee
Zhejiang Lab
Priority date
Filing date
Publication date
Events
Application filed by Zhejiang Lab
Priority to CN202410792147.2A
Publication of CN118368063A
Application granted
Publication of CN118368063B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a cluster implementation method and device for massive key management, comprising the following steps: invoking the services of the key management cluster, performing a first parse of the key management request after verifying user identity and permissions on the basis of that request, and updating the key cache and multi-level hierarchical storage on the basis of the first parse result; after verifying user identity and permissions on the basis of a cryptographic operation request, invoking the services of the key management cluster over the RDMA protocol, performing a second parse of the cryptographic operation request, obtaining a ciphertext key from the cache or the multi-level hierarchical storage on the basis of the second parse result, and returning the ciphertext key, or the plaintext key obtained by decrypting it, to the cryptographic operation cluster over RDMA to complete the encryption or decryption of the data. This addresses the problems of massive key dispersion, low management efficiency, strong coupling with cryptographic operations and high resource consumption.

Description

A cluster implementation method and device for massive key management

Technical Field

The present invention relates to the technical field of key cluster management, and in particular to a cluster implementation method and device for massive key management.

Background

With the rapid development of mobile Internet and cloud computing technology, more and more data is processed in cloud computing environments. Cryptography is the core technology for ensuring network security: it protects information and its transmission by protecting the confidentiality, integrity and availability of data.

Cryptographic cloud service is a new model for delivering cryptographic functions, a deep integration of cloud computing technology with cryptographic technologies such as identity authentication, authorized access, transmission encryption and storage encryption. Cryptographic service providers integrate cryptographic products, key usage policies, cryptographic service interfaces and service processes according to the requirements of the cloud computing architecture, and combine cryptographic system design, deployment, operation and maintenance, management and billing into a single service that meets users' cryptographic application needs. Users no longer purchase cryptographic products such as cryptographic hardware or cryptographic systems, but rent the various cryptographic functions provided in the cloud. The scenarios addressed by cryptographic cloud services include key escrow and fast key computation.

In this scenario, the technical problems faced include the difficulty of managing and quickly querying massive numbers of keys and reduced cryptographic operation efficiency; traditional solutions based on cloud cryptographic machines are also increasingly facing technical problems such as difficult elastic scaling, high cost, difficult maintenance and low efficiency. A new technical solution is therefore urgently needed to solve these problems.

The patent document with publication number CN116781248A discloses an encryption method, device and key management system applied to a first computing node, comprising: obtaining one or more key factors; encrypting plaintext data with an encryption key to obtain ciphertext data, where the encryption key is derived from the one or more key factors and the identifier of the first computing node, the identifier being that of the first computing node, of the device on which the first computing node is located, or of the target processor; and sending the ciphertext data and the identifier of the first computing node to a second computing node. The patent document with publication number CN115549898A discloses a symmetric key management method for a multi-level cross-domain environment, comprising a multi-level cross-domain key management hierarchy, a multi-level cross-domain symmetric key generation and storage mechanism, a multi-level cross-domain symmetric key distribution mechanism and a multi-level cross-domain symmetric key update mechanism. Neither of these two technical solutions solves all of the technical problems described above at the same time.

Summary of the Invention

In view of the above, the object of the present invention is to provide a cluster implementation method and device for massive key management which decouples the cryptographic operation cluster from the key management cluster and adds a cross-cluster communication mechanism together with a cache and multi-level hierarchical storage mechanism, thereby solving at once the technical problems of the prior art: high communication latency, difficult management of massive numbers of keys, low cryptographic operation efficiency and difficult elastic scaling.

To achieve the above object, an embodiment of the present invention provides a cluster implementation method for massive key management, comprising the following steps:

A key management process based on the key management cluster, comprising: initiating a key management request to the key management process, invoking the services of the key management cluster, performing a first parse of the key management request after verifying user identity and permissions on the basis of the request, and updating the key cache and multi-level hierarchical storage on the basis of the first parse result;

A cryptographic operation process based on the cryptographic operation cluster and the key management cluster, comprising: sending a cryptographic operation request to a cryptographic operation process of the cryptographic operation cluster, verifying user identity and permissions on the basis of the request, invoking the services of the key management cluster over the RDMA protocol, performing a second parse of the cryptographic operation request, obtaining a ciphertext key from the cache or the multi-level hierarchical storage on the basis of the second parse result, and returning the ciphertext key, or the plaintext key obtained by decrypting it, to the cryptographic operation cluster over RDMA to complete the encryption or decryption of the data.

Preferably, the services of the key management cluster comprise:

a client API service, which exposes a unified calling interface externally and parses requests to obtain a parse result;

a massive key management service, which provides a unified key management interface, has identity authentication and access control policies based on smart cryptographic key tokens and a directory structure and index structure for fast reading and writing of massive numbers of key files, creates a key cache layer for data caching, and handles key-related business;

a secure key storage service, which provides storage and query interfaces for massive numbers of keys and has multi-level hierarchical storage of keys: the master key is kept in the hardware security module, the encryption keys and user keys generated by the key management cluster are kept in databases, and users' escrowed files are stored encrypted in a distributed file system, where the databases include structured, unstructured and distributed databases and the escrowed files include massive key files and sensitive files;

a hardware security module, which holds the master key, generates true random numbers, and provides the execution environment for securely encrypting and decrypting users' ciphertext keys.

Preferably, invoking the services of the key management cluster, performing a first parse of the key management request after verifying user identity and permissions on the basis of the request, and updating the key cache and multi-level hierarchical storage on the basis of the first parse result comprises:

after verifying the user identity and permissions of the key management request against the identity authentication and access control policies of the massive key management service, distributing the call flow by load balancing, then invoking the client API service interface to perform the first parse of the key management request and, when the request is of the key modification or query type, parsing the unified key index to obtain a first parse result containing the key index;

invoking the massive key management service and the secure key storage service, looking up the ciphertext key designated by the key index in the cache layer or the multi-level hierarchical storage, and updating it, where updating includes deletion and replacement.

Preferably, the method further comprises: performing the first parse of the key management request and, when the request is of the key-creation type, parsing the directory/file index to obtain a first parse result containing the directory/file index;

invoking the massive key management service and the secure key storage service to create an escrowed-file index for the directory/file index on the basis of the directory structure and index structure for fast reading and writing of massive numbers of key files, and storing it in the cache layer and the distributed file system.

Preferably, the method further comprises: after the ciphertext key update based on the key index or the new escrowed-file storage based on the directory/file index, deleting the secure key storage service key cache and the massive key management service key cache layer by layer in the cache layer, ensuring that the cache and the stored data are consistent, and finally completing the key management task.

Preferably, during a cryptographic operation, invoking the services of the key management cluster over the RDMA protocol, performing a second parse of the cryptographic operation request and obtaining the ciphertext key from the cache or the multi-level hierarchical storage on the basis of the second parse result comprises:

parsing the unified index specified by the user in the key management thread, deriving the specified user's key index or escrowed-file index according to the definition of the unified index, and querying the cache for the corresponding key or escrowed file on the basis of that index to obtain the ciphertext key.

Preferably, when the corresponding key or escrowed file cannot be found in the cache on the basis of the key index or escrowed-file index, the client API service is invoked, the key index or escrowed-file index is passed to the client API service interface, and it is re-parsed to obtain the key index resolution information, where the index resolution information comprises the database code, the database table code, and the key index code or the corresponding directory index code and file index code;

invoking the massive key management service and, on the basis of the index resolution information, the secure key storage service to search the multi-level hierarchical storage for the corresponding key or escrowed file to obtain the ciphertext key.

Preferably, the method further comprises: creating a key management thread synchronously when the cryptographic operation process starts, and remotely invoking the service interfaces of the key management cluster from the key management thread over the RDMA protocol.

Preferably, the key management cluster defines a unified key index 32 bits in length, where bit 0 is the unified index version number, bits 1-10 are the specific key index value or escrowed-file index value, bits 11-15 are the storage database table code or directory index code, bits 16-19 are the storage database type code or directory index code, bits 20-21 are the index type code, bits 22-27 are the user code, and the remaining bits are reserved extension fields.

To achieve the above object, an embodiment of the present invention provides a cluster implementation device for massive key management, comprising:

a key management module, used for the key management process based on the key management cluster, comprising: initiating a key management request to the key management process, invoking the services of the key management cluster, performing a first parse of the key management request after verifying user identity and permissions on the basis of the request, and updating the key cache and multi-level hierarchical storage on the basis of the first parse result;

a cryptographic operation module, used for the cryptographic operation process based on the cryptographic operation cluster and the key management cluster, comprising: sending a cryptographic operation request to a cryptographic operation process of the cryptographic operation cluster, verifying user identity and permissions on the basis of the request, invoking the services of the key management cluster over the RDMA protocol, performing a second parse of the cryptographic operation request, obtaining a ciphertext key from the cache or the multi-level hierarchical storage on the basis of the second parse result, and returning the ciphertext key, or the plaintext key obtained by decrypting it, to the cryptographic operation cluster over RDMA to complete the encryption or decryption of the data.

Compared with the prior art, the beneficial effects of the present invention include at least the following:

By decoupling the key management cluster and the cryptographic operation cluster of the cryptographic cloud service, and through the multi-level hierarchical storage system and the RDMA-based cross-cluster communication mechanism, the present invention reduces communication latency, improves the performance and efficiency of cryptographic operations in the cluster, enables more secure key management policies and the management of even larger numbers of key resources, and provides better reliability and stability;

The present invention makes full use of software and hardware resources and improves the utilization of the hardware security modules in the key management cluster; in particular, under massive volumes of cryptography-related business requests it improves cryptographic operation efficiency.

The performance indicators of the key management cluster system of the cryptographic cloud service in the present invention are significantly better than those of traditional integrated hardware/software cryptographic machines, whose resources are fixed and hard to scale up or down; the system has strong extensibility and scalability.

Brief Description of the Drawings

In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG1 is a flow chart of the cluster implementation method for massive key management provided by an embodiment;

FIG2 is a schematic diagram of the structure of the services of the key management cluster provided by an embodiment;

FIG3 is a schematic diagram of the interaction between the key management cluster, the cryptographic operation cluster and other business clusters provided by an embodiment;

FIG4 is a schematic diagram of the key management process and the cryptographic operation process provided by an embodiment;

FIG5 is a schematic diagram of the structure of the cluster implementation device for massive key management provided by an embodiment.

Detailed Description of the Embodiments

In order to make the object, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and do not limit its scope of protection.

As shown in FIG1, the cluster implementation method for massive key management provided by the embodiment comprises the following steps:

S1, the key management process based on the key management cluster.

In the embodiment, a user initiates a computation request to the cryptographic cloud service and specifies a unified key index. When massive numbers of users each initiate their own computation requests, the service faces massive key management tasks. A cryptographic cloud service contains many business clusters, of which the core clusters are the cryptographic operation cluster and the key management cluster. The present invention runs the cryptographic operation cluster and the key management cluster decoupled, that is, each performs its own tasks on different devices, which reduces the computational load and makes massive key management possible.

As shown in FIG3, a user or another cluster in the cryptographic cloud service initiates a key management request to the key management process and invokes the services of the key management cluster to carry out the key management process, which comprises performing a first parse of the key management request after verifying user identity and permissions on the basis of the request, and updating the key cache and multi-level hierarchical storage on the basis of the first parse result.

As shown in FIG2, the services of the key management cluster comprise the client API service (Client API), the massive key management service (MKMS, Massive Key Management Service), the secure key storage service (SKS, Secure Key Storage) and the hardware security module (HSM).

The client API service exposes a unified calling interface externally, hides internal differences, and parses requests to obtain a parse result.

The massive key management service provides a unified key management interface, has identity authentication and access control policies based on smart cryptographic key tokens (USBKey) and a directory structure and index structure for fast reading and writing of massive numbers of key files with high read/write performance, creates a key cache layer (CL) for data caching, and handles key-related business.

The secure key storage service provides storage and query interfaces for massive numbers of keys and has multi-level hierarchical storage of keys: the master key is kept in the hardware security module, the encryption keys and user keys generated by the key management cluster are kept in databases (DataBase), and users' escrowed files are stored encrypted in a distributed file system (HDFS), where the databases include structured, unstructured and distributed databases and the escrowed files include massive key files and sensitive files. The multi-level hierarchical storage and cache system thus built uses software and hardware resources to find the corresponding key quickly, which speeds up access to ciphertext keys, escrowed files and so on and further improves cryptographic operation efficiency.

Within this multi-level hierarchical storage, software and hardware resources are fully used: the master key is stored in the hardware security module to keep it absolutely secure, and the encryption keys and user keys generated by the key management cluster are kept in databases. When a user initiates a data encryption request and the corresponding encryption key can be found in the cache, encryption speed and system performance improve markedly.

In the embodiment, the key management cluster defines a unified key index 32 bits in length, where bit 0 is the unified index version number, bits 1-10 are the specific key index value or escrowed-file index value, bits 11-15 are the storage database table code or directory index code, bits 16-19 are the storage database type code or directory index code, bits 20-21 are the index type code, bits 22-27 are the user code, and the remaining bits are reserved extension fields.

实施例中,基于上述调用密钥管理集群的进行密钥管理过程,如图4所示,包括:In the embodiment, the key management process based on the above-mentioned calling of the key management cluster, as shown in FIG4 , includes:

密钥管理进程接收密钥管理请求,基于海量密钥管理服务具有的身份认证和访问控制策略对密钥管理请求进行USBKey验证(即身份验证)和用户权限验证后,进行调用流向的负载均衡分发,然后调用客户端API服务接口,对密钥管理请求进行第一解析,当为密钥修改或查询类时进行统一密钥索引解析,得到包含密钥索引的第一解析结果,调用海量密钥管理服务接口和安全密钥存储服务接口,基于密钥索引在缓存层或多层次分级存储中进行查找得到索引指定的密文密钥并进行更新,其中,更新包括删除、替换。The key management process receives the key management request, performs USBKey verification (i.e., identity authentication) and user authority verification on the key management request based on the identity authentication and access control policies of the massive key management service, and then performs load balancing distribution of the call flow. Then, the client API service interface is called to perform a first analysis of the key management request. When it is a key modification or query type, a unified key index analysis is performed to obtain a first analysis result including the key index, and the massive key management service interface and the secure key storage service interface are called to search in the cache layer or multi-level hierarchical storage based on the key index to obtain the ciphertext key specified by the index and update it, where the update includes deletion and replacement.

对密钥管理请求进行第一解析,当为密钥新增类时进行目录/文件索引的解析,得到包含目录/文件索引的第一解析结果;调用海量密钥管理服务接口和安全密钥存储服务接口,基于对海量密钥文件快速读写的目录结构和索引结构为目录/文件索引创建托管文件的索引,并存储到缓存层和分布式文件系统。Perform a first analysis on the key management request, and when a new class is added to the key, analyze the directory/file index to obtain a first analysis result containing the directory/file index; call the massive key management service interface and the secure key storage service interface, and create an index of managed files for the directory/file index based on the directory structure and index structure for fast reading and writing of massive key files, and store it in the cache layer and distributed file system.

实施例中,在密钥管理过程中,当在基于密钥索引的密文密钥更新、基于目录/文件索引的托管文件的新增存储后,在缓存层中逐层删除安全密钥存储服务密钥缓存、海量密钥管理服务密钥缓存、客户端API密钥缓存,确保缓存和存储数据一致,最终完成本次密钥管理任务。需要说明的是,当在密钥运算过程中调用密码管理管理集群的服务时,此时还需要删除密钥运算集群密钥缓存。In the embodiment, during the key management process, after the ciphertext key based on the key index is updated and the new storage of the managed file based on the directory/file index is added, the key cache of the secure key storage service, the key cache of the massive key management service, and the key cache of the client API are deleted layer by layer in the cache layer to ensure that the cache and storage data are consistent, and finally complete the key management task. It should be noted that when the service of the password management cluster is called during the key calculation process, the key cache of the key calculation cluster also needs to be deleted at this time.

S2,基于密码运算集群和密钥管理集群的密码运算过程。S2, cryptographic operation process based on cryptographic operation cluster and key management cluster.

实施例中,如图3所示,用户或密码云服务中的其他集群向密码运算集群的密码运算进程发送密码运算请求,基于密码运算请求进行用户身份和权限验证后,通过RDMA协议调用密钥管理集群的服务,对密码运算请求进行第二解析,并基于第二解析结果从缓存或多层级分级存储中获得密文密钥,并将密文密钥或对密文密钥解密得到的明文密钥通过RDMA协议返回给密码运算集群完成数据的加密或解密。In an embodiment, as shown in Figure 3, a user or other clusters in the cryptographic cloud service sends a cryptographic operation request to the cryptographic operation process of the cryptographic operation cluster, and after user identity and authority verification is performed based on the cryptographic operation request, the service of the key management cluster is called through the RDMA protocol, and the cryptographic operation request is subjected to a second analysis, and a ciphertext key is obtained from the cache or multi-level hierarchical storage based on the second analysis result, and the ciphertext key or the plaintext key obtained by decrypting the ciphertext key is returned to the cryptographic operation cluster through the RDMA protocol to complete the encryption or decryption of the data.

In the embodiment, the cryptographic operation process that uses the services of the key management cluster, shown in Figure 4, comprises the following steps:

A cryptographic operation process receives a cryptographic operation request from a user or from another business cluster in the cryptographic cloud service and performs the first permission check, namely verifying from the login information whether the caller is entitled to cryptographic operation resources. At the same time it creates a key management thread. That thread parses the unified index specified by the user and, according to the definition of the unified index, extracts the key index or managed-file index belonging to the specified user, deserializes the parsed information into an object, and looks up the corresponding key or managed file in the cache by that key index or managed-file index to obtain the ciphertext key.

When the key or managed file cannot be found in the cache by key index or managed-file index (a cache miss), the client API service is called and the key index or managed-file index is passed to the client API service interface, which parses it again to obtain the index resolution information: the database code, the database table code and the key index code, or the corresponding directory index code and file index code. Because every key and file in the key management cluster is addressed by this uniform index encoding, a key can be located quickly.
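The following is an added example, not code from the patent or from Zhejiang Lab, of the unified index resolution described here. It uses the 32-position layout given in claim 9 (position 0 version, positions 1-10 index value, 11-15 table or directory code, 16-19 database-type or directory code, 20-21 index type, 22-27 user code, the rest reserved) and treats the index as a 32-character decimal string. The concrete index-type codes, the version value, and the check that the user code embedded in the index matches the caller are assumptions; the patent does not state whether the 32 positions are characters or bits.

```python
from dataclasses import dataclass

INDEX_LEN = 32
VERSION = "1"                      # assumed current unified-index version
# Field layout from claim 9: (start, end) positions, end exclusive.
FIELDS = {
    "version": (0, 1),
    "value": (1, 11),              # key index value or managed-file index value
    "table_or_dir": (11, 16),      # database table code or directory index code
    "db_type_or_dir": (16, 20),    # database type code or directory index code
    "kind": (20, 22),              # index type code
    "user": (22, 28),              # user code
    "reserved": (28, 32),
}
KIND_KEY, KIND_FILE = "01", "02"   # assumed index-type codes (the patent gives none)


@dataclass(frozen=True)
class ResolvedIndex:
    """Index resolution information: what the storage layer needs to find the record."""
    kind: str
    user: str
    db_type_or_dir: str
    table_or_dir: str
    value: str


def encode_index(kind: str, user: int, db_type_or_dir: int, table_or_dir: int, value: int) -> str:
    """Build a unified index; every field must fit its fixed width exactly."""
    parts = {
        "version": VERSION,
        "value": str(value).zfill(10),
        "table_or_dir": str(table_or_dir).zfill(5),
        "db_type_or_dir": str(db_type_or_dir).zfill(4),
        "kind": kind,
        "user": str(user).zfill(6),
        "reserved": "0" * 4,
    }
    for name, (start, end) in FIELDS.items():
        if len(parts[name]) != end - start or not parts[name].isdigit():
            raise ValueError(f"field {name!r} does not fit {end - start} positions")
    return "".join(parts[name] for name in FIELDS)


def parse_index(index: str, requesting_user: int) -> ResolvedIndex:
    """Second parse of a user-supplied index: reject malformed, wrong-version,
    unknown-type and, crucially, other users' indexes before touching storage."""
    if len(index) != INDEX_LEN or not index.isdigit():
        raise ValueError("malformed unified index")
    f = {name: index[start:end] for name, (start, end) in FIELDS.items()}
    if f["version"] != VERSION:
        raise ValueError(f"unsupported unified index version {f['version']}")
    if f["kind"] not in (KIND_KEY, KIND_FILE):
        raise ValueError(f"unknown index type code {f['kind']}")
    if f["user"] != str(requesting_user).zfill(6):
        # The user code is part of the index, so ownership is checked before any lookup.
        raise PermissionError("unified index does not belong to the requesting user")
    return ResolvedIndex(f["kind"], f["user"], f["db_type_or_dir"], f["table_or_dir"], f["value"])
```

Because the user code is carried inside the index itself, the ownership check costs nothing beyond string comparison and runs before any cache or database access, so a caller who guesses another user's index value is rejected at the parse step.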

The key management service interface is called, and on the basis of the index resolution information the secure key storage service interface is called to search multi-level hierarchical storage for the corresponding key or managed file, yielding the ciphertext key.

Once the ciphertext key has been obtained, it may be decrypted in the hardware security module of the key management cluster to obtain the plaintext key, which is returned over RDMA to the cryptographic operation process of the cryptographic operation cluster; the data is then encrypted or decrypted with the plaintext key. In this variant the plaintext key crosses the RDMA link between the clusters, so that link has to be confined to the trusted interconnect between them.

Alternatively, the ciphertext key can be returned directly over RDMA to the cryptographic operation process; the cryptographic operation cluster then decrypts it locally in its own hardware security module to obtain the plaintext key and uses that key to encrypt or decrypt the data. In this variant only ciphertext crosses the link between the clusters.

In the embodiment, the key management thread is created when the cryptographic operation process starts; within that thread the service interface of the key management cluster is called remotely over the low-latency RDMA protocol to obtain the key used in the computation, reducing communication latency and improving cryptographic throughput.

For small-batch computation requests, the user-specified unified key index can be sent to the key management cluster together with the data to be processed; the key management cluster then locates the key and processes the data itself. Once the plaintext key corresponding to the unified key index has been found in the key management cluster and the user's request has been served, the ciphertext key corresponding to that plaintext key is written back to the cache so that the next use is served directly from the cache, saving compute resources and time.

Taking key deletion during a key management process as an example, the cluster implementation method described above proceeds as follows:

The user sends a request to the key management process of the cryptographic operation cluster; the key management process verifies the user's identity and permissions with the smart token (智能密码钥匙);

If the identity and permission check passes, the services of the key management cluster are called remotely over the RDMA protocol and the call traffic is distributed by load balancing;

When the distributed traffic reaches the key management cluster, the client API service is called to parse the user request; for a key modification or query request, unified index resolution is performed;

According to the parsing result, the massive key management service interface and the secure key storage service interface are called to look up the ciphertext key at the specified index in the specified database and database table; the key at that index is deleted, which triggers a multi-level cache update;

In the multi-level cache, the key storage service key cache, the key management service key cache and the cryptographic operation cluster key cache are cleared layer by layer so that the cache stays consistent with the database, which completes the key management task.
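The cache hierarchy and the deletion procedure above, together with the lookup path on a cache miss in the cryptographic operation process (cache, then storage, then back-fill of the ciphertext key), are illustrated by the following added example; it is not the patent's code. The cache layers and the hierarchical storage are in-memory dictionaries named after the layers in the text, and the hardware security module is a stand-in class whose master key never leaves it and which wraps user keys with an HMAC-SHA256 keystream and tag in place of the real module's cipher. Those choices, the layer names and the sample key material are assumptions.

```python
import hashlib
import hmac
import os


class Hsm:
    """Stand-in for the hardware security module (assumption: HMAC-SHA256 keystream
    plus tag instead of the module's own cipher). The master key never leaves it."""

    def __init__(self, master_key: bytes) -> None:
        self._mk = master_key

    def _prf(self, label: bytes, data: bytes) -> bytes:
        # Domain-separated PRF so keystream blocks and tags can never coincide.
        return hmac.new(self._mk, label + data, hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out = b""
        for ctr in range((n + 31) // 32):
            out += self._prf(b"enc", nonce + ctr.to_bytes(4, "big"))
        return out[:n]

    def wrap(self, plaintext_key: bytes) -> bytes:
        """Encrypt-then-MAC: nonce || body || tag. Only this blob ever leaves the HSM."""
        nonce = os.urandom(16)
        body = bytes(a ^ b for a, b in zip(plaintext_key, self._keystream(nonce, len(plaintext_key))))
        return nonce + body + self._prf(b"mac", nonce + body)

    def unwrap(self, blob: bytes) -> bytes:
        """Verify the tag before decrypting; a tampered ciphertext key is rejected."""
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._prf(b"mac", nonce + body)):
            raise ValueError("ciphertext key failed integrity check")
        return bytes(a ^ b for a, b in zip(body, self._keystream(nonce, len(body))))


class KeyCluster:
    """Multi-level cache in front of hierarchical storage. Layers are listed from the
    innermost (next to storage) to the outermost (the cryptographic operation cluster)."""

    LAYERS = ("secure_key_storage_service", "massive_key_management_service",
              "client_api", "cryptographic_operation_cluster")

    def __init__(self, hsm: Hsm) -> None:
        self.hsm = hsm
        self.storage: dict[str, bytes] = {}          # multi-level storage, one dict here
        self.caches = {name: {} for name in self.LAYERS}

    def create_key(self, index: str, plaintext_key: bytes) -> None:
        # Keys are stored only as HSM-wrapped ciphertext.
        self.storage[index] = self.hsm.wrap(plaintext_key)

    def fetch_ciphertext(self, index: str) -> tuple[bytes, str]:
        """Look up from the outermost cache inward; on a miss read storage and back-fill every layer."""
        for name in reversed(self.LAYERS):
            if index in self.caches[name]:
                return self.caches[name][index], name
        blob = self.storage.get(index)
        if blob is None:
            raise KeyError(f"no key at index {index}")
        for name in self.LAYERS:
            self.caches[name][index] = blob
        return blob, "storage"

    def plaintext_key(self, index: str) -> bytes:
        """Ciphertext key from cache or storage, unwrapped inside the HSM."""
        blob, _ = self.fetch_ciphertext(index)
        return self.hsm.unwrap(blob)

    def delete_key(self, index: str) -> bool:
        """Delete from storage, then invalidate the caches layer by layer, inner to outer."""
        self.storage.pop(index, None)
        for name in self.LAYERS:
            self.caches[name].pop(index, None)
        return self.is_consistent(index)

    def is_consistent(self, index: str) -> bool:
        """No cache layer may still hold a key that storage no longer has."""
        if index in self.storage:
            return True
        return all(index not in cache for cache in self.caches.values())
```

The invalidation order matters: clearing from the storage-side cache outward means that a lookup racing with the deletion cannot re-populate an inner layer from a stale outer one, which is why is_consistent is evaluated only after the last layer has been cleared.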

As shown in Figure 5, the embodiment also provides a cluster implementation device 50 for massive key management, comprising a key management module 51 and a cryptographic operation module 52, where the key management module 51 performs the key management process based on the key management cluster and the cryptographic operation module 52 performs the cryptographic operation process based on the cryptographic operation cluster and the key management cluster.

Note that the division into the functional modules above is illustrative of how the cluster implementation device for massive key management performs the key management and cryptographic operation processes; the functions may be assigned to different functional modules as needed, i.e. the internal structure of the terminal or server may be divided into different functional modules to perform all or part of the functions described above. The cluster implementation device and the cluster implementation method for massive key management belong to the same inventive concept; the specific implementation is detailed in the method embodiment and is not repeated here.

The cluster implementation method and device for massive key management provided by the embodiment decouple the cryptographic operation cluster from the key management cluster, improve the performance and efficiency of cryptographic operations in the cluster by building a multi-level cache hierarchy and an RDMA-based cross-cluster communication mechanism, and improve the scalability of the cluster; the identity of the user performing key management operations is verified more securely with a smart token. The key management cluster of the invention makes fuller use of hardware and software resources, supports key generation, management, destruction, backup, key escrow, encrypted file escrow and similar services, and addresses the dispersal of massive numbers of keys, low management efficiency, tight coupling with cryptographic operations and high resource consumption.

The specific embodiments described above explain the technical solution and benefits of the invention in detail. It should be understood that the above is only the most preferred embodiment of the invention and is not intended to limit it; any modification, supplement or equivalent substitution made within the principles of the invention falls within its scope of protection.

Claims (10)

1. A cluster implementation method for massive key management, characterized by comprising the following steps:

a key management process based on a key management cluster, comprising: sending a key management request to a key management process, calling the services of the key management cluster, verifying the user's identity and permissions on the basis of the key management request, parsing the key management request a first time, and updating the key cache and the multi-level hierarchical storage according to the first parsing result;

a cryptographic operation process based on a cryptographic operation cluster and the key management cluster, comprising: sending a cryptographic operation request to a cryptographic operation process of the cryptographic operation cluster, verifying the user's identity and permissions on the basis of the cryptographic operation request, calling the services of the key management cluster over the RDMA protocol, parsing the cryptographic operation request a second time, obtaining the ciphertext key from the cache or from multi-level hierarchical storage according to the second parsing result, and returning the ciphertext key, or the plaintext key obtained by decrypting it, to the cryptographic operation cluster over the RDMA protocol to complete the encryption or decryption of data.

2. The cluster implementation method for massive key management according to claim 1, characterized in that the services of the key management cluster comprise:

a client API service, which exposes a unified calling interface and parses requests into parsing results;

a massive key management service, which provides a unified key management interface, has identity authentication and access control policies based on cryptographic tokens (密码钥匙) and a directory structure and index structure for reading and writing massive key files, creates a key cache layer for data caching, and handles key-related services;

a secure key storage service, which provides storage and query interfaces for massive numbers of keys with multi-level hierarchical storage: the master key is kept in the hardware security module, the encryption keys generated by the key management cluster and the user keys are stored in databases, and users' managed files are stored encrypted in a distributed file system, where the databases include structured databases, unstructured databases and distributed databases, and the managed files include massive key files and sensitive files;

a hardware security module, which keeps the master key, generates true random numbers, and provides the execution environment for securely encrypting and decrypting users' ciphertext keys.

3. The cluster implementation method for massive key management according to claim 2, characterized in that calling the services of the key management cluster, verifying the user's identity and permissions on the basis of the key management request, parsing the key management request a first time and updating the key cache and the multi-level hierarchical storage according to the first parsing result comprises:

after verifying the user's identity and permissions against the identity authentication and access control policies of the massive key management service, distributing the call flow by load balancing, then calling the client API service interface to parse the key management request a first time and, for a key modification or query request, performing unified key index resolution to obtain a first parsing result containing the key index;

calling the massive key management service and the secure key storage service to look up, by key index, the ciphertext key designated by the index in the cache layer or in multi-level hierarchical storage and to update it, where updating includes deletion and replacement.

4. The cluster implementation method for massive key management according to claim 2, characterized by further comprising: parsing the key management request a first time and, for a key creation request, parsing the directory/file index to obtain a first parsing result containing the directory/file index; calling the massive key management service and the secure key storage service to create a managed-file index for the directory/file index on the basis of the directory structure and index structure for reading and writing massive key files, and storing it in the cache layer and the distributed file system.

5. The cluster implementation method for massive key management according to claim 3 or 4, characterized by further comprising: after the ciphertext key has been updated by key index or the managed file has been newly stored by directory/file index, clearing the secure key storage service key cache and the massive key management service key cache layer by layer in the cache layer, so that the cache and the stored data remain consistent, which completes the key management task.

6. The cluster implementation method for massive key management according to claim 1, characterized in that, during a cryptographic operation, calling the services of the key management cluster over the RDMA protocol, parsing the cryptographic operation request a second time and obtaining the ciphertext key from the cache or from multi-level hierarchical storage according to the second parsing result comprises: parsing, in the key management thread, the unified index specified by the user; extracting, according to the definition of the unified index, the key index or managed-file index of the specified user; and looking up the corresponding key or managed file in the cache by that key index or managed-file index to obtain the ciphertext key.

7. The cluster implementation method for massive key management according to claim 6, characterized in that when the corresponding key or managed file cannot be found in the cache by key index or managed-file index, the client API service is called and the key index or managed-file index is passed to the client API service interface, which parses it again to obtain the index resolution information, comprising the database code, the database table code, and the key index code or the corresponding directory index code and file index code; the massive key management service is called and, on the basis of the index resolution information, the secure key storage service is called to search multi-level hierarchical storage for the corresponding key or managed file, obtaining the ciphertext key.

8. The cluster implementation method for massive key management according to claim 1, characterized by further comprising: creating a key management thread when the cryptographic operation process starts, and remotely calling the service interface of the key management cluster over the RDMA protocol from within that thread.

9. The cluster implementation method for massive key management according to claim 1, characterized in that the key management cluster defines a unified key index of fixed length 32 positions (位), in which position 0 is the unified index version number, positions 1-10 are the key index value or managed-file index value, positions 11-15 are the storage database table code or directory index code, positions 16-19 are the storage database type code or directory index code, positions 20-21 are the index type code, positions 22-27 are the user code, and the remaining positions are reserved extension fields.

10. A cluster implementation device for massive key management, characterized by comprising:

a key management module, for the key management process based on a key management cluster, comprising: sending a key management request to a key management process, calling the services of the key management cluster, verifying the user's identity and permissions on the basis of the key management request, parsing the key management request a first time, and updating the key cache and the multi-level hierarchical storage according to the first parsing result;

a cryptographic operation module, for the cryptographic operation process based on a cryptographic operation cluster and the key management cluster, comprising: sending a cryptographic operation request to a cryptographic operation process of the cryptographic operation cluster, verifying the user's identity and permissions on the basis of the cryptographic operation request, calling the services of the key management cluster over the RDMA protocol, parsing the cryptographic operation request a second time, obtaining the ciphertext key from the cache or from multi-level hierarchical storage according to the second parsing result, and returning the ciphertext key, or the plaintext key obtained by decrypting it, to the cryptographic operation cluster over the RDMA protocol to complete the encryption or decryption of data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410792147.2A CN118368063B (en) 2024-06-19 2024-06-19 Cluster implementation method and device for mass key management


Publications (2)

Publication Number Publication Date
CN118368063A true CN118368063A (en) 2024-07-19
CN118368063B CN118368063B (en) 2024-08-30

Family

ID=91886305


Country Status (1)

Country Link
CN (1) CN118368063B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118760405A (en) * 2024-09-06 2024-10-11 北京乐研科技股份有限公司 Data processing method, device, electronic device and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101159556A (en) * 2007-11-09 2008-04-09 清华大学 Key Management Method in Shared Encrypted File System Based on Group Key Server
CN107948156A (en) * 2017-11-24 2018-04-20 郑州云海信息技术有限公司 The closed key management method and system of a kind of identity-based
CN112818332A (en) * 2021-01-29 2021-05-18 西安得安信息技术有限公司 Password management service platform for intelligent manufacturing
CN115378592A (en) * 2022-08-22 2022-11-22 中国工商银行股份有限公司 Cryptographic service invocation method and system
CN115499228A (en) * 2022-09-22 2022-12-20 成都卫士通信息产业股份有限公司 A key protection method, device, equipment, and storage medium
CN115549898A (en) * 2022-09-14 2022-12-30 公安部第三研究所 Symmetric key management method under multi-level cross-domain environment
CN115913621A (en) * 2022-09-27 2023-04-04 中电信量子科技有限公司 Database encryption method, terminal and system suitable for cloud environment
US20240154883A1 (en) * 2021-07-12 2024-05-09 Intel Corporation Sixth generation (6g) system architecture and functions


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李向锋 (Li Xiangfeng): "Research on a cryptographic computing resource pool based on multi-technology fusion" (基于多技术融合的密码计算资源池研究), 信息安全研究 (Journal of Information Security Research), 5 April 2021 (2021-04-05) *


Also Published As

Publication number Publication date
CN118368063B (en) 2024-08-30


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant