CN112235324B - Key management system, updating method and reading method based on KeyStore key tree - Google Patents

Key management system, updating method and reading method based on KeyStore key tree Download PDF

Info

Publication number
CN112235324B
CN112235324B CN202011461506.4A CN202011461506A CN112235324B CN 112235324 B CN112235324 B CN 112235324B CN 202011461506 A CN202011461506 A CN 202011461506A CN 112235324 B CN112235324 B CN 112235324B
Authority
CN
China
Prior art keywords
key
node
alias
node key
tree
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011461506.4A
Other languages
Chinese (zh)
Other versions
CN112235324A (en
Inventor
刘志强
毛伟信
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Byte Information Technology Co ltd
Original Assignee
Hangzhou Byte Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Byte Information Technology Co ltd filed Critical Hangzhou Byte Information Technology Co ltd
Priority to CN202011461506.4A priority Critical patent/CN112235324B/en
Publication of CN112235324A publication Critical patent/CN112235324A/en
Application granted granted Critical
Publication of CN112235324B publication Critical patent/CN112235324B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L9/0836Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of secret communication, in particular to a key management system based on a KeyStore key tree, a key updating method and a key reading method applied to the system, wherein the management system comprises the key tree, and the key tree comprises a plurality of key layers in a layered topological structure; each node key is correspondingly provided with a key identification name for identifying the node key, and the key identification name is recorded as a KeyName; naming the association name Alias of the child node key by adopting a mode of suffix of the association name Alias of the parent node key and the KeyName of the child node key to obtain the association name Alias of the child node key; where KeyPass = FUN for child node key (parent node key, Alias for child node key); where FUN represents a one-way function with the input parameters parent node key and the associated name Alias of the child node key. The invention facilitates management of the secret key.

Description

Key management system, updating method and reading method based on KeyStore key tree
Technical Field
The invention relates to the technical field of secret communication, in particular to a key management system based on a KeyStore key tree, and a key updating method and a key reading method applied to the system.
Background
With the rapid development of the internet of things, more and more key security parameters (such as a key used by a terminal for access authentication, a private key used by an edge platform for identity recognition, and certificate information) of terminal equipment or an edge platform of the internet of things, user sensitive data, and the like need to be stored in a cloud service end of the internet of things for convenient management, so the cloud service end needs to provide management services of a key bank. Many times these key security parameters are often stored in the clear in the server database.
KeyStore is a key store file provided by Java, and is commonly used for encrypting a storage key at a cloud service end to prevent unauthorized access. Typically, the keys stored in this form include symmetric keys, or private keys that bind a chain of corresponding public key certificates. The idea is to encrypt the storage key by setting the associated mnemonic string Alias of the storage key and setting the KeyPass for protecting the key, so that all keys are stored in the KeyStore file independently and without association.
Currently, the key storage management of the cloud service side usually adopts database plaintext storage or KeyStore storage. Obviously, the security of the key cannot be ensured by adopting a database plaintext storage mode, on one hand, the database is dragged due to the fact that a benefit driver is possibly attacked by a hacker, on the other hand, the key is stored in the database in a plaintext form, and therefore, the possibility of ghost exists under the condition that internal developers and background maintenance and management personnel are greatly interested.
When the traditional KeyStore mode is used for storing and managing the keys, the key hierarchical management system cannot be embodied because the keys stored in the KeyStore have no correlation. Therefore, a plurality of corresponding KeyPass storage keys need to be set to protect the keys, and storage management of a large number of KeyPass storage keys needs to be assisted by a database, so that improvement is needed.
Disclosure of Invention
In view of the above, the present invention is directed to a key management system based on a KeyStore key tree.
In order to solve the technical problems, the technical scheme of the invention is as follows:
a key management system based on a KeyStore key tree comprises a key tree, wherein the key tree comprises a plurality of key layers in a layered topological structure;
each node key is correspondingly provided with a key identification name for identifying the node key, and the key identification name is recorded as a KeyName;
naming the association name Alias of the child node key by adopting a mode of suffix of the association name Alias of the parent node key and the KeyName of the child node key to obtain the association name Alias of the child node key;
where KeyPass = FUN for child node key (parent node key, Alias for child node key); where FUN represents a one-way function with the input parameters parent node key and the associated name Alias of the child node key.
Further, when naming the association name Alias of the child node key, if no parent node key exists or the parent node key is the root node key, then directly naming the association name Alias of the child node key by using the KeyName of the child node key.
Further, the FUN function adopts an HMAC or HASH function.
Further, the key tree includes the following layers of keys:
the master key is positioned at the highest layer of the whole key tree hierarchy;
the user key is positioned at the second layer of the whole key tree hierarchy, is encrypted and protected by the master key and is used for encrypting the subordinated branch node key;
the key encryption key is positioned on the third layer of the whole key tree hierarchy, is encrypted and protected by the user key on the upper layer and is used for encrypting the branch node key on the lower subordinate layer;
and the data key is positioned at the fourth layer of the whole key tree hierarchy, is encrypted and protected by the key at the upper layer of the key tree hierarchy, and is directly used for providing the key of the cryptographic operation for the user data.
The invention further provides a key reading method, which is applied to the key management system based on the KeyStore key tree and specifically comprises the following steps:
STP1, calculating to obtain a father node key according to KeyPass of the father node key and the Alias associated with the father node key;
STP2, calculating KeyPass of the child node key according to the parent node key obtained in the step STP1 and the Alias of the child node key;
STP3, the child node key is calculated from the KeyPass of the child node key obtained in step STP2 and the Alias of the child node key.
The invention further provides a key updating method, which is applied to the key management system based on the KeyStore key tree;
the method is used for correspondingly updating the lower-layer branch node keys corresponding to the node key when the current node key is updated, and specifically comprises the following steps:
s100, firstly, a system randomly generates a new secret key;
s200, traversing the lower-layer node key of the node key through the original key, and reading out a key plaintext;
s300, calculating KeyPass of the lower-layer node key by using the new key;
s400, re-encrypting and covering a storage key according to the KeyPass calculated in the step S300 and the Alias corresponding to the lower-layer node key;
s500, encrypting a new key by using the associated name Alias of the current node key and the KeyPass, and covering the original ciphertext of the current node key.
The invention further provides a key updating method, which is applied to the key management system based on the KeyStore key tree;
the method is used for updating the association name of the lower-layer branch node key corresponding to the node key when the association name Alias of the current node key is updated, and specifically comprises the following steps:
t100, reading all branch node keys taking the current node key as a root node key;
t200, correspondingly replacing the associated names Alias of all the branch node keys with the current node key as the root node key;
t300, recalculating KeyPass of all the branch node keys according to the updated associated names Alias of all the branch node keys;
t400, reading all corresponding branch node keys by using the updated associated names Alias of all branch node keys and the KeyPass calculated in the corresponding step T300, and re-executing key storage according to the hierarchical topological structure of the original key tree by using the step T100;
and T500, deleting all the key of all the branch node keys taking the original association name Alias as the root node key according to the original association name Alias of the current node key.
Compared with the prior art, the invention has the advantages that:
1. in the invention, a key tree type topological relation is formed among all key node keys stored in the KeyStore file, and a tree structure topological graph among the key node keys can be recovered through the Alias values of all the keys stored in the KeyStore file, thereby facilitating the key hierarchical management.
2. By means of a derivation method of a current node key KeyPass = FUN (parent node key, Alias of a child node key), it is possible to access all branch node keys taking the node key as a root node key through the node key, so that a database is not required to be established to record KeyPass of node keys of all layers of keys, and only KeyPass of the root node key is required to be recorded.
3. The two key updating methods provided by the invention can be applied to a key hierarchical management system of a subkey tree which takes any key node key as a root node key, thereby realizing multi-user key system management.
Drawings
FIG. 1 is a schematic diagram of KeyStore key storage;
FIG. 2 is a schematic diagram of KeyStore key reading;
FIG. 3 is a schematic diagram of a KeyStore key tree;
FIG. 4 is a table of Alias and KeyPass for KeyStore key tree node keys.
Detailed Description
The following detailed description of the embodiments of the present invention is provided in order to make the technical solution of the present invention easier to understand and understand.
For better illustration of the present invention, some terms and conceptual principles of the prior art will now be briefly described:
(1) concept of KeyStore
Is a key base file provided by Java, and the key stored by the KeyStore includes: symmetric keys, key material, private keys of a chain of bound certificates (e.g., a chain of x.509 certificates). When any Key is stored in the KeyStore file, an association name Alias with a unique Key is correspondingly set and used as the Key for storage or access, the Alias is usually a character string with no case distinction, and plaintext is stored in the KeyStore in an associated manner; and meanwhile, the KeyStore encrypts and protects the stored Key by setting one-to-one corresponding KeyPass.
(2) Keystore key storage
Fig. 1 is a schematic diagram of Key storage of a KeyStore, in which corresponding Key associated names Alias and KeyPass need to be set when storing a Key, and a KeyStore file stores Alias plaintext and Key ciphertext after encryption protection; all storage keys are queried for associated Alias through the KeyStore file.
(3) Keystore key reading
Fig. 2 is a schematic diagram of Key store Key reading, which is used for reading the Key. When reading, the user needs to provide Alias and KeyPass corresponding to the secret Key, and the KeyStore decrypts and verifies the secret Key according to the parameters provided by the user to recover the original secret Key. If the provided Alias does not match the KeyPass, the original key will not be recovered.
KeyStore management may be implemented according to the key storage and reading system KeyStore above, but there is no association between the stored keys.
The following is a detailed description of specific embodiments of the present invention:
example 1:
referring to fig. 1, the present embodiment provides a key management system based on a KeyStore key tree, including a key tree, where the key tree includes a plurality of key layers in a hierarchical topology, specifically, as shown in fig. 3:
the key tree includes the following layers of keys:
the master key is marked as MasterKey and is positioned at the highest layer of the whole key tree hierarchy;
the user key is marked as UserKey, is positioned at the second layer of the whole key tree hierarchy, is encrypted and protected by the main key and is used for encrypting the subordinated branch node key; the layer of keys can be distributed to cloud users or background management personnel and maintenance personnel with different permission levels by the cloud service system. If the layer contains multiple User keys, they are respectively denoted as User1_ Key, User2_ Key, and User3_ Key ….
The key encryption key is marked as KEK, is positioned at the third layer of the whole key tree hierarchy, is encrypted and protected by the user key at the upper layer and is used for encrypting the branch node key at the lower layer; if the layer includes multiple key encryption keys, they are respectively identified as KEK1, KEK2, and KEK3 ….
The data key is marked as a DataKey, is positioned at the fourth layer of the whole key tree hierarchy, is encrypted and protected by the key at the upper layer and is directly used for providing a key for cryptographic operation for user data; if the layer contains a plurality of data keys, they are respectively denoted as DataKey1, DataKey2, DataKey3 ….
In this embodiment, each node key is correspondingly provided with a key identification name for identifying the node key, and the key identification name is recorded as KeyName;
the associated name Alias of the child node key is named in a mode that the associated name Alias of the parent node key is suffixed with the KeyName of the child node key, so that the associated name Alias of the child node key is obtained, and the uniqueness of the associated name Alias is required during naming.
For example, the following is used for naming:
the associated name Alias of the child node key is 'farmalias: KeyName', wherein the farmalias represents the associated name Alias of the parent node key; the KeyName is a key identification name that identifies the child node key. The FatherAlias and SelfAlias are connected in:', although other ways may be used for connection, and are not limited herein.
When naming the association name Alias of the child node key, if the parent node key is absent or the parent node key is the root node key, the association name Alias of the child node key can omit Fatheralias and ": namely directly adopt KeyName.
As shown in fig. 4, the node keys are named according to the above naming method:
1. because one KeyStore file only has one master key MasterKey, the invention stipulates that the associated name Alias corresponding to the MasterKey is 'MasterKey'.
2. For the second layer User Key layer, taking User1_ Key as an example, the corresponding associated name Alias is 'MasterKey: User1_ Key', abbreviated as 'User 1_ Key', because the parent node Key MasterKey can be omitted and is not marked;
3. a Key encryption Key layer, taking KEK1 as an example, wherein the corresponding association name Alias is 'User 2_ Key: KEK 1', wherein 'User 2_ Key' is the Alias of the parent node Key User2_ Key;
4. the data Key layer takes DataKey3 as an example, and the corresponding Alias can be expressed as 'User 2_ Key: KEK1: DataKey 3', wherein 'User 2_ Key: KEK 1' is the Alias associated with the node Key of its parent node Key KEK1, and 'User 2_ Key' is the Alias associated with the node Key of the parent node Key User2_ Key of KEK 1;
the key naming of the keys of other nodes is shown in the table of fig. 4, and is not specifically expanded here.
In the present embodiment, KeyPass = FUN (parent node key, Alias associated with child node key) of the child node key; where FUN represents a one-way function with the input parameters parent node key and the associated name Alias of the child node key.
For example, the parent node Key of a node Key (child node Key) in the KeyStore is a farmerkey, the Alias of the parent node Key is a "farmerkey", and the association name Alias of the node Key is a "farmeralias: KeyName".
Then the KeyPass of the node Key satisfies: KeyPass = FUN (fantherkey, "fantheralias: KeyName"), where FUN (Key, Alias) represents a one-way function with input parameters Key and associated name Alias, and typically may employ HMAC, HASH, or similar cryptographically secure algorithm combining functions.
According to the above formula, KeyPass of the node keys of each layer can be obtained, which is specifically shown in fig. 1.
Based on the above scheme, this embodiment provides a key reading method, which specifically includes the following steps:
STP1, calculating to obtain a father node key according to KeyPass of the father node key and the Alias associated with the father node key;
STP2, calculating KeyPass of the child node key according to the parent node key obtained in the step STP1 and the Alias of the child node key;
STP3, the child node key is calculated from the KeyPass of the child node key obtained in step STP2 and the Alias of the child node key.
As can be seen from the above steps, as long as a certain node key KeyPass is known, all branch node keys with the node key as a root node key can be read, and for understanding, a specific key reading manner is given below:
assuming that the KeyPass of the node Key User2_ Key is known and the node Key of the target Key needs to be read as DataKey3, the recursive steps of reading are as follows:
since Alias = "User 2_ Key: KEK1: DataKey 3" of DataKey3 and KeyPass = FUN (KEK1, "User 2_ Key: KEK1: DataKey 3"), the node Key DataKey3 is read according to the method shown in fig. 2.
However, in the above formula, the KEK1 still belongs to an unknown parameter due to the parent node key of DataKey 3. At this time, with Alias = "User 2_ Key: KEK 1" of the node Key KEK1, KeyPass = FUN (User2_ Key, "User 2_ Key: KEK 1"), the node Key KEK1 can be read according to the method shown in fig. 2.
For the parent node Key User2_ Key of KEK1, when KeyPass of the node Key User2_ Key is known, Alias = "User 2_ Key", the node Key User2_ Key can be read according to the method shown in fig. 2.
Through the above recursive steps, the reading of the node key DataKey3 can be completed.
Example 2:
the present embodiment provides a key updating method, which is applied to the key management system based on the KeyStore key tree described in embodiment 1;
the method is used for correspondingly updating the lower-layer branch node keys corresponding to the current node key when the current node key is updated, and specifically comprises the following steps:
s100, firstly, a system randomly generates a new secret key;
s200, traversing the lower-layer node key of the node key through the original key, and reading out a key plaintext;
s300, calculating KeyPass of the lower-layer node key by using the new key;
s400, re-encrypting and covering a storage key according to the KeyPass calculated in the step S300 and the Alias corresponding to the lower-layer node key;
s500, encrypting a new key by using the associated name Alias of the current node key and the KeyPass, and covering the original ciphertext of the current node key.
In order to understand the above updating method more clearly, taking the node Key User2_ Key as an example, assuming that the User2_ Key is known or the KeyPass corresponding to the User Key is known, if the Key is updated, the node Key User2_ Key and the branch node keys KEK1 and KEK2 both need to be updated, and the updating steps are as follows:
the first step is as follows: firstly, the system randomly generates a new key User2_ NewKey;
the second step is that: traversing Key node Key lower-layer node keys KEK1 and KEK2 through an original Key User2_ Key and reading out a Key plaintext;
the third step: the new key User2_ NewKey is used for calculating the KeyPass of the lower-layer node keys KEK1 and KEK 2;
fourthly, the newly calculated KeyPass and respective Alias are re-encrypted and covered with the storage keys KEK1 and KEK2 according to the node keys KEK1 and KEK 2;
step five, encrypt the new Key User2_ NewKey and overwrite the original User2_ Key ciphertext with Alias and KeyPass of the User2_ Key.
Example 3
As there are two cases when updating the key, the first case is the case of embodiment 2 (updating the key hierarchy brought by updating the node key); the second is the key hierarchy update brought by the Alias of the node key
Therefore, the present embodiment provides a key update method for the second scenario, which is applied to the key management system based on the KeyStore key tree described in embodiment 1.
The method is mainly used for updating the associated name Alias of the lower-layer branch node key corresponding to the node key when the associated name Alias of the current node key is updated, and specifically comprises the following steps:
t100, reading all branch node keys taking the current node key as a root node key;
t200, correspondingly replacing the associated names Alias of all the branch node keys with the current node key as the root node key;
t300, recalculating KeyPass of all the branch node keys according to the updated associated names Alias of all the branch node keys;
t400, utilizing the updated associated names Alias of all the branch node keys and the KeyPass calculated in the corresponding step T300, and utilizing the step T100 to read all the corresponding branch node keys and re-execute key storage according to the hierarchical topological structure of the original key tree;
and T500, deleting all the key of all the branch node keys taking the original association name Alias as the root node key according to the original association name Alias of the current node key.
For a clearer understanding of the present embodiment, the following takes the node Key User2_ Key as an example, and assumes that KeyPass corresponding to the User2_ Key is known, and if its Alias is changed from "User 2_ Key" to "User 2_ Key _ Alias", the updating steps of the node Key and all the branch node keys using it as the root node Key are as follows:
firstly, since it is known that KeyPass corresponding to User2_ Key and Alias = "User 2_ Key", all tree node keys using Key node Key User2_ Key as root node Key can be read by using the Key reading method provided by the present invention;
secondly, replacing a 'User 2_ Key' field in Alias of all branch node keys under an original node Key User2_ Key with 'User 2_ Key _ Alias', for example, the Alias of a node Key KEK1 is changed from 'User 2_ Key: KEK 1' to 'User 2_ Key _ Alias: KEK 1';
and thirdly, recalculating the KeyPass of all the branch node keys according to the updated Alias of all the branch node keys. A KeyPass, such as the Key node Key KEK1, will be changed from FUN (User2_ Key, "User 2_ Key: KEK 1") to FUN (User2_ Key, "User 2_ Key _ Alias: KEK 1");
fourthly, utilizing all the Alias and KeyPass updated by the node keys of the branch keys to read all the corresponding tree node keys in the first step and re-execute key storage according to the original tree topology;
and fifthly, deleting keys for original association names Alias = 'User 2_ Key' of the User2_ Key (all node keys on the tree topology structure taking the User2_ Key as the root node Key are deleted).
The original KeyStore key deletion can delete the content of the key according to the Alias of the key without influencing other keys, however, because the invention adopts the tree structure to store the key, a certain incidence relation exists between the keys. Therefore, when a node key is deleted, all the branch node key data using the node key as the root node key are actually discarded, because the KeyPass corresponding to the branch node keys cannot be recovered. Therefore, the key deletion proposed by the invention is tree key deletion, namely deleting the key node key and all tree branch key node keys taking the node key as a root node key, thereby preventing the key tree from having dead fork.
Example 4
The present embodiment provides a key storage method based on embodiment 1, which is applied to the key management system based on the KeyStore key tree described in embodiment 1; the key storage mainly comprises storage of data keys and storage of other key layer keys, wherein the other key layer keys are randomly generated by a key management system when the KeyStore is established, and are stored in a KeyStore file based on Alias and KeyPass encryption of the keys. According to the key hierarchy, a bottom root node key master key is firstly constructed, then the bottom root node key master key is constructed layer by layer from the top layer until the storage of all leaf node key data keys is finally realized, the storage principle is consistent with that of fig. 1, and the Alias and the KeyPass of each node key are shown in fig. 4.
In a general KeyStore file, the correlation names Alias between keys are independent; in the invention, however:
the child node keys are associated with the Alias of the parent node key, so that a key tree type topological relation can be formed among all the node keys stored in the KeyStore file, and a tree structure topological graph among the node keys can be restored through the Alias values of all the keys stored in the KeyStore, so that key hierarchical management is facilitated.
Moreover, a method for deriving the key node key by adopting the KeyPass = FUN (parent node key, Alias of the child node key) of the child node key is provided, so that all branch key node keys taking the node key as a root node key can be accessed through the key node key, and thus, a database does not need to be established to record the KeyPass of the key node keys of all layers, and only the KeyPass of the root node key need to be recorded.
Sharing or authorizing a certain sub-key tree to a user management is technically easy to realize through a recursive key reading system, because if a certain node key KeyPass is known, all branch node keys taking the node key as a root node key can be read, updated or even deleted.
The flexible management system for key storage, key updating, key reading, key deletion and the like provided by the invention is suitable for a key hierarchical management system of a subkey tree taking any key node key as a root node key, so that multi-user key system management can be realized.
The tree-type key deleting mechanism provided by the key deletion enables the key deletion to be more thorough, and meanwhile, the condition that the key tree is divided into dead branches is avoided.
The above are only typical examples of the present invention, and besides, the present invention may have other embodiments, and all technical solutions formed by equivalent substitutions or equivalent transformations fall within the scope of the present invention.

Claims (7)

1. A key management system based on a KeyStore key tree, comprising a key tree, characterized in that:
the key tree comprises a plurality of key layers in a layered topological structure;
each node key is correspondingly provided with a key identification name for identifying the node key, and the key identification name is recorded as a KeyName;
naming the association name Alias of the child node key by adopting a mode of suffix of the association name Alias of the parent node key and the KeyName of the child node key to obtain the association name Alias of the child node key;
where KeyPass = FUN for child node key (parent node key, Alias for child node key); where FUN represents a one-way function with the input parameters parent node key and the associated name Alias of the child node key.
2. A key management system based on a KeyStore key tree according to claim 1, wherein: when naming the association name Alias of the child node key, if the parent node key does not exist or is the root node key, then directly naming the association name Alias of the child node key by using the KeyName of the child node key.
3. A key management system based on a KeyStore key tree according to claim 2, wherein: the FUN function adopts HMAC or HASH function.
4. A key management system based on a KeyStore key tree according to claim 1, wherein: the key tree includes the following layers of keys:
the master key is positioned at the highest layer of the whole key tree hierarchy;
the user key is positioned at the second layer of the whole key tree hierarchy, is encrypted and protected by the master key and is used for encrypting the subordinated branch node key;
the key encryption key is positioned on the third layer of the whole key tree hierarchy, is encrypted and protected by the user key on the upper layer and is used for encrypting the branch node key on the lower subordinate layer;
and the data key is positioned at the fourth layer of the whole key tree hierarchy, is encrypted and protected by the key at the upper layer of the key tree hierarchy, and is directly used for providing the key of the cryptographic operation for the user data.
5. A method of key reading, characterized by: the KeyStore key tree-based key management system applied to any one of claims 1 to 4, specifically comprising the following steps:
STP1, calculating to obtain a father node key according to KeyPass of the father node key and the Alias associated with the father node key;
STP2, calculating KeyPass of the child node key according to the parent node key obtained in the step STP1 and the Alias of the child node key;
STP3, the child node key is calculated from the KeyPass of the child node key obtained in step STP2 and the Alias of the child node key.
6. A method of updating a key, characterized by: applied to a KeyStore key tree based key management system as claimed in any one of claims 1-4;
the method is used for correspondingly updating the lower-layer branch node keys corresponding to the node key when the current node key is updated, and specifically comprises the following steps:
s100, firstly, a system randomly generates a new secret key;
s200, traversing the lower-layer node key of the node key through the original key, and reading out a key plaintext;
s300, calculating KeyPass of the lower-layer node key by using the new key;
s400, re-encrypting and covering the storage key according to the KeyPass obtained by calculation in the step S300 and the Alias corresponding to the lower-layer node key;
s500, encrypting a new key by using the associated name Alias of the current node key and the KeyPass, and covering the original ciphertext of the current node key.
7. A method of updating a key, characterized by: applied to a KeyStore key tree based key management system as claimed in any one of claims 1-4;
the method is used for updating the association name of the lower-layer branch node key corresponding to the node key when the association name Alias of the current node key is updated, and specifically comprises the following steps:
t100, reading all branch node keys taking the current node key as a root node key;
t200, correspondingly replacing the associated names Alias of all the branch node keys with the current node key as the root node key;
t300, recalculating KeyPass of all the branch node keys according to the updated associated names Alias of all the branch node keys;
t400, reading all corresponding branch node keys by using the updated associated names Alias of all branch node keys and the KeyPass calculated in the corresponding step T300, and re-executing key storage according to the hierarchical topological structure of the original key tree by using the step T100;
and T500, deleting all the key of all the branch node keys taking the original association name Alias as the root node key according to the original association name Alias of the current node key.
CN202011461506.4A 2020-12-14 2020-12-14 Key management system, updating method and reading method based on KeyStore key tree Active CN112235324B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011461506.4A CN112235324B (en) 2020-12-14 2020-12-14 Key management system, updating method and reading method based on KeyStore key tree

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011461506.4A CN112235324B (en) 2020-12-14 2020-12-14 Key management system, updating method and reading method based on KeyStore key tree

Publications (2)

Publication Number Publication Date
CN112235324A CN112235324A (en) 2021-01-15
CN112235324B true CN112235324B (en) 2021-03-02

Family

ID=74124481

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011461506.4A Active CN112235324B (en) 2020-12-14 2020-12-14 Key management system, updating method and reading method based on KeyStore key tree

Country Status (1)

Country Link
CN (1) CN112235324B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112600944B (en) * 2021-03-02 2021-05-25 杭州字节信息技术有限公司 Differential cloud storage method and system suitable for time sequence data of Internet of things

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1540914A (en) * 2003-04-22 2004-10-27 �Ҵ���˾ Layered cryption key generating method and device for digital resources
CN101557587A (en) * 2009-04-08 2009-10-14 哈尔滨工程大学 Management method of hierarchical tree key in wireless sensor network (WSN)
CN103530578A (en) * 2013-10-18 2014-01-22 武汉大学 Method for constructing STPM of android system
CN110268394A (en) * 2017-02-09 2019-09-20 美光科技公司 KVS tree

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9116939B2 (en) * 2012-09-06 2015-08-25 Empire Technology Development Llc Tree comparison to manage progressive data store switchover with assured performance
US9208335B2 (en) * 2013-09-17 2015-12-08 Auburn University Space-time separated and jointly evolving relationship-based network access and data protection system
US11349655B2 (en) * 2018-10-05 2022-05-31 Oracle International Corporation System and method for a distributed keystore

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1540914A (en) * 2003-04-22 2004-10-27 �Ҵ���˾ Layered cryption key generating method and device for digital resources
CN101557587A (en) * 2009-04-08 2009-10-14 哈尔滨工程大学 Management method of hierarchical tree key in wireless sensor network (WSN)
CN103530578A (en) * 2013-10-18 2014-01-22 武汉大学 Method for constructing STPM of android system
CN110268394A (en) * 2017-02-09 2019-09-20 美光科技公司 KVS tree

Also Published As

Publication number Publication date
CN112235324A (en) 2021-01-15

Similar Documents

Publication Publication Date Title
US10803194B2 (en) System and a method for management of confidential data
KR102025409B1 (en) Data access management system based on blockchain and method thereof
US8752196B2 (en) Protecting privacy of shared personal information
US8059818B2 (en) Accessing protected data on network storage from multiple devices
CN108768951B (en) Data encryption and retrieval method for protecting file privacy in cloud environment
ES2848030T3 (en) Server and method for safe and economical data exchange
CN103731395B (en) The processing method and system of file
US20110085664A1 (en) Systems and methods for managing multiple keys for file encryption and decryption
CN102571329B (en) Password key management
US20100098246A1 (en) Smart card based encryption key and password generation and management
US9485090B2 (en) Managed authentication on a distributed network
CN108632385B (en) Time sequence-based cloud storage privacy protection method for multi-branch tree data index structure
Mo et al. Two-party fine-grained assured deletion of outsourced data in cloud systems
US11646872B2 (en) Management of access authorization using an immutable ledger
CN107294701B (en) Multidimensional ciphertext interval query device and method with efficient key management
CN116668072A (en) Data security sharing method and system based on multi-authority attribute base encryption
JP2002111659A (en) File encryption system, file encryption program and storage medium having recorded data
CN112235324B (en) Key management system, updating method and reading method based on KeyStore key tree
US20220020019A1 (en) Smart Contract-Based Electronic Contract Forensics Method and System
CN105553661B (en) Key management method and device
CN108259606B (en) Cloud computing public cloud file storage and retrieval method
CN108763944A (en) Multicenter large attribute Domain Properties base encryption method can be revoked safely in calculating in mist
CN108494724A (en) Cloud storage encryption system based on more authorized organization's encryption attribute algorithms and method
CN116611083A (en) Medical data sharing method and system
CN114168703A (en) Group encrypted data retrieval method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A key management system, updating method and reading method based on KeyStore key tree

Effective date of registration: 20221121

Granted publication date: 20210302

Pledgee: Zhejiang Fuyang Rural Commercial Bank Co.,Ltd. Jinqiao sub branch

Pledgor: HANGZHOU BYTE INFORMATION TECHNOLOGY Co.,Ltd.

Registration number: Y2022980022579

PE01 Entry into force of the registration of the contract for pledge of patent right