CN114124352A - Key rotation method, device and computer medium - Google Patents

Info

Publication number
CN114124352A
Authority
CN
China
Prior art keywords
key
barbican
xxl
handler
plaintext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111374083.7A
Other languages
Chinese (zh)
Inventor
刘李豪
田雨
蒋善坤
张栋梁
高传集
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Cloud Information Technology Co Ltd
Original Assignee
Inspur Cloud Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2021-11-19
Filing date
2021-11-19
Publication date
2022-03-01
Application filed by Inspur Cloud Information Technology Co Ltd
Priority to CN202111374083.7A
Publication of CN114124352A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068 Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the field of computers and provides a key rotation method in which the Barbican component of OpenStack is used for key management to generate a reliable random key, and the xxl timed-task platform is used to schedule tasks and specify an execution strategy, so that the keys protecting encrypted content are rotated automatically. Compared with the prior art, using the Barbican component of OpenStack to manage the key isolates the key from the back end and ensures the security of the key; the xxl timed-task platform and the Barbican component communicate with the back end, so that key rotation is handled automatically and the cost of the key-management back end performing rotation manually is reduced.

Description

Key rotation method, device and computer medium
Technical Field
The invention relates to the field of computers, and particularly provides a method, a device and a computer medium for key rotation.
Background
With the development of the internet industry, information security has become increasingly important, and how to protect data and prevent information leakage is a direction that many internet vendors are researching. As the means of encrypting data, the key is the core of an encryption operation, and the security of the key guarantees the security of the encrypted data.
Taking object storage that needs an encryption service in a cloud platform as an example, in the traditional mode the encryption key used by the object storage is provisioned for it, and key generation is inefficient. With security in mind, rotating the key of an encrypted file even once requires manually obtaining the plaintext of the file, generating a new key and encrypting again; when the volume of files to be encrypted is large, the efficiency of the traditional mode is extremely low.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a key rotation method with strong practicability.
The invention further aims to provide a key rotation device that is reasonably designed, safe and applicable.
A third aspect aims to provide a computer medium.
The technical scheme adopted by the invention to solve the technical problems is as follows:
a key rotation method in which the Barbican component of OpenStack is used for key management to generate a reliable random key, and an execution strategy is specified through a timed task of the xxl platform to complete automatic rotation of the keys protecting encrypted content.
Further, the method comprises the following steps:
S1, deploying the Barbican component in OpenStack, where the core functions of a freshly deployed Barbican component are open only to the admin user in OpenStack, so that only an administrator can create orders and secrets;
S2, setting up a key management executor, which comprises a Barbican access module, an xxl timed-task handler and a key replacement module;
S3, after several rotation iterations, only the latest version of the key can complete the decryption operation.
Further, in step S1, to let tenants use the order and secret functions normally, the policy file of Barbican is changed so that the attributes orders:post and secrets:post are changed from rule:admin_or_creator to @, which opens them to all users.
Further, in step S2, the Barbican access module communicates with Barbican to create a key; the key is stored in an order of the Barbican component, and its plaintext can be obtained by calling a specific interface.
Further, the xxl timed-task handler communicates with the xxl timed-task platform to create a timed task;
when the back end receives an instruction to enable rotation for a key, the handler calls the xxl timed-task platform interface and sets the execution period of the timed task according to a cron expression; when the preset execution time is reached, the xxl timed-task platform calls back the handler, and the back end starts to execute the encryption, decryption and key replacement actions.
Further, in the key replacement module, after the handler receives the callback message of the xxl timed-task platform, the key replacement module obtains the current version of the ciphertext and its key, decrypts the ciphertext to obtain the plaintext, and at the same time obtains the key id identifier set in the plaintext.
Further, in step S3, after several rotation iterations, the keys and ciphertexts of earlier versions are deleted from Barbican and the database.
A key rotation apparatus, comprising: at least one memory and at least one processor;
the at least one memory stores a machine-readable program;
the at least one processor is configured to invoke the machine-readable program to perform the key rotation method.
A computer-readable medium has stored thereon computer instructions which, when executed by a processor, cause the processor to perform the key rotation method.
Compared with the prior art, the key rotation method, device and computer medium have the following outstanding advantages:
key management in the invention uses the Barbican component of OpenStack, which isolates the key from the back end and ensures the security of the key; the xxl timed-task platform and the Barbican component communicate with the back end, so that key rotation is handled automatically and the cost of the key-management back end performing rotation manually is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flow chart of the key rotation method.
Detailed Description
The present invention will be described in further detail with reference to specific embodiments in order to better understand the technical solutions of the present invention. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A preferred embodiment is given below:
As shown in Fig. 1, in the key rotation method of this embodiment, the Barbican component of OpenStack is used for key management, a reliable random key is generated, and an execution policy is specified by timed tasks on the xxl platform, so that the keys protecting encrypted content are rotated automatically.
The method specifically comprises the following steps:
S1, the Barbican component first needs to be deployed in OpenStack. The core functions of a freshly deployed Barbican component are open only to admin users in OpenStack, so that only an administrator can create orders and secrets.
To let tenants use the order and secret functions normally, the policy file of Barbican is changed so that the attributes 'orders:post' and 'secrets:post' are changed from 'rule:admin_or_creator' to '@', which opens them to all users.
S2, setting up a key management executor. The executor is divided into three parts: the first is the Barbican access module, the second is the xxl timed-task handler, and the third is the key replacement module.
The main task of the communication between the Barbican access module and Barbican is to create a key. Taking an AES_256 key as an example, the access module calls Barbican's OpenAPI POST /v1/orders with the "algorithm" attribute set to "AES" and "bit_length" set to "256" in the request body.
In this way a key of type "AES_256" is created and stored in an order of the Barbican component, and the key plaintext can be obtained by calling a specific interface.
The timed-task handler is responsible for communication between the back end and the xxl timed-task platform, mainly for creating timed tasks. When the back end receives an instruction to enable rotation for a key, the handler calls the xxl timed-task platform interface and sets the execution period of the timed task according to a cron expression; for example, "0 0 12 ? * 1" represents execution at 12 noon every Monday. When the preset execution time is reached, the xxl timed-task platform calls back the handler, and the back end starts to execute the encryption/decryption and key replacement actions.
The key replacement module ensures that ciphertext encrypted with different versions of the key can still be decrypted.
To decrypt different versions of the ciphertext under a specific master key, a specific identifier indicating the actual key id in Barbican is added to the ciphertext. After the handler receives the callback from the xxl timed-task platform, the key replacement module obtains the current version of the ciphertext and its key, decrypts the ciphertext to obtain the plaintext, and at the same time reads the key id identifier set in the plaintext. After this, the key replacement module deletes the identifier, adds the new key id generated by the Barbican access module into the plaintext as the new identifier, encrypts the new plaintext with the new key and stores the resulting ciphertext. The key is thus replaced, and ciphertexts of different versions are decrypted with keys of the corresponding versions.
S3, after several rotation iterations the keys and ciphertexts of earlier versions need to be deleted. If the maximum number of rotations is set to 5, then when a given master key is used to generate the 6th key in rotation, the 1st key should be deleted from Barbican and the ciphertext produced by the first encryption should be deleted from the database. This prevents the security problem that would be caused by the leakage of an earlier key and ensures the timeliness of data security.
When data is decrypted, the identifier area of the ciphertext is read to identify which key in Barbican was used for encryption, and decryption is then performed, so the old version of the key can continue to be used until rotation is finished.
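As an added illustration (not code from the patent, from Barbican or from xxl-job), the following Go program models the key replacement module and the step S3 retention rule: an in-memory map stands in for Barbican orders, the key id identifier travels in a 4-byte header that AES-GCM authenticates as additional data, decryption reads that header to select the key version, and creating the 6th version retires the 1st. The header layout, the use of AES-GCM and the numeric key ids are this example's assumptions; the patent does not specify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const MaxVersions = 5          // page's example: creating the 6th key retires the 1st
const hdrLen, nonceLen = 4, 12 // key id identifier area; AES-GCM nonce size

// Record is a stored ciphertext: identifier area || nonce || AES-GCM output. The
// identifier area is GCM additional data, so a swapped key id fails authentication.
type Record []byte

// Rotator is the key replacement module; keys is a constructed stand-in for Barbican orders.
type Rotator struct {
	keys     map[uint32][]byte // key id -> 32-byte AES-256 key
	lastID   uint32
	versions []uint32 // live key ids, oldest first
}

func NewRotator() *Rotator { return &Rotator{keys: map[uint32][]byte{}} }

// aeadFor resolves a key id through the store; a retired id is an error by design.
func (rt *Rotator) aeadFor(id uint32) (cipher.AEAD, error) {
	key, ok := rt.keys[id]
	if !ok {
		return nil, fmt.Errorf("key id %d is no longer in the store", id)
	}
	block, _ := aes.NewCipher(key) // cannot fail: stored keys are always 32 bytes
	return cipher.NewGCM(block)
}

// createKey models POST /v1/orders (algorithm=AES, bit_length=256) plus the S3 retention rule.
func (rt *Rotator) createKey() uint32 {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand.Read never returns an error on Go 1.24+
	rt.lastID++
	rt.keys[rt.lastID] = k
	rt.versions = append(rt.versions, rt.lastID)
	if len(rt.versions) > MaxVersions {
		delete(rt.keys, rt.versions[0]) // the 1st key is deleted from "Barbican"
		rt.versions = rt.versions[1:]
	}
	return rt.lastID
}

// Encrypt seals plaintext under a fresh key version and writes that key id into the header.
func (rt *Rotator) Encrypt(plaintext []byte) (Record, error) {
	id := rt.createKey()
	gcm, err := rt.aeadFor(id)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	rand.Read(nonce)
	rec := append(binary.BigEndian.AppendUint32(nil, id), nonce...)
	return Record(gcm.Seal(rec, nonce, plaintext, rec[:hdrLen])), nil
}

// Decrypt reads the identifier area to pick the key version, then authenticates and decrypts.
func (rt *Rotator) Decrypt(r Record) ([]byte, error) {
	if len(r) < hdrLen+nonceLen {
		return nil, fmt.Errorf("record too short (%d bytes)", len(r))
	}
	gcm, err := rt.aeadFor(binary.BigEndian.Uint32(r[:hdrLen]))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r[hdrLen:hdrLen+nonceLen], r[hdrLen+nonceLen:], r[:hdrLen])
}

// Rotate is the timed-task callback action: decrypt under the current version and
// re-encrypt under a new one; the returned record replaces the old ciphertext row.
func (rt *Rotator) Rotate(r Record) (Record, error) {
	pt, err := rt.Decrypt(r)
	if err != nil {
		return nil, err
	}
	return rt.Encrypt(pt)
}
```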
A key rotation apparatus, comprising: at least one memory and at least one processor;
the at least one memory stores a machine-readable program;
the at least one processor is configured to invoke the machine-readable program to perform the key rotation method.
A computer-readable medium has stored thereon computer instructions which, when executed by a processor, cause the processor to perform the key rotation method.
The above embodiments are only specific embodiments of the present invention; the scope of the present invention includes but is not limited to them, and any suitable change or substitution that is consistent with the present invention as claimed for the key rotation method, apparatus and computer medium, and is made by a person of ordinary skill in the art, falls within the scope of the present invention.
Although embodiments of the present invention have been shown and described, those skilled in the art will appreciate that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (9)

1. A key rotation method, characterized in that the Barbican component of OpenStack is used for key management to generate a reliable random key, and an execution strategy is specified through a timed task of the xxl platform to complete automatic rotation of the keys protecting encrypted content.
2. The key rotation method according to claim 1, characterized by the steps of:
S1, deploying the Barbican component in OpenStack, where the core functions of a freshly deployed Barbican component are open only to the admin user in OpenStack, so that only an administrator can create orders and secrets;
S2, setting up a key management executor, which comprises a Barbican access module, an xxl timed-task handler and a key replacement module;
S3, after several rotation iterations, only the latest version of the key can complete the decryption operation.
3. The key rotation method of claim 2, wherein in step S1, to let tenants use the order and secret functions normally, the policy file of Barbican is changed so that the attributes orders:post and secrets:post are changed from rule:admin_or_creator to @, which opens them to all users.
4. The method according to claim 3, wherein in step S2 the Barbican access module communicates with Barbican to create keys; the keys are stored in orders of the Barbican component, and the plaintext of a key can be obtained by calling a specific interface.
5. The key rotation method of claim 4, wherein the xxl timed-task handler communicates with the xxl timed-task platform to create a timed task;
when the back end receives an instruction to enable rotation for a key, the handler calls the xxl timed-task platform interface and sets the execution period of the timed task according to a cron expression; when the preset execution time is reached, the xxl timed-task platform calls back the handler, and the back end starts to execute the encryption, decryption and key replacement actions.
6. The method according to claim 5, wherein in the key replacement module, after the handler receives the callback message of the xxl timed-task platform, the key replacement module obtains the current version of the ciphertext and its key, decrypts the ciphertext to obtain the plaintext, and obtains the key id identifier set in the plaintext; after this, the key replacement module deletes the identifier, adds the new key id generated by the Barbican access module into the plaintext as the new identifier, encrypts the new plaintext with the new key and stores the resulting ciphertext, so that the key is replaced.
7. The method of claim 5, wherein in step S3, after several rotation iterations, the keys and ciphertexts of earlier versions are deleted from Barbican and the database.
8. A key rotation apparatus, comprising: at least one memory and at least one processor;
the at least one memory stores a machine-readable program;
the at least one processor is configured to invoke the machine-readable program to perform the method of any of claims 1 to 7.
9. A computer-readable medium having stored thereon computer instructions which, when executed by a processor, cause the processor to perform the method of any of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111374083.7A CN114124352A (en) 2021-11-19 2021-11-19 Key rotation method, device and computer medium

Publications (1)

Publication Number Publication Date
CN114124352A true CN114124352A (en) 2022-03-01

Family

ID=80397927

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111374083.7A Pending CN114124352A (en) 2021-11-19 2021-11-19 Key rotation method, device and computer medium

Country Status (1)

Country Link
CN (1) CN114124352A (en)

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150236850A1 (en) * 2012-08-30 2015-08-20 Nec Corporation Re-encryption system, re-encryption method and re-encryption program
CN106936794A (en) * 2015-12-30 2017-07-07 阿里巴巴集团控股有限公司 Method, the device of a kind of method, device and setting key for changing key
CN106658493A (en) * 2016-10-17 2017-05-10 东软集团股份有限公司 Key management method, device and system
US20190273613A1 (en) * 2018-03-05 2019-09-05 International Business Machines Corporation Distributed encryption keys for tokens in a cloud environment
CN108650676A (en) * 2018-08-13 2018-10-12 青岛海信电器股份有限公司 A kind of key updating method in bluetooth ad hoc network and device
CN110602132A (en) * 2019-09-24 2019-12-20 苏州浪潮智能科技有限公司 Data encryption and decryption processing method
CN111666558A (en) * 2020-04-30 2020-09-15 平安科技(深圳)有限公司 Key alternation method, key alternation device, computer equipment and storage medium
CN111769950A (en) * 2020-06-24 2020-10-13 苏州浪潮智能科技有限公司 Key management method and system for token authentication in openstack system
CN113656814A (en) * 2021-07-30 2021-11-16 成都长城开发科技有限公司 Equipment key safety management method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
WEIXIN_30765475: "OpenStack-理论2.barbican 简介", Retrieved from the Internet <URL:https://blog.csdn.net/weixin_30765475/article/details/101113801?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522170306064416800186566882%2522%252C%2522scm%2522%253A%252220140713.130102334..%2522%257D&request_id=170306064416800186566882&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~so***end~default-1-101113801-null-null.142^v96^pc_search_result_base7&utm_term=OpenStack-%E7%90%86%E8%AE%BA2.barbican%20%E7%AE%80%E4%BB%8B&spm=1018.2226.3001.4187> *
机智的豆子: "分布式定时任务—XXLJOB", Retrieved from the Internet <URL:https://blog.csdn.net/qq_39380737/article/details/107308551?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522170306052616800182790310%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fall.%2522%257D&request_id=170306052616800182790310&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~first_rank_ecpm_v1~rank_v31_ecpm-5-107308551-null-null.142^v96^pc_search_result_base7&utm_term=%E5%88%86%E5%B8%83%E5%BC%8F%E5%AE%9A%E6%97%B6%E4%BB%BB%E5%8A%A1-XXLJOB&spm=1018.2226.3001.4187> *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination