CN112235324B - Key management system, updating method and reading method based on KeyStore key tree - Google Patents
Key management system, updating method and reading method based on KeyStore key tree Download PDFInfo
- Publication number
- CN112235324B CN112235324B CN202011461506.4A CN202011461506A CN112235324B CN 112235324 B CN112235324 B CN 112235324B CN 202011461506 A CN202011461506 A CN 202011461506A CN 112235324 B CN112235324 B CN 112235324B
- Authority
- CN
- China
- Prior art keywords
- key
- node
- alias
- node key
- tree
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
- H04L9/0833—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
- H04L9/0836—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to the technical field of secret communication, in particular to a key management system based on a KeyStore key tree, a key updating method and a key reading method applied to the system, wherein the management system comprises the key tree, and the key tree comprises a plurality of key layers in a layered topological structure; each node key is correspondingly provided with a key identification name for identifying the node key, and the key identification name is recorded as a KeyName; naming the association name Alias of the child node key by adopting a mode of suffix of the association name Alias of the parent node key and the KeyName of the child node key to obtain the association name Alias of the child node key; where KeyPass = FUN for child node key (parent node key, Alias for child node key); where FUN represents a one-way function with the input parameters parent node key and the associated name Alias of the child node key. The invention facilitates management of the secret key.
Description
Technical Field
The invention relates to the technical field of secret communication, in particular to a key management system based on a KeyStore key tree, and a key updating method and a key reading method applied to the system.
Background
With the rapid development of the internet of things, more and more key security parameters (such as a key used by a terminal for access authentication, a private key used by an edge platform for identity recognition, and certificate information) of terminal equipment or an edge platform of the internet of things, user sensitive data, and the like need to be stored in a cloud service end of the internet of things for convenient management, so the cloud service end needs to provide management services of a key bank. Many times these key security parameters are often stored in the clear in the server database.
KeyStore is a key store file provided by Java, and is commonly used for encrypting a storage key at a cloud service end to prevent unauthorized access. Typically, the keys stored in this form include symmetric keys, or private keys that bind a chain of corresponding public key certificates. The idea is to encrypt the storage key by setting the associated mnemonic string Alias of the storage key and setting the KeyPass for protecting the key, so that all keys are stored in the KeyStore file independently and without association.
Currently, the key storage management of the cloud service side usually adopts database plaintext storage or KeyStore storage. Obviously, the security of the key cannot be ensured by adopting a database plaintext storage mode, on one hand, the database is dragged due to the fact that a benefit driver is possibly attacked by a hacker, on the other hand, the key is stored in the database in a plaintext form, and therefore, the possibility of ghost exists under the condition that internal developers and background maintenance and management personnel are greatly interested.
When the traditional KeyStore mode is used for storing and managing the keys, the key hierarchical management system cannot be embodied because the keys stored in the KeyStore have no correlation. Therefore, a plurality of corresponding KeyPass storage keys need to be set to protect the keys, and storage management of a large number of KeyPass storage keys needs to be assisted by a database, so that improvement is needed.
Disclosure of Invention
In view of the above, the present invention is directed to a key management system based on a KeyStore key tree.
In order to solve the technical problems, the technical scheme of the invention is as follows:
a key management system based on a KeyStore key tree comprises a key tree, wherein the key tree comprises a plurality of key layers in a layered topological structure;
each node key is correspondingly provided with a key identification name for identifying the node key, and the key identification name is recorded as a KeyName;
naming the association name Alias of the child node key by adopting a mode of suffix of the association name Alias of the parent node key and the KeyName of the child node key to obtain the association name Alias of the child node key;
where KeyPass = FUN for child node key (parent node key, Alias for child node key); where FUN represents a one-way function with the input parameters parent node key and the associated name Alias of the child node key.
Further, when naming the association name Alias of the child node key, if no parent node key exists or the parent node key is the root node key, then directly naming the association name Alias of the child node key by using the KeyName of the child node key.
Further, the FUN function adopts an HMAC or HASH function.
Further, the key tree includes the following layers of keys:
the master key is positioned at the highest layer of the whole key tree hierarchy;
the user key is positioned at the second layer of the whole key tree hierarchy, is encrypted and protected by the master key and is used for encrypting the subordinated branch node key;
the key encryption key is positioned on the third layer of the whole key tree hierarchy, is encrypted and protected by the user key on the upper layer and is used for encrypting the branch node key on the lower subordinate layer;
and the data key is positioned at the fourth layer of the whole key tree hierarchy, is encrypted and protected by the key at the upper layer of the key tree hierarchy, and is directly used for providing the key of the cryptographic operation for the user data.
The invention further provides a key reading method, which is applied to the key management system based on the KeyStore key tree and specifically comprises the following steps:
STP1, calculating to obtain a father node key according to KeyPass of the father node key and the Alias associated with the father node key;
STP2, calculating KeyPass of the child node key according to the parent node key obtained in the step STP1 and the Alias of the child node key;
STP3, the child node key is calculated from the KeyPass of the child node key obtained in step STP2 and the Alias of the child node key.
The invention further provides a key updating method, which is applied to the key management system based on the KeyStore key tree;
the method is used for correspondingly updating the lower-layer branch node keys corresponding to the node key when the current node key is updated, and specifically comprises the following steps:
s100, firstly, a system randomly generates a new secret key;
s200, traversing the lower-layer node key of the node key through the original key, and reading out a key plaintext;
s300, calculating KeyPass of the lower-layer node key by using the new key;
s400, re-encrypting and covering a storage key according to the KeyPass calculated in the step S300 and the Alias corresponding to the lower-layer node key;
s500, encrypting a new key by using the associated name Alias of the current node key and the KeyPass, and covering the original ciphertext of the current node key.
The invention further provides a key updating method, which is applied to the key management system based on the KeyStore key tree;
the method is used for updating the association name of the lower-layer branch node key corresponding to the node key when the association name Alias of the current node key is updated, and specifically comprises the following steps:
t100, reading all branch node keys taking the current node key as a root node key;
t200, correspondingly replacing the associated names Alias of all the branch node keys with the current node key as the root node key;
t300, recalculating KeyPass of all the branch node keys according to the updated associated names Alias of all the branch node keys;
t400, reading all corresponding branch node keys by using the updated associated names Alias of all branch node keys and the KeyPass calculated in the corresponding step T300, and re-executing key storage according to the hierarchical topological structure of the original key tree by using the step T100;
and T500, deleting all the key of all the branch node keys taking the original association name Alias as the root node key according to the original association name Alias of the current node key.
Compared with the prior art, the invention has the advantages that:
1. in the invention, a key tree type topological relation is formed among all key node keys stored in the KeyStore file, and a tree structure topological graph among the key node keys can be recovered through the Alias values of all the keys stored in the KeyStore file, thereby facilitating the key hierarchical management.
2. By means of a derivation method of a current node key KeyPass = FUN (parent node key, Alias of a child node key), it is possible to access all branch node keys taking the node key as a root node key through the node key, so that a database is not required to be established to record KeyPass of node keys of all layers of keys, and only KeyPass of the root node key is required to be recorded.
3. The two key updating methods provided by the invention can be applied to a key hierarchical management system of a subkey tree which takes any key node key as a root node key, thereby realizing multi-user key system management.
Drawings
FIG. 1 is a schematic diagram of KeyStore key storage;
FIG. 2 is a schematic diagram of KeyStore key reading;
FIG. 3 is a schematic diagram of a KeyStore key tree;
FIG. 4 is a table of Alias and KeyPass for KeyStore key tree node keys.
Detailed Description
The following detailed description of the embodiments of the present invention is provided in order to make the technical solution of the present invention easier to understand and understand.
For better illustration of the present invention, some terms and conceptual principles of the prior art will now be briefly described:
(1) concept of KeyStore
Is a key base file provided by Java, and the key stored by the KeyStore includes: symmetric keys, key material, private keys of a chain of bound certificates (e.g., a chain of x.509 certificates). When any Key is stored in the KeyStore file, an association name Alias with a unique Key is correspondingly set and used as the Key for storage or access, the Alias is usually a character string with no case distinction, and plaintext is stored in the KeyStore in an associated manner; and meanwhile, the KeyStore encrypts and protects the stored Key by setting one-to-one corresponding KeyPass.
(2) Keystore key storage
Fig. 1 is a schematic diagram of Key storage of a KeyStore, in which corresponding Key associated names Alias and KeyPass need to be set when storing a Key, and a KeyStore file stores Alias plaintext and Key ciphertext after encryption protection; all storage keys are queried for associated Alias through the KeyStore file.
(3) Keystore key reading
Fig. 2 is a schematic diagram of Key store Key reading, which is used for reading the Key. When reading, the user needs to provide Alias and KeyPass corresponding to the secret Key, and the KeyStore decrypts and verifies the secret Key according to the parameters provided by the user to recover the original secret Key. If the provided Alias does not match the KeyPass, the original key will not be recovered.
KeyStore management may be implemented according to the key storage and reading system KeyStore above, but there is no association between the stored keys.
The following is a detailed description of specific embodiments of the present invention:
example 1:
referring to fig. 1, the present embodiment provides a key management system based on a KeyStore key tree, including a key tree, where the key tree includes a plurality of key layers in a hierarchical topology, specifically, as shown in fig. 3:
the key tree includes the following layers of keys:
the master key is marked as MasterKey and is positioned at the highest layer of the whole key tree hierarchy;
the user key is marked as UserKey, is positioned at the second layer of the whole key tree hierarchy, is encrypted and protected by the main key and is used for encrypting the subordinated branch node key; the layer of keys can be distributed to cloud users or background management personnel and maintenance personnel with different permission levels by the cloud service system. If the layer contains multiple User keys, they are respectively denoted as User1_ Key, User2_ Key, and User3_ Key ….
The key encryption key is marked as KEK, is positioned at the third layer of the whole key tree hierarchy, is encrypted and protected by the user key at the upper layer and is used for encrypting the branch node key at the lower layer; if the layer includes multiple key encryption keys, they are respectively identified as KEK1, KEK2, and KEK3 ….
The data key is marked as a DataKey, is positioned at the fourth layer of the whole key tree hierarchy, is encrypted and protected by the key at the upper layer and is directly used for providing a key for cryptographic operation for user data; if the layer contains a plurality of data keys, they are respectively denoted as DataKey1, DataKey2, DataKey3 ….
In this embodiment, each node key is correspondingly provided with a key identification name for identifying the node key, and the key identification name is recorded as KeyName;
the associated name Alias of the child node key is named in a mode that the associated name Alias of the parent node key is suffixed with the KeyName of the child node key, so that the associated name Alias of the child node key is obtained, and the uniqueness of the associated name Alias is required during naming.
For example, the following is used for naming:
the associated name Alias of the child node key is 'farmalias: KeyName', wherein the farmalias represents the associated name Alias of the parent node key; the KeyName is a key identification name that identifies the child node key. The FatherAlias and SelfAlias are connected in:', although other ways may be used for connection, and are not limited herein.
When naming the association name Alias of the child node key, if the parent node key is absent or the parent node key is the root node key, the association name Alias of the child node key can omit Fatheralias and ": namely directly adopt KeyName.
As shown in fig. 4, the node keys are named according to the above naming method:
1. because one KeyStore file only has one master key MasterKey, the invention stipulates that the associated name Alias corresponding to the MasterKey is 'MasterKey'.
2. For the second layer User Key layer, taking User1_ Key as an example, the corresponding associated name Alias is 'MasterKey: User1_ Key', abbreviated as 'User 1_ Key', because the parent node Key MasterKey can be omitted and is not marked;
3. a Key encryption Key layer, taking KEK1 as an example, wherein the corresponding association name Alias is 'User 2_ Key: KEK 1', wherein 'User 2_ Key' is the Alias of the parent node Key User2_ Key;
4. the data Key layer takes DataKey3 as an example, and the corresponding Alias can be expressed as 'User 2_ Key: KEK1: DataKey 3', wherein 'User 2_ Key: KEK 1' is the Alias associated with the node Key of its parent node Key KEK1, and 'User 2_ Key' is the Alias associated with the node Key of the parent node Key User2_ Key of KEK 1;
the key naming of the keys of other nodes is shown in the table of fig. 4, and is not specifically expanded here.
In the present embodiment, KeyPass = FUN (parent node key, Alias associated with child node key) of the child node key; where FUN represents a one-way function with the input parameters parent node key and the associated name Alias of the child node key.
For example, the parent node Key of a node Key (child node Key) in the KeyStore is a farmerkey, the Alias of the parent node Key is a "farmerkey", and the association name Alias of the node Key is a "farmeralias: KeyName".
Then the KeyPass of the node Key satisfies: KeyPass = FUN (fantherkey, "fantheralias: KeyName"), where FUN (Key, Alias) represents a one-way function with input parameters Key and associated name Alias, and typically may employ HMAC, HASH, or similar cryptographically secure algorithm combining functions.
According to the above formula, KeyPass of the node keys of each layer can be obtained, which is specifically shown in fig. 1.
Based on the above scheme, this embodiment provides a key reading method, which specifically includes the following steps:
STP1, calculating to obtain a father node key according to KeyPass of the father node key and the Alias associated with the father node key;
STP2, calculating KeyPass of the child node key according to the parent node key obtained in the step STP1 and the Alias of the child node key;
STP3, the child node key is calculated from the KeyPass of the child node key obtained in step STP2 and the Alias of the child node key.
As can be seen from the above steps, as long as a certain node key KeyPass is known, all branch node keys with the node key as a root node key can be read, and for understanding, a specific key reading manner is given below:
assuming that the KeyPass of the node Key User2_ Key is known and the node Key of the target Key needs to be read as DataKey3, the recursive steps of reading are as follows:
since Alias = "User 2_ Key: KEK1: DataKey 3" of DataKey3 and KeyPass = FUN (KEK1, "User 2_ Key: KEK1: DataKey 3"), the node Key DataKey3 is read according to the method shown in fig. 2.
However, in the above formula, the KEK1 still belongs to an unknown parameter due to the parent node key of DataKey 3. At this time, with Alias = "User 2_ Key: KEK 1" of the node Key KEK1, KeyPass = FUN (User2_ Key, "User 2_ Key: KEK 1"), the node Key KEK1 can be read according to the method shown in fig. 2.
For the parent node Key User2_ Key of KEK1, when KeyPass of the node Key User2_ Key is known, Alias = "User 2_ Key", the node Key User2_ Key can be read according to the method shown in fig. 2.
Through the above recursive steps, the reading of the node key DataKey3 can be completed.
Example 2:
the present embodiment provides a key updating method, which is applied to the key management system based on the KeyStore key tree described in embodiment 1;
the method is used for correspondingly updating the lower-layer branch node keys corresponding to the current node key when the current node key is updated, and specifically comprises the following steps:
s100, firstly, a system randomly generates a new secret key;
s200, traversing the lower-layer node key of the node key through the original key, and reading out a key plaintext;
s300, calculating KeyPass of the lower-layer node key by using the new key;
s400, re-encrypting and covering a storage key according to the KeyPass calculated in the step S300 and the Alias corresponding to the lower-layer node key;
s500, encrypting a new key by using the associated name Alias of the current node key and the KeyPass, and covering the original ciphertext of the current node key.
In order to understand the above updating method more clearly, taking the node Key User2_ Key as an example, assuming that the User2_ Key is known or the KeyPass corresponding to the User Key is known, if the Key is updated, the node Key User2_ Key and the branch node keys KEK1 and KEK2 both need to be updated, and the updating steps are as follows:
the first step is as follows: firstly, the system randomly generates a new key User2_ NewKey;
the second step is that: traversing Key node Key lower-layer node keys KEK1 and KEK2 through an original Key User2_ Key and reading out a Key plaintext;
the third step: the new key User2_ NewKey is used for calculating the KeyPass of the lower-layer node keys KEK1 and KEK 2;
fourthly, the newly calculated KeyPass and respective Alias are re-encrypted and covered with the storage keys KEK1 and KEK2 according to the node keys KEK1 and KEK 2;
step five, encrypt the new Key User2_ NewKey and overwrite the original User2_ Key ciphertext with Alias and KeyPass of the User2_ Key.
Example 3
As there are two cases when updating the key, the first case is the case of embodiment 2 (updating the key hierarchy brought by updating the node key); the second is the key hierarchy update brought by the Alias of the node key
Therefore, the present embodiment provides a key update method for the second scenario, which is applied to the key management system based on the KeyStore key tree described in embodiment 1.
The method is mainly used for updating the associated name Alias of the lower-layer branch node key corresponding to the node key when the associated name Alias of the current node key is updated, and specifically comprises the following steps:
t100, reading all branch node keys taking the current node key as a root node key;
t200, correspondingly replacing the associated names Alias of all the branch node keys with the current node key as the root node key;
t300, recalculating KeyPass of all the branch node keys according to the updated associated names Alias of all the branch node keys;
t400, utilizing the updated associated names Alias of all the branch node keys and the KeyPass calculated in the corresponding step T300, and utilizing the step T100 to read all the corresponding branch node keys and re-execute key storage according to the hierarchical topological structure of the original key tree;
and T500, deleting all the key of all the branch node keys taking the original association name Alias as the root node key according to the original association name Alias of the current node key.
For a clearer understanding of the present embodiment, the following takes the node Key User2_ Key as an example, and assumes that KeyPass corresponding to the User2_ Key is known, and if its Alias is changed from "User 2_ Key" to "User 2_ Key _ Alias", the updating steps of the node Key and all the branch node keys using it as the root node Key are as follows:
firstly, since it is known that KeyPass corresponding to User2_ Key and Alias = "User 2_ Key", all tree node keys using Key node Key User2_ Key as root node Key can be read by using the Key reading method provided by the present invention;
secondly, replacing a 'User 2_ Key' field in Alias of all branch node keys under an original node Key User2_ Key with 'User 2_ Key _ Alias', for example, the Alias of a node Key KEK1 is changed from 'User 2_ Key: KEK 1' to 'User 2_ Key _ Alias: KEK 1';
and thirdly, recalculating the KeyPass of all the branch node keys according to the updated Alias of all the branch node keys. A KeyPass, such as the Key node Key KEK1, will be changed from FUN (User2_ Key, "User 2_ Key: KEK 1") to FUN (User2_ Key, "User 2_ Key _ Alias: KEK 1");
fourthly, utilizing all the Alias and KeyPass updated by the node keys of the branch keys to read all the corresponding tree node keys in the first step and re-execute key storage according to the original tree topology;
and fifthly, deleting keys for original association names Alias = 'User 2_ Key' of the User2_ Key (all node keys on the tree topology structure taking the User2_ Key as the root node Key are deleted).
The original KeyStore key deletion can delete the content of the key according to the Alias of the key without influencing other keys, however, because the invention adopts the tree structure to store the key, a certain incidence relation exists between the keys. Therefore, when a node key is deleted, all the branch node key data using the node key as the root node key are actually discarded, because the KeyPass corresponding to the branch node keys cannot be recovered. Therefore, the key deletion proposed by the invention is tree key deletion, namely deleting the key node key and all tree branch key node keys taking the node key as a root node key, thereby preventing the key tree from having dead fork.
Example 4
The present embodiment provides a key storage method based on embodiment 1, which is applied to the key management system based on the KeyStore key tree described in embodiment 1; the key storage mainly comprises storage of data keys and storage of other key layer keys, wherein the other key layer keys are randomly generated by a key management system when the KeyStore is established, and are stored in a KeyStore file based on Alias and KeyPass encryption of the keys. According to the key hierarchy, a bottom root node key master key is firstly constructed, then the bottom root node key master key is constructed layer by layer from the top layer until the storage of all leaf node key data keys is finally realized, the storage principle is consistent with that of fig. 1, and the Alias and the KeyPass of each node key are shown in fig. 4.
In a general KeyStore file, the correlation names Alias between keys are independent; in the invention, however:
the child node keys are associated with the Alias of the parent node key, so that a key tree type topological relation can be formed among all the node keys stored in the KeyStore file, and a tree structure topological graph among the node keys can be restored through the Alias values of all the keys stored in the KeyStore, so that key hierarchical management is facilitated.
Moreover, a method for deriving the key node key by adopting the KeyPass = FUN (parent node key, Alias of the child node key) of the child node key is provided, so that all branch key node keys taking the node key as a root node key can be accessed through the key node key, and thus, a database does not need to be established to record the KeyPass of the key node keys of all layers, and only the KeyPass of the root node key need to be recorded.
Sharing or authorizing a certain sub-key tree to a user management is technically easy to realize through a recursive key reading system, because if a certain node key KeyPass is known, all branch node keys taking the node key as a root node key can be read, updated or even deleted.
The flexible management system for key storage, key updating, key reading, key deletion and the like provided by the invention is suitable for a key hierarchical management system of a subkey tree taking any key node key as a root node key, so that multi-user key system management can be realized.
The tree-type key deleting mechanism provided by the key deletion enables the key deletion to be more thorough, and meanwhile, the condition that the key tree is divided into dead branches is avoided.
The above are only typical examples of the present invention, and besides, the present invention may have other embodiments, and all technical solutions formed by equivalent substitutions or equivalent transformations fall within the scope of the present invention.
Claims (7)
1. A key management system based on a KeyStore key tree, comprising a key tree, characterized in that:
the key tree comprises a plurality of key layers in a layered topological structure;
each node key is correspondingly provided with a key identification name for identifying the node key, and the key identification name is recorded as a KeyName;
naming the association name Alias of the child node key by adopting a mode of suffix of the association name Alias of the parent node key and the KeyName of the child node key to obtain the association name Alias of the child node key;
where KeyPass = FUN for child node key (parent node key, Alias for child node key); where FUN represents a one-way function with the input parameters parent node key and the associated name Alias of the child node key.
2. A key management system based on a KeyStore key tree according to claim 1, wherein: when naming the association name Alias of the child node key, if the parent node key does not exist or is the root node key, then directly naming the association name Alias of the child node key by using the KeyName of the child node key.
3. A key management system based on a KeyStore key tree according to claim 2, wherein: the FUN function adopts HMAC or HASH function.
4. A key management system based on a KeyStore key tree according to claim 1, wherein: the key tree includes the following layers of keys:
the master key is positioned at the highest layer of the whole key tree hierarchy;
the user key is positioned at the second layer of the whole key tree hierarchy, is encrypted and protected by the master key and is used for encrypting the subordinated branch node key;
the key encryption key is positioned on the third layer of the whole key tree hierarchy, is encrypted and protected by the user key on the upper layer and is used for encrypting the branch node key on the lower subordinate layer;
and the data key is positioned at the fourth layer of the whole key tree hierarchy, is encrypted and protected by the key at the upper layer of the key tree hierarchy, and is directly used for providing the key of the cryptographic operation for the user data.
5. A method of key reading, characterized by: the KeyStore key tree-based key management system applied to any one of claims 1 to 4, specifically comprising the following steps:
STP1, calculating to obtain a father node key according to KeyPass of the father node key and the Alias associated with the father node key;
STP2, calculating KeyPass of the child node key according to the parent node key obtained in the step STP1 and the Alias of the child node key;
STP3, the child node key is calculated from the KeyPass of the child node key obtained in step STP2 and the Alias of the child node key.
6. A method of updating a key, characterized by: applied to a KeyStore key tree based key management system as claimed in any one of claims 1-4;
the method is used for correspondingly updating the lower-layer branch node keys corresponding to the node key when the current node key is updated, and specifically comprises the following steps:
s100, firstly, a system randomly generates a new secret key;
s200, traversing the lower-layer node key of the node key through the original key, and reading out a key plaintext;
s300, calculating KeyPass of the lower-layer node key by using the new key;
s400, re-encrypting and covering the storage key according to the KeyPass obtained by calculation in the step S300 and the Alias corresponding to the lower-layer node key;
s500, encrypting a new key by using the associated name Alias of the current node key and the KeyPass, and covering the original ciphertext of the current node key.
7. A method of updating a key, characterized by: applied to a KeyStore key tree based key management system as claimed in any one of claims 1-4;
the method is used for updating the association name of the lower-layer branch node key corresponding to the node key when the association name Alias of the current node key is updated, and specifically comprises the following steps:
t100, reading all branch node keys taking the current node key as a root node key;
t200, correspondingly replacing the associated names Alias of all the branch node keys with the current node key as the root node key;
t300, recalculating KeyPass of all the branch node keys according to the updated associated names Alias of all the branch node keys;
t400, reading all corresponding branch node keys by using the updated associated names Alias of all branch node keys and the KeyPass calculated in the corresponding step T300, and re-executing key storage according to the hierarchical topological structure of the original key tree by using the step T100;
and T500, deleting all the key of all the branch node keys taking the original association name Alias as the root node key according to the original association name Alias of the current node key.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011461506.4A CN112235324B (en) | 2020-12-14 | 2020-12-14 | Key management system, updating method and reading method based on KeyStore key tree |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011461506.4A CN112235324B (en) | 2020-12-14 | 2020-12-14 | Key management system, updating method and reading method based on KeyStore key tree |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112235324A CN112235324A (en) | 2021-01-15 |
CN112235324B true CN112235324B (en) | 2021-03-02 |
Family
ID=74124481
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011461506.4A Active CN112235324B (en) | 2020-12-14 | 2020-12-14 | Key management system, updating method and reading method based on KeyStore key tree |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112235324B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112600944B (en) * | 2021-03-02 | 2021-05-25 | 杭州字节信息技术有限公司 | Differential cloud storage method and system suitable for time sequence data of Internet of things |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1540914A (en) * | 2003-04-22 | 2004-10-27 | �Ҵ���˾ | Layered cryption key generating method and device for digital resources |
CN101557587A (en) * | 2009-04-08 | 2009-10-14 | 哈尔滨工程大学 | Management method of hierarchical tree key in wireless sensor network (WSN) |
CN103530578A (en) * | 2013-10-18 | 2014-01-22 | 武汉大学 | Method for constructing STPM of android system |
CN110268394A (en) * | 2017-02-09 | 2019-09-20 | 美光科技公司 | KVS tree |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9116939B2 (en) * | 2012-09-06 | 2015-08-25 | Empire Technology Development Llc | Tree comparison to manage progressive data store switchover with assured performance |
US9208335B2 (en) * | 2013-09-17 | 2015-12-08 | Auburn University | Space-time separated and jointly evolving relationship-based network access and data protection system |
US11349655B2 (en) * | 2018-10-05 | 2022-05-31 | Oracle International Corporation | System and method for a distributed keystore |
-
2020
- 2020-12-14 CN CN202011461506.4A patent/CN112235324B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1540914A (en) * | 2003-04-22 | 2004-10-27 | �Ҵ���˾ | Layered cryption key generating method and device for digital resources |
CN101557587A (en) * | 2009-04-08 | 2009-10-14 | 哈尔滨工程大学 | Management method of hierarchical tree key in wireless sensor network (WSN) |
CN103530578A (en) * | 2013-10-18 | 2014-01-22 | 武汉大学 | Method for constructing STPM of android system |
CN110268394A (en) * | 2017-02-09 | 2019-09-20 | 美光科技公司 | KVS tree |
Also Published As
Publication number | Publication date |
---|---|
CN112235324A (en) | 2021-01-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10803194B2 (en) | System and a method for management of confidential data | |
KR102025409B1 (en) | Data access management system based on blockchain and method thereof | |
US8752196B2 (en) | Protecting privacy of shared personal information | |
US8059818B2 (en) | Accessing protected data on network storage from multiple devices | |
CN108768951B (en) | Data encryption and retrieval method for protecting file privacy in cloud environment | |
ES2848030T3 (en) | Server and method for safe and economical data exchange | |
CN103731395B (en) | The processing method and system of file | |
US20110085664A1 (en) | Systems and methods for managing multiple keys for file encryption and decryption | |
CN102571329B (en) | Password key management | |
US20100098246A1 (en) | Smart card based encryption key and password generation and management | |
US9485090B2 (en) | Managed authentication on a distributed network | |
CN108632385B (en) | Time sequence-based cloud storage privacy protection method for multi-branch tree data index structure | |
Mo et al. | Two-party fine-grained assured deletion of outsourced data in cloud systems | |
US11646872B2 (en) | Management of access authorization using an immutable ledger | |
CN107294701B (en) | Multidimensional ciphertext interval query device and method with efficient key management | |
CN116668072A (en) | Data security sharing method and system based on multi-authority attribute base encryption | |
JP2002111659A (en) | File encryption system, file encryption program and storage medium having recorded data | |
CN112235324B (en) | Key management system, updating method and reading method based on KeyStore key tree | |
US20220020019A1 (en) | Smart Contract-Based Electronic Contract Forensics Method and System | |
CN105553661B (en) | Key management method and device | |
CN108259606B (en) | Cloud computing public cloud file storage and retrieval method | |
CN108763944A (en) | Multicenter large attribute Domain Properties base encryption method can be revoked safely in calculating in mist | |
CN108494724A (en) | Cloud storage encryption system based on more authorized organization's encryption attribute algorithms and method | |
CN116611083A (en) | Medical data sharing method and system | |
CN114168703A (en) | Group encrypted data retrieval method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: A key management system, updating method and reading method based on KeyStore key tree Effective date of registration: 20221121 Granted publication date: 20210302 Pledgee: Zhejiang Fuyang Rural Commercial Bank Co.,Ltd. Jinqiao sub branch Pledgor: HANGZHOU BYTE INFORMATION TECHNOLOGY Co.,Ltd. Registration number: Y2022980022579 |
|
PE01 | Entry into force of the registration of the contract for pledge of patent right |