CN110166458B - Three-level key encryption method - Google Patents

Three-level key encryption method Download PDF

Info

Publication number
CN110166458B
CN110166458B CN201910434496.6A CN201910434496A CN110166458B CN 110166458 B CN110166458 B CN 110166458B CN 201910434496 A CN201910434496 A CN 201910434496A CN 110166458 B CN110166458 B CN 110166458B
Authority
CN
China
Prior art keywords
key
file
encrypted
initial vector
ciphertext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910434496.6A
Other languages
Chinese (zh)
Other versions
CN110166458A (en
Inventor
王怀尊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to CN201910434496.6A priority Critical patent/CN110166458B/en
Publication of CN110166458A publication Critical patent/CN110166458A/en
Application granted granted Critical
Publication of CN110166458B publication Critical patent/CN110166458B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a three-level secret key encryption system, which comprises the following steps: the invention relates to a method for encrypting a file, which comprises the steps of key classification, file encryption, file decryption and key management.

Description

Three-level key encryption method
Technical Field
The invention relates to the technical field of secret key encryption, in particular to a three-level secret key encryption system.
Background
After the existing symmetric key encryption technology encrypts the files, the security of the key becomes a difficult problem, and once a database or a file system for storing the key is broken, all the files have exposure risks.
Disclosure of Invention
In order to solve the technical problems, the technical scheme provided by the invention is as follows: a three-level key encryption system comprising the steps of:
s1, the third-level key comprises a root key which is solidified in the program and is only used for encrypting the system key, a system key which can be dynamically modified and a file key which is generated by using a random algorithm and corresponds to the file;
s2, file encryption: the encryption algorithm adopts a symmetric encryption algorithm, a 256-bit secret key and a CBC mode are used, each file is configured with a file secret key and an Initial Vector (IV), and the file secret key is encrypted by a built-in system secret key and then stored in a database;
s3, file decryption: the method comprises the following steps that a file can be decrypted only when two elements, namely a file key and an Initial Vector (IV), are simultaneously possessed, the file key is stored in a database after being encrypted through a system key, and the initial vector is stored in an encrypted file; when decrypting, reading out the file secret key and decrypting, and then decrypting the file data by matching with the initial vector;
s4, key management: the system key, the file key and the initial vector are respectively stored in a database and a file server.
As an improvement, the file encryption process comprises the following steps:
s2-1, generating key data (binary vector) with the length required by encryption by using a key generation algorithm;
s2-2, generating an initial vector required by file encryption operation by using a random algorithm;
s2-3, encrypting the file by using the secret key and the initial vector;
s2-4, storing the file in a file memory, storing the initial vector and the file ID in the head position of the encrypted file, wherein the file ID uses a unique character sequence generated by a serial number or other modes;
s2-5, encrypting the key data by using the system key, and storing the key in the database, wherein the key data takes the file ID as the main key.
As an improvement, the file decryption process comprises the following steps:
s3-1, reading out the file ID from the file, and obtaining a file key ciphertext from the database according to the ID;
s3-2, obtaining a system key ciphertext, decrypting the system key and decrypting the file key by using the system key;
and S3-3, decrypting the file ciphertext by using the file key and the vector data read from the file.
As an improvement, the key management process comprises the following steps:
s4-1, solidifying the root key in the compiled program during system development, or providing the root key in the form of an additional independent file;
s4-2, the system secret key is triggered by a system administrator through an interface function provided externally, the system background automatically generates the system secret key, and the system secret key is encrypted by using the secret key and then is stored in a database, so that the temporary system secret key generated in the development and test processes can be replaced when the temporary system secret key is formally on-line;
s4-3, generating a file key and an encryption vector when each file is encrypted, wherein the key is encrypted and stored in a database (or other persistent storage modes), and the initial vector is stored in the encrypted file in a specific format;
s4-4, through the key management process from S4-1 to S4-3, the root key is generated by a developer and exists in the application server, the system key is encrypted by using the root key, the file key is encrypted by using the system key and then stored in the database server, and the encrypted initial vector and the encrypted ciphertext are stored in the file server.
As an improvement, when the system key is changed every time, the file key needs to be decrypted again, encrypted by using a new system key, and then stored.
After adopting the structure, the invention has the following advantages: according to the invention, through three-level secret key encryption, all links of system development, maintenance and use can not independently obtain all secret keys, and through a method of grading secret keys, a new encryption algorithm is not needed, so that the security of encrypted files is ensured.
Drawings
Fig. 1 is a schematic structural diagram of a three-level key structure of a three-level key encryption system according to the present invention.
Fig. 2 is a schematic structural diagram of a file encryption process of a three-level key encryption system according to the present invention.
FIG. 3 is a schematic diagram of a file decryption process of a three-level key encryption system according to the present invention.
Detailed Description
With reference to fig. 1 to 3, a three-level key encryption system includes the following steps:
s1, the three-level keys comprise a root key which is solidified in the program and is only used for encrypting the system key, a system key which can be dynamically modified and a file key which is generated by using a random algorithm and corresponds to the file; the initialization and modification of the system key are triggered to generate a function through an interface by a system administrator after the system is on line, the server side sets a random key, the random key is not transmitted to the client side, an operator cannot contact the content of the key, the file key is generated by using a safe random algorithm when a file is encrypted, and the client side cannot contact the content of the key.
S2, file encryption: the encryption algorithm adopts a symmetric encryption algorithm, a 256-bit secret key and a CBC mode are used, each file is configured with a file secret key and an Initial Vector (IV), and the file secret key is encrypted by a built-in system secret key and then stored in a database;
s3, file decryption: the file decryption method includes the steps that a file can be decrypted only when two elements including a file key and an Initial Vector (IV) are simultaneously possessed, the file key is stored in a database after being encrypted through a system key, and the initial vector is stored in an encrypted file; when decrypting, reading out the file secret key and decrypting, and then decrypting the file data by matching with the initial vector;
s4, key management: the system key, the file key and the initial vector are respectively stored in a database and a file server.
As a preferred embodiment of this embodiment, the file encryption process includes the following steps:
s2-1, generating key data (binary vector) with the length required by encryption by using a key generation algorithm;
s2-2, generating an initial vector required by file encryption operation by using a random algorithm;
s2-3, encrypting the file by using the secret key and the initial vector;
s2-4, storing the file in a file memory, storing the initial vector and the file ID at the head position of the encrypted file, wherein the file ID uses a unique character sequence generated by a serial number or other modes;
s2-5, encrypting the key data by using the system key, and storing the key in the database, wherein the key data takes the file ID as the main key.
As a preferred embodiment of this embodiment, the file decryption process includes the following steps:
s3-1, reading out the file ID from the file, and obtaining a file key ciphertext from the database according to the ID;
s3-2, obtaining a system key ciphertext, decrypting the system key and decrypting the file key by using the system key;
and S3-3, decrypting the file ciphertext by using the file key and the vector data read from the file.
As a preferred implementation of this embodiment, the key management process includes the following steps:
s4-1, solidifying the root key in the compiled program during system development, or providing the root key in the form of an additional independent file;
s4-2, the system secret key is triggered by a system administrator through an interface function provided externally, the system background automatically generates the system secret key, and the system secret key is encrypted by using the secret key and then is stored in a database, so that the temporary system secret key generated in the development and test processes can be replaced when the temporary system secret key is formally on-line;
s4-3, generating a file key and an encryption vector when each file is encrypted, wherein the key is encrypted and stored in a database (or other persistent storage modes), and the initial vector is stored in the encrypted file in a specific format;
s4-4, through the key management process from S4-1 to S4-3, the root key is generated by a developer and exists in the application server, the system key is encrypted by using the root key, the file key is encrypted by using the system key and then stored in the database server, and the encrypted initial vector and the encrypted ciphertext are stored in the file server. As long as development and system operation and maintenance and system administrator responsibility are separated, the safety of the whole encrypted file can be ensured. The root key, the system key, the file key and the encrypted file must be mastered at the same time to decrypt the file, so that the security of the file is greatly improved.
As a preferred embodiment of this embodiment, each time the system key is changed, the file key needs to be decrypted again and encrypted by using a new system key before being stored.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made in the above embodiments by those of ordinary skill in the art without departing from the principle and spirit of the present invention.

Claims (2)

1. A three-level key encryption method is characterized by comprising the following steps:
s1, the third-level key comprises a root key which is solidified in the program and is only used for encrypting the system key, a system key which can be dynamically modified and a file key which is generated by using a random algorithm and corresponds to the file;
s2, file encryption: the encryption algorithm adopts a symmetric encryption algorithm, a 256-bit secret key and a CBC mode are used, a file secret key and an Initial Vector (IV) are configured for each file, and the file secret key is encrypted by a built-in system secret key and then stored in a database; the method specifically comprises the following steps:
s2-1, generating a file key with a length required by encryption by using a key generation algorithm;
s2-2, generating an initial vector required by file encryption operation by using a random algorithm;
s2-3, encrypting the file by using the file key and the initial vector;
s2-4, storing the file ciphertext in the file server, storing the initial vector and the file ID in the head position of the encrypted file, wherein the file ID uses a unique character sequence generated by a serial number or other modes;
s2-5, encrypting the file key by using the system key, and storing a file key ciphertext in the database, wherein the file key ciphertext takes the file ID as a main key;
s3, file decryption: the file can be decrypted only when the two elements of the file key and the initial vector are possessed simultaneously, the file key is stored in the database after being encrypted by the system key, and the initial vector is stored in the encrypted file; when decrypting, the file secret key ciphertext is read and decrypted, and then the file ciphertext is decrypted by matching with the initial vector; the method specifically comprises the following steps:
s3-1, reading a file ID from the encrypted file, and acquiring a file key ciphertext from a database according to the file ID;
s3-2, obtaining the system key ciphertext, decrypting the system key and decrypting the file key ciphertext by using the system key;
s3-3, decrypting the file ciphertext by using the decrypted file key and the initial vector read from the file ciphertext;
s4, key management: storing the system key and the file key in a database; storing the initial vector on a file server; the method specifically comprises the following steps:
s4-1, solidifying the root key in the compiled program during system development, or providing the root key in the form of an additional independent file;
s4-2, the system secret key is triggered by a system administrator through an externally provided interface function, the system background automatically generates the system secret key, and the system secret key is encrypted by using the secret key and then is stored in a database, so that the temporary system secret key generated in the development and test processes can be replaced when the temporary system secret key is formally on-line;
s4-3, the file key and the initial vector are generated when each file is encrypted, the file key is encrypted and stored in the database, and the initial vector is stored in the encrypted file in a specific format;
s4-4, through the key management process from S4-1 to S4-3, the root key is generated by a developer and exists in the application server, the system key is encrypted by using the root key, the file key is encrypted by using the system key and then stored in the database, and the initial vector and the file ciphertext are stored in the file server.
2. The three-level key encryption method according to claim 1, wherein: when the system key is changed every time, the file key needs to be decrypted again, encrypted by using a new system key and then stored.
CN201910434496.6A 2019-05-23 2019-05-23 Three-level key encryption method Active CN110166458B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910434496.6A CN110166458B (en) 2019-05-23 2019-05-23 Three-level key encryption method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910434496.6A CN110166458B (en) 2019-05-23 2019-05-23 Three-level key encryption method

Publications (2)

Publication Number Publication Date
CN110166458A CN110166458A (en) 2019-08-23
CN110166458B true CN110166458B (en) 2022-08-02

Family

ID=67632413

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910434496.6A Active CN110166458B (en) 2019-05-23 2019-05-23 Three-level key encryption method

Country Status (1)

Country Link
CN (1) CN110166458B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113656814A (en) * 2021-07-30 2021-11-16 成都长城开发科技有限公司 Equipment key safety management method and system
CN114095302A (en) * 2021-11-23 2022-02-25 北京云迹科技有限公司 Encryption system based on CAN bus transmission
CN114826696B (en) * 2022-04-08 2023-05-09 中国电子科技集团公司第三十研究所 File content hierarchical sharing method, device, equipment and medium

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102014133A (en) * 2010-11-26 2011-04-13 清华大学 Method for implementing safe storage system in cloud storage environment
CN102685148A (en) * 2012-05-31 2012-09-19 清华大学 Method for realizing secure network backup system under cloud storage environment
CN104580487A (en) * 2015-01-20 2015-04-29 成都信升斯科技有限公司 Mass data storage system and processing method
CN104780175A (en) * 2015-04-24 2015-07-15 广东电网有限责任公司信息中心 Hierarchical classification access authorization management method based on roles
CN105072134A (en) * 2015-08-31 2015-11-18 成都卫士通信息产业股份有限公司 Cloud disk system file secure transmission method based on three-level key
CN105245328A (en) * 2015-09-09 2016-01-13 西安电子科技大学 User and file key generation and management method based on third party
CN105740725A (en) * 2016-01-29 2016-07-06 北京大学 File protection method and system
CN105812391A (en) * 2016-05-16 2016-07-27 广州鼎鼎信息科技有限公司 Safe cloud storage system
US9735962B1 (en) * 2015-09-30 2017-08-15 EMC IP Holding Company LLC Three layer key wrapping for securing encryption keys in a data storage system
CN109040109A (en) * 2018-08-31 2018-12-18 国鼎网络空间安全技术有限公司 Data trade method and system based on key management mechanism
CN109635586A (en) * 2018-12-13 2019-04-16 苏州科达科技股份有限公司 Media file encryption key managing method, system, equipment and storage medium
CN109711175A (en) * 2018-12-11 2019-05-03 武汉达梦数据库有限公司 A kind of database encryption method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106330868B (en) * 2016-08-14 2019-11-26 北京数盾信息科技有限公司 A kind of high speed network encryption storage key management system and method
CN206611427U (en) * 2017-03-28 2017-11-03 浙江神州量子网络科技有限公司 A kind of key storage management system based on trust computing device
CN206611428U (en) * 2017-03-28 2017-11-03 浙江神州量子网络科技有限公司 A kind of remote cipher key based on quantum communication network issues system

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102014133A (en) * 2010-11-26 2011-04-13 清华大学 Method for implementing safe storage system in cloud storage environment
CN102685148A (en) * 2012-05-31 2012-09-19 清华大学 Method for realizing secure network backup system under cloud storage environment
CN104580487A (en) * 2015-01-20 2015-04-29 成都信升斯科技有限公司 Mass data storage system and processing method
CN104780175A (en) * 2015-04-24 2015-07-15 广东电网有限责任公司信息中心 Hierarchical classification access authorization management method based on roles
CN105072134A (en) * 2015-08-31 2015-11-18 成都卫士通信息产业股份有限公司 Cloud disk system file secure transmission method based on three-level key
CN105245328A (en) * 2015-09-09 2016-01-13 西安电子科技大学 User and file key generation and management method based on third party
US9735962B1 (en) * 2015-09-30 2017-08-15 EMC IP Holding Company LLC Three layer key wrapping for securing encryption keys in a data storage system
CN105740725A (en) * 2016-01-29 2016-07-06 北京大学 File protection method and system
CN105812391A (en) * 2016-05-16 2016-07-27 广州鼎鼎信息科技有限公司 Safe cloud storage system
CN109040109A (en) * 2018-08-31 2018-12-18 国鼎网络空间安全技术有限公司 Data trade method and system based on key management mechanism
CN109711175A (en) * 2018-12-11 2019-05-03 武汉达梦数据库有限公司 A kind of database encryption method and device
CN109635586A (en) * 2018-12-13 2019-04-16 苏州科达科技股份有限公司 Media file encryption key managing method, system, equipment and storage medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"一种云存储环境下的安全网盘***";傅颖勋,罗圣美,舒继武.;《软件学报》;20140815;第25卷(第08期);第1831-1843页 *
"密钥安全性讨论 ";jz;《华为云+云社区 ,原文链接:https://bbs.huaweicloud.com/forum/thread-5695-1-1.html 》;20171230;第1-5页 *
"网络安全系列 之 密钥安全管理";eaglediao;《原文链接为:https://www.cnblogs.com/eaglediao/p/7798066.html 》;20171107;第1-4页 *

Also Published As

Publication number Publication date
CN110166458A (en) 2019-08-23

Similar Documents

Publication Publication Date Title
CN107086915B (en) Data transmission method, data sending end and data receiving end
CN110166458B (en) Three-level key encryption method
CN105681031B (en) A kind of storage encryption gateway key management system and method
CN109543434B (en) Block chain information encryption method, decryption method, storage method and device
CN101043326B (en) Dynamic information encrypting system and method
CN105184181B (en) File encryption method, file decryption method and file encryption device
CN103618705A (en) Personal code managing tool and method under open cloud platform
CN112866227A (en) File authorization protection method and system
TWI597960B (en) Key splitting
CN105915345A (en) Realization method for authorized production and reform in home gateway device production testing
CN112528309A (en) Data storage encryption and decryption method and device
CN106257859A (en) A kind of password using method
Veeraragavan et al. Enhanced encryption algorithm (EEA) for protecting users' credentials in public cloud
CN112187767A (en) Multi-party contract consensus system, method and medium based on block chain
CN100531032C (en) Method for storing cipher key
CN106452754B (en) Multi-user online dynamic encryption method and device
CN112329066A (en) Data file encryption method and system
CN114329390A (en) Financial institution database access password protection method and system
CN114036541A (en) Application method for compositely encrypting and storing user private content
GB2446200A (en) Encryption system for peer-to-peer networks which relies on hash based self-encryption and mapping
CN106027553A (en) Encryption/decryption method based on dynamic password
CN108197487A (en) A kind of encryption method and system for promoting mass data security performance
CN109635577A (en) A kind of method of the data file of offline decryption oracle tde encryption
CN110135187A (en) A kind of file encryption-decryption system and encipher-decipher method based on PUF
CN113111372B (en) Terminal data cloud loading system and method based on quantum key encryption

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant