CN110166458B - Three-level key encryption method - Google Patents
Three-level key encryption method Download PDFInfo
- Publication number
- CN110166458B CN110166458B CN201910434496.6A CN201910434496A CN110166458B CN 110166458 B CN110166458 B CN 110166458B CN 201910434496 A CN201910434496 A CN 201910434496A CN 110166458 B CN110166458 B CN 110166458B
- Authority
- CN
- China
- Prior art keywords
- key
- file
- encrypted
- initial vector
- ciphertext
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0478—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a three-level secret key encryption system, which comprises the following steps: the invention relates to a method for encrypting a file, which comprises the steps of key classification, file encryption, file decryption and key management.
Description
Technical Field
The invention relates to the technical field of secret key encryption, in particular to a three-level secret key encryption system.
Background
After the existing symmetric key encryption technology encrypts the files, the security of the key becomes a difficult problem, and once a database or a file system for storing the key is broken, all the files have exposure risks.
Disclosure of Invention
In order to solve the technical problems, the technical scheme provided by the invention is as follows: a three-level key encryption system comprising the steps of:
s1, the third-level key comprises a root key which is solidified in the program and is only used for encrypting the system key, a system key which can be dynamically modified and a file key which is generated by using a random algorithm and corresponds to the file;
s2, file encryption: the encryption algorithm adopts a symmetric encryption algorithm, a 256-bit secret key and a CBC mode are used, each file is configured with a file secret key and an Initial Vector (IV), and the file secret key is encrypted by a built-in system secret key and then stored in a database;
s3, file decryption: the method comprises the following steps that a file can be decrypted only when two elements, namely a file key and an Initial Vector (IV), are simultaneously possessed, the file key is stored in a database after being encrypted through a system key, and the initial vector is stored in an encrypted file; when decrypting, reading out the file secret key and decrypting, and then decrypting the file data by matching with the initial vector;
s4, key management: the system key, the file key and the initial vector are respectively stored in a database and a file server.
As an improvement, the file encryption process comprises the following steps:
s2-1, generating key data (binary vector) with the length required by encryption by using a key generation algorithm;
s2-2, generating an initial vector required by file encryption operation by using a random algorithm;
s2-3, encrypting the file by using the secret key and the initial vector;
s2-4, storing the file in a file memory, storing the initial vector and the file ID in the head position of the encrypted file, wherein the file ID uses a unique character sequence generated by a serial number or other modes;
s2-5, encrypting the key data by using the system key, and storing the key in the database, wherein the key data takes the file ID as the main key.
As an improvement, the file decryption process comprises the following steps:
s3-1, reading out the file ID from the file, and obtaining a file key ciphertext from the database according to the ID;
s3-2, obtaining a system key ciphertext, decrypting the system key and decrypting the file key by using the system key;
and S3-3, decrypting the file ciphertext by using the file key and the vector data read from the file.
As an improvement, the key management process comprises the following steps:
s4-1, solidifying the root key in the compiled program during system development, or providing the root key in the form of an additional independent file;
s4-2, the system secret key is triggered by a system administrator through an interface function provided externally, the system background automatically generates the system secret key, and the system secret key is encrypted by using the secret key and then is stored in a database, so that the temporary system secret key generated in the development and test processes can be replaced when the temporary system secret key is formally on-line;
s4-3, generating a file key and an encryption vector when each file is encrypted, wherein the key is encrypted and stored in a database (or other persistent storage modes), and the initial vector is stored in the encrypted file in a specific format;
s4-4, through the key management process from S4-1 to S4-3, the root key is generated by a developer and exists in the application server, the system key is encrypted by using the root key, the file key is encrypted by using the system key and then stored in the database server, and the encrypted initial vector and the encrypted ciphertext are stored in the file server.
As an improvement, when the system key is changed every time, the file key needs to be decrypted again, encrypted by using a new system key, and then stored.
After adopting the structure, the invention has the following advantages: according to the invention, through three-level secret key encryption, all links of system development, maintenance and use can not independently obtain all secret keys, and through a method of grading secret keys, a new encryption algorithm is not needed, so that the security of encrypted files is ensured.
Drawings
Fig. 1 is a schematic structural diagram of a three-level key structure of a three-level key encryption system according to the present invention.
Fig. 2 is a schematic structural diagram of a file encryption process of a three-level key encryption system according to the present invention.
FIG. 3 is a schematic diagram of a file decryption process of a three-level key encryption system according to the present invention.
Detailed Description
With reference to fig. 1 to 3, a three-level key encryption system includes the following steps:
s1, the three-level keys comprise a root key which is solidified in the program and is only used for encrypting the system key, a system key which can be dynamically modified and a file key which is generated by using a random algorithm and corresponds to the file; the initialization and modification of the system key are triggered to generate a function through an interface by a system administrator after the system is on line, the server side sets a random key, the random key is not transmitted to the client side, an operator cannot contact the content of the key, the file key is generated by using a safe random algorithm when a file is encrypted, and the client side cannot contact the content of the key.
S2, file encryption: the encryption algorithm adopts a symmetric encryption algorithm, a 256-bit secret key and a CBC mode are used, each file is configured with a file secret key and an Initial Vector (IV), and the file secret key is encrypted by a built-in system secret key and then stored in a database;
s3, file decryption: the file decryption method includes the steps that a file can be decrypted only when two elements including a file key and an Initial Vector (IV) are simultaneously possessed, the file key is stored in a database after being encrypted through a system key, and the initial vector is stored in an encrypted file; when decrypting, reading out the file secret key and decrypting, and then decrypting the file data by matching with the initial vector;
s4, key management: the system key, the file key and the initial vector are respectively stored in a database and a file server.
As a preferred embodiment of this embodiment, the file encryption process includes the following steps:
s2-1, generating key data (binary vector) with the length required by encryption by using a key generation algorithm;
s2-2, generating an initial vector required by file encryption operation by using a random algorithm;
s2-3, encrypting the file by using the secret key and the initial vector;
s2-4, storing the file in a file memory, storing the initial vector and the file ID at the head position of the encrypted file, wherein the file ID uses a unique character sequence generated by a serial number or other modes;
s2-5, encrypting the key data by using the system key, and storing the key in the database, wherein the key data takes the file ID as the main key.
As a preferred embodiment of this embodiment, the file decryption process includes the following steps:
s3-1, reading out the file ID from the file, and obtaining a file key ciphertext from the database according to the ID;
s3-2, obtaining a system key ciphertext, decrypting the system key and decrypting the file key by using the system key;
and S3-3, decrypting the file ciphertext by using the file key and the vector data read from the file.
As a preferred implementation of this embodiment, the key management process includes the following steps:
s4-1, solidifying the root key in the compiled program during system development, or providing the root key in the form of an additional independent file;
s4-2, the system secret key is triggered by a system administrator through an interface function provided externally, the system background automatically generates the system secret key, and the system secret key is encrypted by using the secret key and then is stored in a database, so that the temporary system secret key generated in the development and test processes can be replaced when the temporary system secret key is formally on-line;
s4-3, generating a file key and an encryption vector when each file is encrypted, wherein the key is encrypted and stored in a database (or other persistent storage modes), and the initial vector is stored in the encrypted file in a specific format;
s4-4, through the key management process from S4-1 to S4-3, the root key is generated by a developer and exists in the application server, the system key is encrypted by using the root key, the file key is encrypted by using the system key and then stored in the database server, and the encrypted initial vector and the encrypted ciphertext are stored in the file server. As long as development and system operation and maintenance and system administrator responsibility are separated, the safety of the whole encrypted file can be ensured. The root key, the system key, the file key and the encrypted file must be mastered at the same time to decrypt the file, so that the security of the file is greatly improved.
As a preferred embodiment of this embodiment, each time the system key is changed, the file key needs to be decrypted again and encrypted by using a new system key before being stored.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made in the above embodiments by those of ordinary skill in the art without departing from the principle and spirit of the present invention.
Claims (2)
1. A three-level key encryption method is characterized by comprising the following steps:
s1, the third-level key comprises a root key which is solidified in the program and is only used for encrypting the system key, a system key which can be dynamically modified and a file key which is generated by using a random algorithm and corresponds to the file;
s2, file encryption: the encryption algorithm adopts a symmetric encryption algorithm, a 256-bit secret key and a CBC mode are used, a file secret key and an Initial Vector (IV) are configured for each file, and the file secret key is encrypted by a built-in system secret key and then stored in a database; the method specifically comprises the following steps:
s2-1, generating a file key with a length required by encryption by using a key generation algorithm;
s2-2, generating an initial vector required by file encryption operation by using a random algorithm;
s2-3, encrypting the file by using the file key and the initial vector;
s2-4, storing the file ciphertext in the file server, storing the initial vector and the file ID in the head position of the encrypted file, wherein the file ID uses a unique character sequence generated by a serial number or other modes;
s2-5, encrypting the file key by using the system key, and storing a file key ciphertext in the database, wherein the file key ciphertext takes the file ID as a main key;
s3, file decryption: the file can be decrypted only when the two elements of the file key and the initial vector are possessed simultaneously, the file key is stored in the database after being encrypted by the system key, and the initial vector is stored in the encrypted file; when decrypting, the file secret key ciphertext is read and decrypted, and then the file ciphertext is decrypted by matching with the initial vector; the method specifically comprises the following steps:
s3-1, reading a file ID from the encrypted file, and acquiring a file key ciphertext from a database according to the file ID;
s3-2, obtaining the system key ciphertext, decrypting the system key and decrypting the file key ciphertext by using the system key;
s3-3, decrypting the file ciphertext by using the decrypted file key and the initial vector read from the file ciphertext;
s4, key management: storing the system key and the file key in a database; storing the initial vector on a file server; the method specifically comprises the following steps:
s4-1, solidifying the root key in the compiled program during system development, or providing the root key in the form of an additional independent file;
s4-2, the system secret key is triggered by a system administrator through an externally provided interface function, the system background automatically generates the system secret key, and the system secret key is encrypted by using the secret key and then is stored in a database, so that the temporary system secret key generated in the development and test processes can be replaced when the temporary system secret key is formally on-line;
s4-3, the file key and the initial vector are generated when each file is encrypted, the file key is encrypted and stored in the database, and the initial vector is stored in the encrypted file in a specific format;
s4-4, through the key management process from S4-1 to S4-3, the root key is generated by a developer and exists in the application server, the system key is encrypted by using the root key, the file key is encrypted by using the system key and then stored in the database, and the initial vector and the file ciphertext are stored in the file server.
2. The three-level key encryption method according to claim 1, wherein: when the system key is changed every time, the file key needs to be decrypted again, encrypted by using a new system key and then stored.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910434496.6A CN110166458B (en) | 2019-05-23 | 2019-05-23 | Three-level key encryption method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910434496.6A CN110166458B (en) | 2019-05-23 | 2019-05-23 | Three-level key encryption method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110166458A CN110166458A (en) | 2019-08-23 |
CN110166458B true CN110166458B (en) | 2022-08-02 |
Family
ID=67632413
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910434496.6A Active CN110166458B (en) | 2019-05-23 | 2019-05-23 | Three-level key encryption method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110166458B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113656814A (en) * | 2021-07-30 | 2021-11-16 | 成都长城开发科技有限公司 | Equipment key safety management method and system |
CN114095302A (en) * | 2021-11-23 | 2022-02-25 | 北京云迹科技有限公司 | Encryption system based on CAN bus transmission |
CN114826696B (en) * | 2022-04-08 | 2023-05-09 | 中国电子科技集团公司第三十研究所 | File content hierarchical sharing method, device, equipment and medium |
Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102014133A (en) * | 2010-11-26 | 2011-04-13 | 清华大学 | Method for implementing safe storage system in cloud storage environment |
CN102685148A (en) * | 2012-05-31 | 2012-09-19 | 清华大学 | Method for realizing secure network backup system under cloud storage environment |
CN104580487A (en) * | 2015-01-20 | 2015-04-29 | 成都信升斯科技有限公司 | Mass data storage system and processing method |
CN104780175A (en) * | 2015-04-24 | 2015-07-15 | 广东电网有限责任公司信息中心 | Hierarchical classification access authorization management method based on roles |
CN105072134A (en) * | 2015-08-31 | 2015-11-18 | 成都卫士通信息产业股份有限公司 | Cloud disk system file secure transmission method based on three-level key |
CN105245328A (en) * | 2015-09-09 | 2016-01-13 | 西安电子科技大学 | User and file key generation and management method based on third party |
CN105740725A (en) * | 2016-01-29 | 2016-07-06 | 北京大学 | File protection method and system |
CN105812391A (en) * | 2016-05-16 | 2016-07-27 | 广州鼎鼎信息科技有限公司 | Safe cloud storage system |
US9735962B1 (en) * | 2015-09-30 | 2017-08-15 | EMC IP Holding Company LLC | Three layer key wrapping for securing encryption keys in a data storage system |
CN109040109A (en) * | 2018-08-31 | 2018-12-18 | 国鼎网络空间安全技术有限公司 | Data trade method and system based on key management mechanism |
CN109635586A (en) * | 2018-12-13 | 2019-04-16 | 苏州科达科技股份有限公司 | Media file encryption key managing method, system, equipment and storage medium |
CN109711175A (en) * | 2018-12-11 | 2019-05-03 | 武汉达梦数据库有限公司 | A kind of database encryption method and device |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106330868B (en) * | 2016-08-14 | 2019-11-26 | 北京数盾信息科技有限公司 | A kind of high speed network encryption storage key management system and method |
CN206611427U (en) * | 2017-03-28 | 2017-11-03 | 浙江神州量子网络科技有限公司 | A kind of key storage management system based on trust computing device |
CN206611428U (en) * | 2017-03-28 | 2017-11-03 | 浙江神州量子网络科技有限公司 | A kind of remote cipher key based on quantum communication network issues system |
-
2019
- 2019-05-23 CN CN201910434496.6A patent/CN110166458B/en active Active
Patent Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102014133A (en) * | 2010-11-26 | 2011-04-13 | 清华大学 | Method for implementing safe storage system in cloud storage environment |
CN102685148A (en) * | 2012-05-31 | 2012-09-19 | 清华大学 | Method for realizing secure network backup system under cloud storage environment |
CN104580487A (en) * | 2015-01-20 | 2015-04-29 | 成都信升斯科技有限公司 | Mass data storage system and processing method |
CN104780175A (en) * | 2015-04-24 | 2015-07-15 | 广东电网有限责任公司信息中心 | Hierarchical classification access authorization management method based on roles |
CN105072134A (en) * | 2015-08-31 | 2015-11-18 | 成都卫士通信息产业股份有限公司 | Cloud disk system file secure transmission method based on three-level key |
CN105245328A (en) * | 2015-09-09 | 2016-01-13 | 西安电子科技大学 | User and file key generation and management method based on third party |
US9735962B1 (en) * | 2015-09-30 | 2017-08-15 | EMC IP Holding Company LLC | Three layer key wrapping for securing encryption keys in a data storage system |
CN105740725A (en) * | 2016-01-29 | 2016-07-06 | 北京大学 | File protection method and system |
CN105812391A (en) * | 2016-05-16 | 2016-07-27 | 广州鼎鼎信息科技有限公司 | Safe cloud storage system |
CN109040109A (en) * | 2018-08-31 | 2018-12-18 | 国鼎网络空间安全技术有限公司 | Data trade method and system based on key management mechanism |
CN109711175A (en) * | 2018-12-11 | 2019-05-03 | 武汉达梦数据库有限公司 | A kind of database encryption method and device |
CN109635586A (en) * | 2018-12-13 | 2019-04-16 | 苏州科达科技股份有限公司 | Media file encryption key managing method, system, equipment and storage medium |
Non-Patent Citations (3)
Title |
---|
"一种云存储环境下的安全网盘***";傅颖勋,罗圣美,舒继武.;《软件学报》;20140815;第25卷(第08期);第1831-1843页 * |
"密钥安全性讨论 ";jz;《华为云+云社区 ,原文链接:https://bbs.huaweicloud.com/forum/thread-5695-1-1.html 》;20171230;第1-5页 * |
"网络安全系列 之 密钥安全管理";eaglediao;《原文链接为:https://www.cnblogs.com/eaglediao/p/7798066.html 》;20171107;第1-4页 * |
Also Published As
Publication number | Publication date |
---|---|
CN110166458A (en) | 2019-08-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107086915B (en) | Data transmission method, data sending end and data receiving end | |
CN110166458B (en) | Three-level key encryption method | |
CN105681031B (en) | A kind of storage encryption gateway key management system and method | |
CN109543434B (en) | Block chain information encryption method, decryption method, storage method and device | |
CN101043326B (en) | Dynamic information encrypting system and method | |
CN105184181B (en) | File encryption method, file decryption method and file encryption device | |
CN103618705A (en) | Personal code managing tool and method under open cloud platform | |
CN112866227A (en) | File authorization protection method and system | |
TWI597960B (en) | Key splitting | |
CN105915345A (en) | Realization method for authorized production and reform in home gateway device production testing | |
CN112528309A (en) | Data storage encryption and decryption method and device | |
CN106257859A (en) | A kind of password using method | |
Veeraragavan et al. | Enhanced encryption algorithm (EEA) for protecting users' credentials in public cloud | |
CN112187767A (en) | Multi-party contract consensus system, method and medium based on block chain | |
CN100531032C (en) | Method for storing cipher key | |
CN106452754B (en) | Multi-user online dynamic encryption method and device | |
CN112329066A (en) | Data file encryption method and system | |
CN114329390A (en) | Financial institution database access password protection method and system | |
CN114036541A (en) | Application method for compositely encrypting and storing user private content | |
GB2446200A (en) | Encryption system for peer-to-peer networks which relies on hash based self-encryption and mapping | |
CN106027553A (en) | Encryption/decryption method based on dynamic password | |
CN108197487A (en) | A kind of encryption method and system for promoting mass data security performance | |
CN109635577A (en) | A kind of method of the data file of offline decryption oracle tde encryption | |
CN110135187A (en) | A kind of file encryption-decryption system and encipher-decipher method based on PUF | |
CN113111372B (en) | Terminal data cloud loading system and method based on quantum key encryption |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |