CN114189388A - Alliance link key management system and method - Google Patents
Alliance link key management system and method Download PDFInfo
- Publication number
- CN114189388A CN114189388A CN202111554403.7A CN202111554403A CN114189388A CN 114189388 A CN114189388 A CN 114189388A CN 202111554403 A CN202111554403 A CN 202111554403A CN 114189388 A CN114189388 A CN 114189388A
- Authority
- CN
- China
- Prior art keywords
- key
- user
- desp
- module
- hash value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 26
- 238000009795 derivation Methods 0.000 claims abstract description 22
- 238000007726 management method Methods 0.000 claims description 189
- 230000001343 mnemonic effect Effects 0.000 claims description 40
- 238000011084 recovery Methods 0.000 claims description 31
- 238000012795 verification Methods 0.000 claims description 26
- 230000008676 import Effects 0.000 claims description 10
- 230000009977 dual effect Effects 0.000 claims description 3
- 238000013507 mapping Methods 0.000 claims description 3
- 230000007547 defect Effects 0.000 abstract description 4
- 230000003993 interaction Effects 0.000 description 16
- 230000008569 process Effects 0.000 description 9
- 238000010586 diagram Methods 0.000 description 6
- 230000007246 mechanism Effects 0.000 description 6
- 238000005516 engineering process Methods 0.000 description 3
- 230000006870 function Effects 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 230000009897 systematic effect Effects 0.000 description 2
- 230000001174 ascending effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/104—Peer-to-peer [P2P] networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a key management system and method for a alliance chain, which belong to the technical field of block chains. The invention satisfies the technical characteristics of the block chain distributed distrusted network, provides the root key and the multi-type key derivation function, supports the full life cycle management of the multi-trust source key, makes up the defects of the traditional centralized key management in the aspects of efficiency, expansibility and the like when being applied to the block chain, and can provide key management guarantee for various alliance chain systems and applications.
Description
Technical Field
The present invention relates to the field of block chain technology, and more particularly, to a system and method for managing a key of a federation chain.
Background
The block chain is a chain data structure formed by combining data blocks in a sequential connection mode according to a time sequence, and a distributed account book which is not falsifiable and counterfeitable is guaranteed in a cryptographic mode. From a cryptographic engineering perspective, blockchains are cryptographic applications that address data tampering and counterfeiting issues. A federation chain is a relatively new way to apply blockchain technology to enterprises, and a blockchain jointly participated and managed by multiple parties, which is served only for certain specific groups, is an important branch of blockchain development. At present, more and more known enterprise organizations are ascending on the research of alliance chains, the basic technical framework of the enterprises is basically perfect, and the application business on the chains is increasingly abundant. The basis of an ownership verification mechanism on the block chain is cryptography, a key is a core element for constructing a block chain trust network, and a key management system is an important future infrastructure in the block chain field. However, no complete and systematic solution for key management of the alliance chain or related products exists at present, the alliance chain is used as a distributed and multi-center innovative technology, and has a great difference from the traditional centralized system, and a special and more targeted key management technical mechanism needs to be designed to ensure safe and reliable operation of an alliance chain platform and application.
The existing alliance chain keys are various in types, include block chain node keys, alliance chain keys, application access keys, terminal keys, supervision keys and the like, relate to whole life cycle management such as key generation, updating, storage and destruction, and need to meet the distributed characteristics of a block chain, so that higher requirements are provided for key management. At present, the research on the security of the key of the alliance chain is still in a starting stage, the related work is few, and the problems of difficult key security guarantee, poor user experience and the like generally exist.
(1) The security of the key is difficult to guarantee. At present, a plurality of alliance chain systems are not established into a systematic key management mechanism, a plurality of keys lack full-life-cycle closed-loop control, and the keys have potential safety hazards in aspects of updating frequency, safety keeping and the like, and once the keys are leaked, the data privacy safety on a block chain is further threatened.
(2) The key management user experience is poor. At present, most alliance chain systems leave the responsibility of key management to users themselves, so that the users can keep the keys properly, the usability of the users is not high, the users are required to memorize a plurality of long, random and unrelated keys difficultly, a large key loss risk exists, and once the keys cannot be found, the chain data corresponding to the keys cannot be used any more.
Disclosure of Invention
The invention aims to overcome the defects of the prior art, provides a alliance chain key management system and a alliance chain key management method, meets the technical characteristics of a block chain distributed and distrust-removing network, provides a root key and a multi-type key derivation function, supports the full life cycle management of a multi-trust source key, makes up the defects of the traditional centralized key management in the aspects of efficiency, expansibility and the like when being applied to the block chain, and can provide key management guarantee for various alliance chain systems and applications.
The purpose of the invention is realized by the following scheme:
a federation chain key management system includes a root key management module and an application-derived key management module, the application-derived key management module being generated from a root key.
Further, the root key management module comprises a user registration module, a root key generation/import module, a root key storage module, a root key recovery module and a password reset module.
Further, the application derived key management module comprises a signature/encryption key derivation module, a key storage module, a key recovery module, a key update module and a key revocation module.
A key management method based on the above alliance link key management system, wherein the user registration module comprises the following steps:
a11, the user sends the mobile phone number TelNum or Email to the confidential management system to initiate a registration request;
a12, the confidential management system checks whether the mobile phone number or the mailbox is registered, if the mobile phone number or the mailbox is registered, a message is returned to inform the user that the mobile phone number or the mailbox is registered;
a13, if the mobile phone number or the mailbox is not registered, the crypto-control system generates a user ID and pushes an identifying code to the mobile phone or the mailbox of the user;
a14, setting a password PW by a user, calculating a password hash value h (H) (PW) by the client by using an SM3 hash algorithm, and sending h to a secret management system;
a15, the client encrypted management system stores user's mobile phone number TelNum or mailbox Email, ID, password hash value h.
Further, the root key generation/import module comprises a root key generation module and/or a root key import module; the root key generation module comprises the following steps:
a21, the client generates a root key seed by using a random number generation algorithm;
a22, storing a root key according to a root key storage protocol;
the root key importing module comprises the following steps: the root key is generated by the crypto-entity, imported into the key management system, and then other blockchain keys are derived based on the root key.
A key management method based on the above alliance chain key management system, wherein the root key storage module comprises a storage mnemonic word module, and/or a cryptograph escrow module;
the storage mnemonic word module comprises the following modes: after the client generates the mnemonic words, the user stores the mnemonic words in a physical mode; or storing the mnemonic words in a physical mode or storing the mnemonic words locally;
the cryptograph escrow module of the cryptograph management system comprises the following steps:
a301, the client calculates a symmetric encryption key: SM3(ID PW), encrypts the root key using key: C-SM 4key(seed) transmitting (ID, C, seed _ desp, h) to the cryptosystem using default root key description information seed _ desp ═ seed ═ b;
a302, after verifying the password hash value, the crypto-control system stores a user ID, a root key ciphertext, root key description information and a password hash value h;
the plaintext trusteeship module of the confidential management system comprises the following steps:
a311, the client sends the user ID, the root key seed, the root key description information and the password hash value h to a password management system;
a312, after the crypto system verifies the password hash value, the user ID, the root key plaintext, the root key description information seed _ desp ═ seed "and the password hash value h are stored.
The key management method based on the alliance chain key management system comprises the following steps that the root key recovery module comprises a mnemonic word recovery module, a cryptograph recovery module and a plaintext acquisition module of a confidential management system;
the mnemonic word recovery module comprises the following steps: the user inputs the mnemonic word, and the client end uses the mnemonic word M1,M2,…,M24Calculating a root key seed;
the cryptograph recovery module of the cryptograph management system comprises the following steps:
b401, the user performs login authentication through the user ID and the password PW, the client calculates the password hash value h as SM3(PW), and sends the user ID and the password hash value h to the crypto-tube system to request to acquire the ciphertext of the root key;
b402, the password hash value h is verified by the close management system;
b403, after the verification is passed, the crypto-control system searches a root key ciphertext according to the user name ID, and then sends the stored ciphertext C to the client;
b404, the client calculates the symmetric encryption key (SM 3(ID | | | PW) using SM3 hash algorithm, decrypts the ciphertext using SM4 decryption algorithm, and obtains the root key: seed SM4_ DECkey(C);
The clear text acquisition module of the confidential management system comprises the following steps:
b411, the user performs login authentication through the user ID and the password PW, the client calculates the password hash value h as SM3(PW), and sends the user ID and the password hash value h to the crypto-system to request to acquire the root key;
b412, the password hash value h is verified by the close management system;
and B413, after the verification is passed, the cryptographic management system searches the root key according to the user name ID, and then sends the stored root key plaintext to the client.
A key management method based on the above-mentioned alliance-link key management system, wherein the password resetting module comprises the following steps:
c501, the client performs login authentication through the user ID and the password PW, calculates a password hash value h as SM3(PW), and sends the user ID and the password hash value h to the crypto system to request for password resetting;
c502, the confidential management system searches the registered mobile phone number or mailbox of the user and pushes an authentication code to the mobile phone of the user;
c503, the client side passes the verification code authentication, and the cryptograph of the key is returned after the crypto-control system is verified;
c504, the client calculates a symmetric encryption key (SM 3(ID | | | PW) by using SM3 hash algorithm, and then decrypts the ciphertext to obtain a key recv _ key (SM 4_ deckey (C)), and the recovered key includes a root key and an encryption key;
c505, the user resets the password PW', and the client calculates a symmetric encryption key (SM 3(ID | | PW) using SM3 hash algorithm, and then re-encrypts the key, and calculates a ciphertext C (seed);
c506, the client calculates a password hash value h-SM 3(PW) by using SM3 hash algorithm, and then sends the ID, h, C, key _ desp _ ex to the cryptosystem;
c507, the crypto-control system stores the user ID, the password hash value h, the key ciphertext C and the key description information key _ desp _ ex;
and C508, the close management system sends reset success to the client.
A key management method based on the above-mentioned alliance-link key management system, wherein the signing/encryption key derivation module comprises the following steps:
s101, inputting description information desp of a new key by a user, wherein the initial value of index is 0 and the number of updating times of the key is represented;
deriving a symmetric key using the master key:
key_desp="symm"||desp,key_desp_ex=key_desp||index
symm_key=SM3(seed||ID||key_desp_ex)
or derive asymmetric keys using the master key:
key_desp="asymm"||desp,key_desp_ex=key_desp||index
asymm_key=SM3(seed||ID||key_desp_ex)
or derive a dual key pair using the master key:
key_desp="asymm_d"||desp,key_desp_ex=key_desp||index
asymm_dkey1=SM3(seed||ID||key_desp_ex||1)
asymm_dkey2=SM3(seed||ID||key_desp_ex||2)
and S102, the client stores the signature and the encryption key according to the key storage protocol.
The key storage module comprises a confidential management system plaintext trusteeship module and/or a confidential management system ciphertext trusteeship module;
the plaintext trusteeship module of the confidential management system comprises the following steps:
s201, the client sends the user ID, the key pair (sk, pk), the key description information key _ desp _ ex and the password hash value h to a password management system;
s202, after the password hash value is verified by the crypto-system, storing the user ID, the key pair (sk, pk), the key description information key _ desp _ ex and the password hash value h;
the cryptograph escrow module of the cryptograph management system comprises the following steps:
s21, the client calculates a symmetric encryption key: SM3(ID PW), encrypts the private key using key: C-SM 4key(sk), compute signature: sig-SM 2sk(ID | | C), sending (ID, C, key _ desp _ ex, sig, pk) to the cryptosystem system;
s22, after the password hash value and the signature are verified by the crypto-system, the user ID, the root key ciphertext C, the public key pk, the root key description information key _ desp _ ex and the password hash value h are stored.
A key management method based on the above alliance chain key management system is disclosed, wherein the key recovery module comprises a root key derivation module, a plaintext acquisition module of the crypto-system and a ciphertext acquisition module of the crypto-system;
the root key derivation module comprises the following steps:
s301, a user logs in and authenticates through a user ID and a password PW, a client calculates a password hash value h which is SM3(PW), and sends the user ID, the password hash value h and a key description key _ desp to a crypto-tube system;
s302, the password hash value h is verified by the crypto-system, after the verification is passed, the crypto-system searches for the extended key description information key _ desp _ ex according to the user name ID and the key description key _ desp, and then sends the key _ desp _ ex to the client;
s303, the client calculates the key SM3(seed | | | ID | | | key _ desp _ ex);
the cryptographic management system obtains the plaintext module, and comprises the following steps:
s31, the user logs in and authenticates through the user ID and the password PW, the client calculates the password hash value h as SM3(PW), and sends the user ID and the password hash value h to the crypto-system to request to acquire the application key;
s32, the password hash value h is verified by the cryptographic management system;
s33, after the verification is passed, the encrypted management system searches the application key according to the user name ID, and then sends the stored application key plaintext to the client;
the cryptograph obtaining module of the cryptograph management system comprises the following steps:
s341, the user performs login authentication through the user ID and the password PW, the client calculates the password hash value h as SM3(PW), and sends the user ID, the password hash value h and the key description key _ desp to the crypto-tube system;
s342, the password hash value h is verified by the close management system;
s343, after the verification is passed, the crypto-tube system searches a key ciphertext according to the user name ID and the key description key _ desp, and then sends the stored ciphertext C to the client;
s344, the client calculates the symmetric encryption key (SM 3(ID | | | PW) using SM3 hash algorithm, decrypts the ciphertext using SM4 decryption algorithm, and obtains the symmetric key: key SM4 DECkey(C)。
A key management method based on the above-mentioned alliance-link key management system, wherein the key updating module comprises the following steps:
s401, a user logs in and authenticates through a user ID and a password PW, a client calculates a password hash value h which is SM3(PW), and sends the user ID, the password hash value h and a key description key _ desp to a crypto-tube system;
s402, the password hash value h is verified by the crypto-system, after the verification is passed, the crypto-system searches for the extended key description information key _ desp _ ex according to the user name ID and the key description key _ desp, and then sends the key _ desp _ ex to the client;
s403, the client executes the key revocation protocol to revoke the key description information as the key _ desp key;
s404, the client adds one to the key updating times index, and then executes a key derivation protocol to derive the extended key description information as the key _ desp | | index +1 key.
A key management method based on the above-mentioned alliance-link key management system, wherein the key revocation module comprises the following steps:
s501, a user logs in and authenticates through a user ID and a password PW, a client calculates a password hash value h which is SM3(PW), and sends the user ID, the password hash value h and a key description key _ desp to a crypto-tube system;
s502, the password hash value h is verified by the close management system;
s503, after the verification is passed, the client sends a key revocation request key description to the crypto-tube system;
s504, the crypto-system deletes the key ciphertext of which the key is described as key _ desp, and returns the revocation result to the client.
A key management method based on the above federation chain key management system, after the client generates the mnemonic word, the method includes the following sub-steps: the client calculates the 8bit fingerprint value fingerprint of the seed, and the fingerprint value fingerprint is marked as seed | | | fingerprint; selecting a word list A containing 2048 different words; the seed | finger prints are divided into 24 groups: seed1,seed2,…seed24(ii) a Each group is 11 bits in length, and each group represents an interval [0,2047 ]]Is an integer idx ofiMapping each grouping to a word in a word list:M1=A[idx1],M2=A[idx2],…,M24=A[idx24]The mnemonic word is M1,M2,…,M24。
The key management method based on the alliance chain key management system is characterized in that the client side is provided with a mnemonic word M1,M2,…,M24The calculating of the root key seed comprises the sub-steps of: for each mnemonic MiLooking up the word in word list A to get the word index in word list, the index is in the interval [0,2047 ]]In (1), converting the index into a bit string seed having a length equal to 11iTo obtain a bit string seed with a length of 264 bits1,seed2,…,seed24Then, the first 256 bits are taken as a root key seed, and the second 8 bits are taken as a checksum; and calculating an 8-bit fingerprint value fingerprint of the seed, comparing the fingerprint with the checksum, if the fingerprint value fingerprint is equal to the checksum, the recovered root key is the seed, and if the fingerprint value fingerprint is not equal to the checksum, the recovery of the root key fails.
The invention has the beneficial effects that:
(1) the system and the method provided by the invention provide a alliance chain multi-center key management mechanism, meet the technical characteristics of block chain distribution type and distrust removing networks, provide root keys and multi-type key derivation functions, support the full life cycle management of multi-trust source keys, make up the defects of the traditional centralized key management in the aspects of efficiency, expansibility and the like when being applied to the block chain, and provide key management guarantee for various alliance chain systems and applications.
(2) The scheme provided by the invention can meet the security requirement of key management and realize friendly user experience of key management. The federation chain realizes data encryption and decryption and user ownership verification through various cryptography mechanisms, wherein various keys are involved, the management scheme of combining the root key and the derivative key designed by the embodiment of the invention mainly focuses on the safety control of the root key in management, so that the complexity of key management can be reduced to the greatest extent, and meanwhile, a mnemonic method is adopted to replace the memory and storage of a private key, so that the good user experience of key management is realized.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow diagram of a user registration interaction;
FIG. 2 is a flow diagram of a root key generation interaction;
FIG. 3 is a flowchart of ciphertext hosting interaction for a secure management system;
FIG. 4 is a flow chart of clear text escrow interaction of the secure management system;
FIG. 5 is a flowchart of ciphertext recovery interaction for a crypto-pipe system;
FIG. 6 is a flow chart of clear text acquisition interaction of the secure management system;
FIG. 7 is a password reset interaction flow diagram;
FIG. 8 is a flow diagram of a signing/encryption key derivation interaction;
FIG. 9 is a flowchart of a cryptographic system plaintext escrow interaction for key storage;
FIG. 10 is a flowchart of cipher text escrow interaction for a crypto system for key storage;
FIG. 11 is a flow diagram of a root key derivation interaction;
FIG. 12 is a flowchart of the interaction of the secure management system to obtain plaintext;
FIG. 13 is a flowchart illustrating the ciphertext interaction process performed by the crypto-pipe system;
FIG. 14 is a key update interaction flow diagram;
FIG. 15 is a flowchart of a key revocation interaction;
FIG. 16 is a flowchart of the federation chain key management overall interaction.
Detailed Description
All features disclosed in all embodiments in this specification, or all methods or process steps implicitly disclosed, may be combined and/or expanded, or substituted, in any way, except for mutually exclusive features and/or steps.
Example 1
The embodiment aims to solve the technical problem of the full life cycle safety management and control of the secret key in the multi-center management mode. As shown in fig. 16, there is provided a federation chain key management system including a root key management module and an application-derived key management module, the application-derived key management module being generated from a root key. In this embodiment, a key derivation mechanism is adopted to construct a federation chain key management system derived based on a root key, each organization participating in a federation chain has an independent key management system, each organization generates or imports a root key, and derives other block chain application keys such as a node key, a federation chain key, an application access key, a terminal key, a supervision key, and the like based on the root key. In specific application, the key management object includes a root key and an application derived key, wherein the application derived key is generated by the root key, and the application key includes a block link node key, a federation link key, an application access key, a terminal key, a supervision key, and the like. The root key management process comprises the processes of user registration, password resetting, root key generation, root key storage, root key acquisition and the like; the application derived key management process comprises the processes of derived key generation, key storage, key recovery, key updating, key revocation and the like.
Example 2
On the basis of the embodiment 1, the root key management module relates to processes of user registration, root key generation, storage, recovery, password resetting and the like, and comprises a user registration module, a root key generation/import module, a root key storage module, a root key recovery module and a password resetting module when being applied specifically.
As shown in fig. 1, a key management method based on the above alliance chain key management system is provided, where the user registration module needs to register according to the following steps when the user uses the secure management system for the first time:
a11, the user sends the mobile phone number TelNum or Email to the confidential management system to initiate a registration request;
a12, the confidential management system checks whether the mobile phone number or the mailbox is registered, if the mobile phone number or the mailbox is registered, a message is returned to inform the user that the mobile phone number or the mailbox is registered;
a13, if the mobile phone number or the mailbox is not registered, the crypto-control system generates a user ID and pushes an identifying code to the mobile phone or the mailbox of the user;
a14, setting a password PW by a user, calculating a password hash value h (H) (PW) by the client by using an SM3 hash algorithm, and sending h to a secret management system;
a15, the client encrypted management system stores user's mobile phone number TelNum or mailbox Email, ID, password hash value h.
Example 3
On the basis of embodiment 1, there is provided a key management method based on the above-mentioned federation chain key management system, and a root key generation process is shown in fig. 2. The root key generation/import module comprises a root key generation module and/or a root key import module; the root key generation module comprises the following steps:
a21, the client generates a root key seed (length 256bit) by using a random number generation algorithm;
a22, storing a root key according to a root key storage protocol;
the root key importing module comprises the following steps: the root key is generated by the crypto-entity, imported into the key management system, and then other blockchain keys are derived based on the root key.
Example 4
The present embodiment provides a key management method based on the above federation chain key management system, and root key storage is implemented by three methods. In specific application, the root key storage module comprises a storage mnemonic word module, and/or a cryptogra phic system cryptogra phic escrow module, and/or a cryptogra phic system plaintext escrow module;
the module for storing mnemonics optionally comprises the following modes: after the client generates the mnemonic words, the user stores the mnemonic words in a physical mode. In a specific application, the client calculates the 8-bit fingerprint value fingerprint of the seed (the first 8 bits of the SM3(seed) are intercepted), and calculates the mnemonic words (24 words in total) for the seed | | | fingerprint (264 bits in total). The specific method comprises the following steps: select one of 2048 cardsWord list a of same words. The seed | finger prints are divided into 24 groups: seed1,seed2,…seed24Each group is 11 bits in length, and each group can represent an interval [0,2047 ]]Is an integer idx ofiMapping each grouping to a word in the word list: m1=A[idx1],M2=A[idx2],…,M24=A[idx24]The mnemonic word is M1,M2,…,M24。
Or, the mnemonic words may be stored physically or locally.
The cryptograph escrow module of the cryptograph management system, as shown in fig. 3, includes the following steps:
a301, the client calculates a symmetric encryption key: SM3(ID PW), encrypts the root key using key: C-SM 4key(seed) transmitting (ID, C, seed _ desp, h) to the cryptosystem using default root key description information seed _ desp ═ seed ═ b;
a302, after verifying the password hash value, the crypto-control system stores a user ID, a root key ciphertext, root key description information and a password hash value h;
the plaintext hosting module of the secure management system, as shown in fig. 4, includes the following steps:
a311, the client sends the user ID, the root key seed, the root key description information and the password hash value h to a password management system;
a312, after the crypto system verifies the password hash value, the user ID, the root key plaintext, the root key description information seed _ desp ═ seed "and the password hash value h are stored.
Example 5
The root key recovery module comprises a mnemonic word recovery module, a cryptograph recovery module and/or a plaintext acquisition module of the confidential management system.
The mnemonic word recovery module optionally includes the following steps: the user inputs the mnemonic word, and the client end uses the mnemonic word M1,M2,…,M24The root key seed is calculated. In the specific application, forEach mnemonic word MiLooking up the word in the word list A to obtain the index idx of the word in the word listi(Mi=A[idxi]) The index is in the interval [0,2047]In (1), converting the index into a bit string seed having a length equal to 11iTo obtain a bit string seed with a length of 264 bits1,seed2,…,seed24Then, the first 256 bits are taken as the root key seed, and the last 8 bits are taken as the checksum. And calculating 8-bit fingerprint value finger print of the seed (intercepting the first 8 bits of SM3 (seed)), comparing the finger print with the checksum, if equal, the recovered root key is the seed, and if not, the recovery of the root key fails.
The ciphertext recovery module of the crypto-system, as shown in fig. 5, includes the following steps:
b401, the user performs login authentication through the user ID and the password PW, the client calculates the password hash value h as SM3(PW), and sends the user ID and the password hash value h to the crypto-tube system to request to acquire the ciphertext of the root key;
b402, the password hash value h is verified by the close management system;
b403, after the verification is passed, the crypto-control system searches a root key ciphertext according to the user name ID, and then sends the stored ciphertext C to the client;
b404, the client calculates the symmetric encryption key (SM 3(ID | | | PW) using SM3 hash algorithm, decrypts the ciphertext using SM4 decryption algorithm, and obtains the root key: seed SM4_ DECkey(C);
The plaintext acquisition module of the crypto-system, as shown in fig. 6, includes the following steps:
b411, the user performs login authentication through the user ID and the password PW, the client calculates the password hash value h as SM3(PW), and sends the user ID and the password hash value h to the crypto-system to request to acquire the root key;
b412, the password hash value h is verified by the close management system;
and B413, after the verification is passed, the cryptographic management system searches the root key according to the user name ID, and then sends the stored root key plaintext to the client.
Example 6
As shown in fig. 7, a key management method based on the above federation chain key management system is provided, where the password resetting module implements that a user can apply for resetting a password through a mobile phone number or a mailbox, and includes the following steps:
c501, the client performs login authentication through the user ID and the password PW, calculates a password hash value h as SM3(PW), and sends the user ID and the password hash value h to the crypto system to request for password resetting;
c502, the confidential management system searches the registered mobile phone number or mailbox of the user and pushes an authentication code to the mobile phone of the user;
c503, the client side passes the verification code authentication, and the cryptograph of the key is returned after the crypto-control system is verified;
c504, the client calculates the symmetric encryption key SM3(ID PW) using SM3 hash algorithm, and then decrypts the ciphertext to obtain the key recv _ key SM4_ DECkey(C) The recovered key comprises a root key and an emergency key;
c505, the user resets the password PW', the client calculates the symmetric encryption key SM3(ID PW) using SM3 hash algorithm, then re-encrypts the key, calculates the ciphertext C SM4key(seed);
C506, the client calculates a password hash value h-SM 3(PW) by using SM3 hash algorithm, and then sends the ID, h, C, key _ desp _ ex to the cryptosystem;
c507, the crypto-control system stores the user ID, the password hash value h, the key ciphertext C and the key description information key _ desp _ ex;
and C508, the close management system sends reset success to the client.
Example 7
On the basis of the embodiment 1, the application derived key is derived from the root key, and mainly comprises a signature key and an encryption key. The key (signature, encryption key) management process includes signature/encryption key derivation and storage, key recovery, key update, key revocation and other processes. In specific application, the application derived key management module comprises a signature/encryption key derivation module, a key storage module, a key recovery module, a key update module and a key revocation module.
As shown in fig. 8, the signing/encryption key derivation module includes the following steps:
s101, inputting description information desp of a new key by a user, wherein the initial value of index is 0 and the number of updating times of the key is represented;
deriving a symmetric key using the master key:
key_desp="symm"||desp,key_desp_ex=key_desp||index
symm_key=SM3(seed||ID||key_desp_ex)
or derive asymmetric keys using the master key:
key_desp="asymm"||desp,key_desp_ex=key_desp||index
asymm_key=SM3(seed||ID||key_desp_ex)
or derive a dual key pair using the master key:
key_desp="asymm_d"||desp,key_desp_ex=key_desp||index
asymm_dkey1=SM3(seed||ID||key_desp_ex||1)
asymm_dkey2=SM3(seed||ID||key_desp_ex||2)
and S102, the client stores the signature and the encryption key according to the key storage protocol.
Example 8
On the basis of embodiment 1, a key management method based on the above alliance chain key management system is provided, where the key storage module is implemented in two ways, and the crypto system plaintext hosting and crypto system ciphertext hosting include crypto system plaintext hosting and/or crypto system ciphertext hosting modules when being specifically applied;
the plaintext hosting module of the secure management system, as shown in fig. 9, includes the following steps:
s201, the client sends the user ID, the key pair (sk, pk), the key description information key _ desp _ ex and the password hash value h to a password management system;
s202, after the password hash value is verified by the crypto-system, storing the user ID, the key pair (sk, pk), the key description information key _ desp _ ex and the password hash value h;
the cryptograph escrow module of the cryptograph management system, as shown in fig. 10, includes the following steps:
s21, the client calculates a symmetric encryption key: SM3(ID PW), encrypts the private key using key: C-SM 4key(sk), compute signature: sig-SM 2sk(ID | | C), sending (ID, C, key _ desp _ ex, sig, pk) to the cryptosystem system;
s22, after the password hash value and the signature are verified by the crypto-system, the user ID, the root key ciphertext C, the public key pk, the root key description information key _ desp _ ex and the password hash value h are stored.
Example 9
On the basis of embodiment 1, there is provided a key management method based on the above federation chain key management system, where the key recovery module is implemented by three methods: and deriving a root key, acquiring a plaintext by the encrypted management system, and acquiring a ciphertext by the encrypted management system. In specific application, the method comprises a root key derivation module, a plaintext acquisition module of the crypto-tube system and a ciphertext acquisition module of the crypto-tube system.
The root key derivation module, as shown in fig. 11, includes the following steps:
s301, a user logs in and authenticates through a user ID and a password PW, a client calculates a password hash value h which is SM3(PW), and sends the user ID, the password hash value h and a key description key _ desp to a crypto-tube system;
s302, the password hash value h is verified by the crypto-system, after the verification is passed, the crypto-system searches for the extended key description information key _ desp _ ex according to the user name ID and the key description key _ desp, and then sends the key _ desp _ ex to the client;
s303, the client calculates the key SM3(seed | | | ID | | | key _ desp _ ex);
the cryptographic management system obtains the plaintext module, as shown in fig. 12, and includes the following steps:
s31, the user logs in and authenticates through the user ID and the password PW, the client calculates the password hash value h as SM3(PW), and sends the user ID and the password hash value h to the crypto-system to request to acquire the application key;
s32, the password hash value h is verified by the cryptographic management system;
s33, after the verification is passed, the encrypted management system searches the application key according to the user name ID, and then sends the stored application key plaintext to the client;
the cryptograph obtaining module of the cryptograph managing system, as shown in fig. 13, includes the following steps:
s341, the user performs login authentication through the user ID and the password PW, the client calculates the password hash value h as SM3(PW), and sends the user ID, the password hash value h and the key description key _ desp to the crypto-tube system;
s342, the password hash value h is verified by the close management system;
s343, after the verification is passed, the crypto-tube system searches a key ciphertext according to the user name ID and the key description key _ desp, and then sends the stored ciphertext C to the client;
s344, the client calculates the symmetric encryption key (SM 3(ID | | | PW) using SM3 hash algorithm, decrypts the ciphertext using SM4 decryption algorithm, and obtains the symmetric key: key SM4 DECkey(C)。
Example 10
On the basis of embodiment 1, there is provided a key management method based on the above federation chain key management system, where the key update module, as shown in fig. 14, includes the following steps:
s401, a user logs in and authenticates through a user ID and a password PW, a client calculates a password hash value h which is SM3(PW), and sends the user ID, the password hash value h and a key description key _ desp to a crypto-tube system;
s402, the password hash value h is verified by the crypto-system, after the verification is passed, the crypto-system searches for the extended key description information key _ desp _ ex according to the user name ID and the key description key _ desp, and then sends the key _ desp _ ex to the client;
s403, the client executes the key revocation protocol to revoke the key description information as the key _ desp key;
s404, the client adds one to the key updating times index, and then executes a key derivation protocol to derive the extended key description information as the key _ desp | | index +1 key.
Example 11
On the basis of embodiment 1, there is provided a key management method based on the above federation chain key management system, as shown in fig. 15, where the key revocation module includes the following steps:
s501, a user logs in and authenticates through a user ID and a password PW, a client calculates a password hash value h which is SM3(PW), and sends the user ID, the password hash value h and a key description key _ desp to a crypto-tube system;
s502, the password hash value h is verified by the close management system;
s503, after the verification is passed, the client sends a key revocation request key description to the crypto-tube system;
s504, the crypto-system deletes the key ciphertext of which the key is described as key _ desp, and returns the revocation result to the client.
The functionality of the present invention, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium, and all or part of the steps of the method according to the embodiments of the present invention are executed in a computer device (which may be a personal computer, a server, or a network device) and corresponding software. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, or an optical disk, exist in a read-only Memory (RAM), a Random Access Memory (RAM), and the like, for performing a test or actual data in a program implementation.
Claims (15)
1. A federation chain key management system comprising a root key management module and an application-derived key management module, the application-derived key management module being generated from a root key.
2. The Federation link key management system of claim 1 wherein the root key management module comprises a user registration module, a root key generation/import module, a root key storage module, a root key recovery module, and a password reset module.
3. A federation chain key management system according to claim 1 or 2 wherein the application derived key management module comprises a signing/encryption key derivation module, a key storage module, a key recovery module, a key renewal module and a key revocation module.
4. A key management method of the federation chain key management system according to claim 2, wherein the user registration module comprises the following steps:
a11, the user sends the mobile phone number TelNum or Email to the confidential management system to initiate a registration request;
a12, the confidential management system checks whether the mobile phone number or the mailbox is registered, if the mobile phone number or the mailbox is registered, a message is returned to inform the user that the mobile phone number or the mailbox is registered;
a13, if the mobile phone number or the mailbox is not registered, the crypto-control system generates a user ID and pushes an identifying code to the mobile phone or the mailbox of the user;
a14, setting a password PW by a user, calculating a password hash value h (H) (PW) by the client by using an SM3 hash algorithm, and sending h to a secret management system;
a15, the client encrypted management system stores user's mobile phone number TelNum or mailbox Email, ID, password hash value h.
5. A key management method based on the federation chain key management system of claim 2, wherein the root key generation/import module comprises a root key generation module and/or a root key import module; the root key generation module comprises the following steps:
a21, the client generates a root key seed by using a random number generation algorithm;
a22, storing a root key according to a root key storage protocol;
the root key importing module comprises the following steps: the root key is generated by the crypto-entity, imported into the key management system, and then other blockchain keys are derived based on the root key.
6. A key management method based on the alliance-link key management system of claim 2, wherein the root key storage module comprises a storage mnemonic module, and/or a cryptogra phic system cryptogra phic escrow module, and/or a cryptogra phic system plaintext escrow module;
the storage mnemonic word module comprises the following modes: after the client generates the mnemonic words, the user stores the mnemonic words in a physical mode; or storing the mnemonic words in a physical mode or storing the mnemonic words locally;
the cryptograph escrow module of the cryptograph management system comprises the following steps:
a301, the client calculates a symmetric encryption key: SM3(ID PW), encrypts the root key using key: C-SM 4key(seed) transmitting (ID, C, seed _ desp, h) to the cryptosystem using default root key description information seed _ desp ═ seed ═ b;
a302, after verifying the password hash value, the crypto-control system stores a user ID, a root key ciphertext, root key description information and a password hash value h;
the plaintext trusteeship module of the confidential management system comprises the following steps:
a311, the client sends the user ID, the root key seed, the root key description information and the password hash value h to a password management system;
a312, after the crypto system verifies the password hash value, the user ID, the root key plaintext, the root key description information seed _ desp ═ seed "and the password hash value h are stored.
7. A key management method based on the federation chain key management system of claim 2, wherein the root key recovery module comprises a mnemonic word recovery module, and/or a cryptograph recovery module of the cryptograph system, and/or a plaintext acquisition module of the cryptograph system;
the mnemonic word recovery module comprises the following steps: user inputThe mnemonic words are written by the client side1,M2,…,M24Calculating a root key seed;
the cryptograph recovery module of the cryptograph management system comprises the following steps:
b401, the user performs login authentication through the user ID and the password PW, the client calculates the password hash value h as SM3(PW), and sends the user ID and the password hash value h to the crypto-tube system to request to acquire the ciphertext of the root key;
b402, the password hash value h is verified by the close management system;
b403, after the verification is passed, the crypto-control system searches a root key ciphertext according to the user name ID, and then sends the stored ciphertext C to the client;
b404, the client calculates the symmetric encryption key (SM 3(ID | | | PW) using SM3 hash algorithm, decrypts the ciphertext using SM4 decryption algorithm, and obtains the root key: seed SM4_ DECkey(C);
The clear text acquisition module of the confidential management system comprises the following steps:
b411, the user performs login authentication through the user ID and the password PW, the client calculates the password hash value h as SM3(PW), and sends the user ID and the password hash value h to the crypto-system to request to acquire the root key;
b412, the password hash value h is verified by the close management system;
and B413, after the verification is passed, the cryptographic management system searches the root key according to the user name ID, and then sends the stored root key plaintext to the client.
8. A key management method of the federation chain key management system of claim 2, wherein the password resetting module comprises the following steps:
c501, the client performs login authentication through the user ID and the password PW, calculates a password hash value h as SM3(PW), and sends the user ID and the password hash value h to the crypto system to request for password resetting;
c502, the confidential management system searches the registered mobile phone number or mailbox of the user and pushes an authentication code to the mobile phone of the user;
c503, the client side passes the verification code authentication, and the cryptograph of the key is returned after the crypto-control system is verified;
c504, the client calculates the symmetric encryption key SM3(ID PW) using SM3 hash algorithm, and then decrypts the ciphertext to obtain the key recv _ key SM4_ DECkey(C) The recovered key comprises a root key and an emergency key;
c505, the user resets the password PW', the client calculates the symmetric encryption key SM3(ID PW) using SM3 hash algorithm, then re-encrypts the key, calculates the ciphertext C SM4key(seed);
C506, the client calculates a password hash value h-SM 3(PW) by using SM3 hash algorithm, and then sends the ID, h, C, key _ desp _ ex to the cryptosystem;
c507, the crypto-control system stores the user ID, the password hash value h, the key ciphertext C and the key description information key _ desp _ ex;
and C508, the close management system sends reset success to the client.
9. A key management method of the federation chain key management system of claim 3, wherein the signing/encryption key derivation module comprises the following steps:
s101, inputting description information desp of a new key by a user, wherein the initial value of index is 0 and the number of updating times of the key is represented;
deriving a symmetric key using the master key:
key_desp="symm"||desp,key_desp_ex=key_desp||index
symm_key=SM3(seed||ID||key_desp_ex)
or derive asymmetric keys using the master key:
key_desp="asymm"||desp,key_desp_ex=key_desp||index
asymm_key=SM3(seed||ID||key_desp_ex)
or derive a dual key pair using the master key:
key_desp="asymm_d"||desp,key_desp_ex=key_desp||index
asymm_dkey1=SM3(seed||ID||key_desp_ex||1)
asymm_dkey2=SM3(seed||ID||key_desp_ex||2)
and S102, the client stores the signature and the encryption key according to the key storage protocol.
10. A key management method based on the alliance-link key management system of claim 3, wherein the key storage module comprises a crypto-system plaintext hosting module and/or a crypto-system ciphertext hosting module;
the plaintext trusteeship module of the confidential management system comprises the following steps:
s201, the client sends the user ID, the key pair (sk, pk), the key description information key _ desp _ ex and the password hash value h to a password management system;
s202, after the password hash value is verified by the crypto-system, storing the user ID, the key pair (sk, pk), the key description information key _ desp _ ex and the password hash value h;
the cryptograph escrow module of the cryptograph management system comprises the following steps:
s21, the client calculates a symmetric encryption key: SM3(ID PW), encrypts the private key using key: C-SM 4key(sk), compute signature: sig-SM 2sk(ID | | C), sending (ID, C, key _ desp _ ex, sig, pk) to the cryptosystem system;
s22, after the password hash value and the signature are verified by the crypto-system, the user ID, the root key ciphertext C, the public key pk, the root key description information key _ desp _ ex and the password hash value h are stored.
11. A key management method based on the federation chain key management system of claim 3, wherein the key recovery module comprises a root key derivation module, a crypto-system plaintext acquisition module, and a crypto-system ciphertext acquisition module;
the root key derivation module comprises the following steps:
s301, a user logs in and authenticates through a user ID and a password PW, a client calculates a password hash value h which is SM3(PW), and sends the user ID, the password hash value h and a key description key _ desp to a crypto-tube system;
s302, the password hash value h is verified by the crypto-system, after the verification is passed, the crypto-system searches for the extended key description information key _ desp _ ex according to the user name ID and the key description key _ desp, and then sends the key _ desp _ ex to the client;
s303, the client calculates the key SM3(seed | | | ID | | | key _ desp _ ex);
the cryptographic management system obtains the plaintext module, and comprises the following steps:
s31, the user logs in and authenticates through the user ID and the password PW, the client calculates the password hash value h as SM3(PW), and sends the user ID and the password hash value h to the crypto-system to request to acquire the application key;
s32, the password hash value h is verified by the cryptographic management system;
s33, after the verification is passed, the encrypted management system searches the application key according to the user name ID, and then sends the stored application key plaintext to the client;
the cryptograph obtaining module of the cryptograph management system comprises the following steps:
s341, the user performs login authentication through the user ID and the password PW, the client calculates the password hash value h as SM3(PW), and sends the user ID, the password hash value h and the key description key _ desp to the crypto-tube system;
s342, the password hash value h is verified by the close management system;
s343, after the verification is passed, the crypto-tube system searches a key ciphertext according to the user name ID and the key description key _ desp, and then sends the stored ciphertext C to the client;
s344, the client calculates the symmetric encryption key (SM 3(ID | | | PW) using SM3 hash algorithm, decrypts the ciphertext using SM4 decryption algorithm, and obtains the symmetric key: key SM4 DECkey(C)。
12. A key management method of the federation chain key management system according to claim 3, wherein the key update module comprises the following steps:
s401, a user logs in and authenticates through a user ID and a password PW, a client calculates a password hash value h which is SM3(PW), and sends the user ID, the password hash value h and a key description key _ desp to a crypto-tube system;
s402, the password hash value h is verified by the crypto-system, after the verification is passed, the crypto-system searches for the extended key description information key _ desp _ ex according to the user name ID and the key description key _ desp, and then sends the key _ desp _ ex to the client;
s403, the client executes the key revocation protocol to revoke the key description information as the key _ desp key;
s404, the client adds one to the key updating times index, and then executes a key derivation protocol to derive the extended key description information as the key _ desp | | index +1 key.
13. A key management method of the federation chain key management system according to claim 3, wherein the key revocation module comprises the following steps:
s501, a user logs in and authenticates through a user ID and a password PW, a client calculates a password hash value h which is SM3(PW), and sends the user ID, the password hash value h and a key description key _ desp to a crypto-tube system;
s502, the password hash value h is verified by the close management system;
s503, after the verification is passed, the client sends a key revocation request key description to the crypto-tube system;
s504, the crypto-system deletes the key ciphertext of which the key is described as key _ desp, and returns the revocation result to the client.
14. The method according to claim 6, wherein after the client generates the mnemonic word, the method comprises the following sub-steps: the client calculates the 8bit fingerprint value fingerprint of the seed, and the fingerprint value fingerprint is marked as seed | | | fingerprint; selecting a word list A containing 2048 different words; the seed | finger prints are divided into 24 groups: seed1,seed2,…seed24(ii) a Each group is 11 bits in length, and each group represents an interval [0,2047 ]]Is an integer idx ofiMapping each grouping to a word in the word list: m1=A[idx1],M2=A[idx2],…,M24=A[idx24]The mnemonic word is M1,M2,…,M24。
15. The method of claim 7, wherein the client is assisted by a mnemonic M1,M2,…,M24The calculating of the root key seed comprises the sub-steps of: for each mnemonic MiLooking up the word in word list A to get the word index in word list, the index is in the interval [0,2047 ]]In (1), converting the index into a bit string seed having a length equal to 11iTo obtain a bit string seed with a length of 264 bits1,seed2,…,seed24Then, the first 256 bits are taken as a root key seed, and the second 8 bits are taken as a checksum; and calculating an 8-bit fingerprint value fingerprint of the seed, comparing the fingerprint with the checksum, if the fingerprint value fingerprint is equal to the checksum, the recovered root key is the seed, and if the fingerprint value fingerprint is not equal to the checksum, the recovery of the root key fails.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111554403.7A CN114189388A (en) | 2021-12-17 | 2021-12-17 | Alliance link key management system and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111554403.7A CN114189388A (en) | 2021-12-17 | 2021-12-17 | Alliance link key management system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114189388A true CN114189388A (en) | 2022-03-15 |
Family
ID=80544416
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111554403.7A Pending CN114189388A (en) | 2021-12-17 | 2021-12-17 | Alliance link key management system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114189388A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116011041A (en) * | 2022-12-07 | 2023-04-25 | 成都海光集成电路设计有限公司 | Key management method, data protection method, system, chip and computer equipment |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018046009A1 (en) * | 2016-09-12 | 2018-03-15 | 上海鼎利信息科技有限公司 | Block chain identity system |
CN109474420A (en) * | 2018-10-26 | 2019-03-15 | 深圳市元征科技股份有限公司 | A kind of private key backup method and relevant device |
CN109495490A (en) * | 2018-12-04 | 2019-03-19 | 中国电子科技集团公司第三十研究所 | A kind of unified identity authentication method based on block chain |
CN110378152A (en) * | 2019-07-04 | 2019-10-25 | 绿漫科技有限公司 | A kind of contract signing management system and method based on PKICA certification and block chain technology |
CN110838912A (en) * | 2019-11-18 | 2020-02-25 | 深圳前海微众银行股份有限公司 | Key management method, device, equipment and computer medium based on block chain |
US20200389302A1 (en) * | 2017-12-15 | 2020-12-10 | Orange | Technique for protecting a cryptographic key by means of a user password |
US10873852B1 (en) * | 2020-04-10 | 2020-12-22 | Avila Technology, LLC | POOFster: a secure mobile text message and object sharing application, system, and method for same |
KR20210045326A (en) * | 2019-10-16 | 2021-04-26 | 주식회사 피어테크 | Key management mechanism for cryptocurrency wallet |
-
2021
- 2021-12-17 CN CN202111554403.7A patent/CN114189388A/en active Pending
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018046009A1 (en) * | 2016-09-12 | 2018-03-15 | 上海鼎利信息科技有限公司 | Block chain identity system |
US20200389302A1 (en) * | 2017-12-15 | 2020-12-10 | Orange | Technique for protecting a cryptographic key by means of a user password |
CN109474420A (en) * | 2018-10-26 | 2019-03-15 | 深圳市元征科技股份有限公司 | A kind of private key backup method and relevant device |
CN109495490A (en) * | 2018-12-04 | 2019-03-19 | 中国电子科技集团公司第三十研究所 | A kind of unified identity authentication method based on block chain |
CN110378152A (en) * | 2019-07-04 | 2019-10-25 | 绿漫科技有限公司 | A kind of contract signing management system and method based on PKICA certification and block chain technology |
KR20210045326A (en) * | 2019-10-16 | 2021-04-26 | 주식회사 피어테크 | Key management mechanism for cryptocurrency wallet |
CN110838912A (en) * | 2019-11-18 | 2020-02-25 | 深圳前海微众银行股份有限公司 | Key management method, device, equipment and computer medium based on block chain |
US10873852B1 (en) * | 2020-04-10 | 2020-12-22 | Avila Technology, LLC | POOFster: a secure mobile text message and object sharing application, system, and method for same |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116011041A (en) * | 2022-12-07 | 2023-04-25 | 成都海光集成电路设计有限公司 | Key management method, data protection method, system, chip and computer equipment |
CN116011041B (en) * | 2022-12-07 | 2024-06-18 | 成都海光集成电路设计有限公司 | Key management method, data protection method, system, chip and computer equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11316668B2 (en) | Methods and systems for cryptographic private key management for secure multiparty storage and transfer of information | |
CN109377198B (en) | Signing system based on multi-party consensus of alliance chain | |
CN108292402B (en) | Determination of a common secret and hierarchical deterministic keys for the secure exchange of information | |
CN108418680B (en) | Block chain key recovery method and medium based on secure multi-party computing technology | |
CN106664202B (en) | Method, system and computer readable medium for providing encryption on multiple devices | |
CN106104562B (en) | System and method for securely storing and recovering confidential data | |
KR100827650B1 (en) | Methods for authenticating potential members invited to join a group | |
US7571489B2 (en) | One time passcode system | |
US7395549B1 (en) | Method and apparatus for providing a key distribution center without storing long-term server secrets | |
CN107359998B (en) | A kind of foundation and operating method of portable intelligent password management system | |
US20170244687A1 (en) | Techniques for confidential delivery of random data over a network | |
US20140169554A1 (en) | System, processing device, computer program and method, to transparently encrypt and store data objects such that owners of the data object and permitted viewers are able to view decrypted data objects after entering user selected passwords | |
CN110519046B (en) | Quantum communication service station key negotiation method and system based on one-time asymmetric key pair and QKD | |
CN101005357A (en) | Method and system for updating certification key | |
CN109359464B (en) | Wireless security authentication method based on block chain technology | |
CN110601830B (en) | Key management method, device, equipment and storage medium based on block chain | |
Zhou et al. | EverSSDI: blockchain-based framework for verification, authorisation and recovery of self-sovereign identity using smart contracts | |
JP6049914B2 (en) | Cryptographic system, key generation device, and re-encryption device | |
CN114631285A (en) | Key generation for use in secure communications | |
WO2021098152A1 (en) | Blockchain-based data processing method, device, and computer apparatus | |
Peng et al. | Comments on “identity-based distributed provable data possession in multicloud storage” | |
US20160080336A1 (en) | Key Usage Detection | |
CN114189388A (en) | Alliance link key management system and method | |
CN112073182A (en) | Quantum key management method and system based on block chain | |
CN103916237A (en) | Method and system for managing user encrypted-key retrieval |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |