CN114640445A - HSM key management system, method, device and storage medium - Google Patents

HSM key management system, method, device and storage medium Download PDF

Info

Publication number
CN114640445A
CN114640445A CN202210278339.2A CN202210278339A CN114640445A CN 114640445 A CN114640445 A CN 114640445A CN 202210278339 A CN202210278339 A CN 202210278339A CN 114640445 A CN114640445 A CN 114640445A
Authority
CN
China
Prior art keywords
key
hsm
starting
kms
management system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210278339.2A
Other languages
Chinese (zh)
Inventor
段钧宝
王智慧
孟萨出拉
曾姝彦
马宝娟
韩金侠
张慧
杨德龙
朱思成
胡悦
张瑞兵
丁慧霞
汪洋
吴赛
王亚男
西本民
刘恒
滕玲
李健
张彤彤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electric Power Research Institute Co Ltd CEPRI
Original Assignee
China Electric Power Research Institute Co Ltd CEPRI
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Electric Power Research Institute Co Ltd CEPRI filed Critical China Electric Power Research Institute Co Ltd CEPRI
Priority to CN202210278339.2A priority Critical patent/CN114640445A/en
Publication of CN114640445A publication Critical patent/CN114640445A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a HSM key management system, a method, a device and a storage medium, wherein the system comprises: the multi-HSM adaptation module is used for providing SDK or class library for different types of HSM to realize butt joint and calling the function of the HSM through an operation interface provided by the SDK or the class library; the adapter module is used for converting the interfaces provided by different HSMs into a uniform external operation interface for the calling of a service system; each HSM corresponds to one adapter module; and the unified external interface module is used for being connected with the plurality of adapter modules to acquire service access requests. The invention can support the butt joint of a plurality of HSMs with different models and the butt joint of a plurality of key management systems with the same model, and simultaneously provides services through the HSMs with different models to adapt to diversified service scenes.

Description

HSM key management system, method, device and storage medium
Technical Field
The present invention relates to the technical field of key management, and in particular, to a system, a method, a device, and a storage medium for HSM key management.
Background
With the continuous development of the eSIM technology, an organization or an operator needs to purchase or build an SM-DP + platform by itself to realize the secure storage of the eSIM code number resource and the secure downloading of the eSIM code number resource to the terminal device, and in the above-mentioned business process, there are a lot of requirements for key generation, data encryption and decryption, electronic signature verification, etc., so a high-security key management system is needed to provide such services, and the system should have the capability of docking a hardware encryption machine (HSM), a high-security access control mechanism, a secure key generation and storage mechanism, and diverse management interfaces.
A key management system based on a software security module. Namely, the core security module is implemented by software, and the software implementation mode determines the security level of the system.
The key management system based on the software security module uses programming languages such as Java or C + + and the like to compile the software security module and is used for realizing the functions of key creation, key storage, encryption, decryption, signature verification and the like. Such systems typically encrypt locally stored key data using a fixed system protection key that may be automatically generated at system initialization and stored in a database after being encrypted by a system boot key, which may be split into multiple components for holding by multiple people.
The SM-DP + service system interacts with the key management service module to send a service request, the key management service module calls the software security module to realize specific operations (key generation, key storage, encryption and decryption and the like), and the software security module for data needing to be persisted is encrypted by a system protection key and then stored in a database.
The prior art therefore has the following disadvantages:
firstly, the function of the software security module is realized by a general-purpose CPU, and the operational performance of the general-purpose CPU cannot reach the performance of a dedicated hardware encryption chip adopted by the HSM, so that the performance of the software security module is far lower than that of the HSM, and the software security module cannot adapt to a scene with higher performance requirements; in addition, the safety of the software safety module is completely guaranteed by the design and implementation of a software system, so that safety holes are easy to appear, and the risk of being cracked exists.
Secondly, the key management system of a single HSM is butted, the expandability is poor, and a service scene is limited to a certain specific HSM model; in addition, the capacity of a single HSM is limited, which will become a bottleneck in the development of services in the future.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides an HSM key management system, a method, equipment and a storage medium. The key management system can support the butt joint of a plurality of HSMs of different models and the butt joint of a plurality of HSMs of the same model, and simultaneously provides services through the HSMs of different models so as to adapt to diversified service scenes.
In order to achieve the purpose, the invention adopts the following technical scheme:
an HSM key management system comprising:
the multi-HSM adaptation module is used for providing SDK or class library for different types of HSM to realize butt joint and calling the function of the HSM through an operation interface provided by the SDK or the class library;
the adapter module is used for converting the interfaces provided by different HSMs into a uniform external operation interface for the calling of a service system; each HSM corresponds to one adapter module;
and the unified external interface module is used for being connected with the plurality of adapter modules to acquire service access requests.
As a further improvement of the present invention, the multi-HSM adaptation module encrypts and manages the internal data by using an internal data protection mechanism, randomly generates a master key when being started for the first time, encrypts the HSM docking password by using the master key, and stores the encrypted HSM docking password in the database of the HSM key management system.
As a further improvement of the present invention, the docking information of the HSMs of different models includes HSMType, Slot, IPAddress, access user, and access passed;
the multi-HSM adaptation module has an expansion module for expanding the number of HSM instances.
A management method of an HSM key management system comprises the following steps:
the unified external interface module reads a plurality of different HSM access information from the configuration file and starts a matched adapter module according to the HSMType in the configuration file;
the adapter module calls the SDK or the class library to complete the butt joint and initialization with the HSM;
and the key operation interface of the multiple HSM adapter modules supports the incoming HSMType and Slot, and calls the corresponding HSM to complete key operation according to the incoming HSMType.
As a further improvement of the invention, the configuration file exists in a temporary file mode in the deployment stage, and once the read start is completed, the configuration file is deleted.
As a further improvement of the present invention, before the key operation is completed by calling the corresponding HSM according to the incoming HSM type, the multi-HSM adaptation module further includes that the internal data is encrypted and managed by using an internal data protection mechanism, a master key is randomly generated when the internal data is first started, and the master key is used to encrypt the HSM docking password and then is stored in a database of the HSM key management system.
As a further improvement of the present invention, the multi-HSM adaptation module adopts an internal data protection mechanism to perform encryption management on internal data, and specifically includes:
randomly generating a starting key, splitting the starting key into M key components, and reducing the minimum number of key components required by the starting key to be N, wherein N KMS managers respectively hold one key component; m is more than or equal to N and more than 0;
after the first start and the generation of a start key, a master key is generated, and the master key is encrypted by the start key and then stored in a database of the HSM key management system; the service data is encrypted by the master key and then stored in a database;
and during unlocking, acquiring respective key components input by N KMS managers, restoring the N key components into a starting key, decrypting the master key through the starting key, unlocking the business data in the database by using the master key, and then enabling the KMS to become an unlocking state to perform business operation.
An internal data encryption management method, comprising:
randomly generating a starting key, splitting the starting key into M key components, and reducing the minimum number of key components required by the starting key to be N, wherein N KMS managers respectively hold one key component; m is more than or equal to N and more than 0;
after the first start and the generation of a start key, a master key is generated, and the master key is encrypted by the start key and then stored in a database of the HSM key management system; the service data is encrypted by the master key and then stored in the database;
and during unlocking, acquiring respective key components input by N KMS managers, restoring the N key components into a starting key, decrypting the master key through the starting key, unlocking the business data in the database by using the master key, and then enabling the KMS to become an unlocking state to perform business operation.
As a further improvement of the present invention, the starting key is split into M key components, specifically, using Shamir's Secret sharpening algorithm; the reduction of the N key components to the starting key specifically uses Shamir's Secret sharpening algorithm.
As a further improvement of the present invention, the N KMS administrators each hold a key component, specifically: the N key components are displayed one by one, only one key component is displayed each time, M KMS managers select and hold the respective components one by one, and the starting key can be restored only by simultaneously inputting the key components held by the N key managers.
As a further improvement of the present invention, acquiring that N KMS administrators input respective key components specifically means that N KMS administrators are required to input respective key components one by one, and the KMS restores the N key components to the boot key.
An internal data encryption management system comprising:
the starting key generation module is used for randomly generating a starting key, the starting key is split into M key components, the minimum number of key components required for restoring the starting key is N, and N KMS managers respectively hold one key component; m is more than or equal to N and more than 0;
the master key generation module is used for generating a master key after first starting and generating a starting key, and the master key is encrypted by the starting key and then stored in a database of the HSM key management system; the service data is encrypted by the master key and then stored in a database;
and the key unlocking module is used for acquiring respective key components input by N KMS managers during unlocking, restoring the N key components into a starting key, decrypting the master key through the starting key, and further unlocking the business data in the database by using the master key, so that the KMS becomes an unlocking state and performs business operation.
An electronic device comprising a memory, a processor and a computer program stored in said memory and executable on said processor, said processor implementing the steps of said internal data encryption management method when executing said computer program.
A computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the internal data encryption management method.
Compared with the prior art, the invention has the beneficial effects that:
the invention provides an HSM key management system which is adaptive to multiple types of HSM, supports the expansion of HSM instance quantity, provides a uniform interface for the outside, and simultaneously ensures the security of self data through a multi-level key mechanism by a KMS. The system supports the butt joint of a plurality of HSMs of different models through a plurality of HSM adaptation modules, and supports the key management system butt joint of a plurality of HSMs of the same model to horizontally expand the capacity so as to solve the bottleneck problem of the capacity, and simultaneously provides services through the HSMs of different models to adapt to diversified service scenes.
The multi-HSM adaptation module is encrypted by a starting key through a main key and then stored in a database of an HSM key management system, specifically, a main key is randomly generated when the multi-HSM adaptation module is started for the first time, and the main key is used for encrypting an HSM docking password and then storing the HSM docking password in the database of the HSM key management system. The user key is stored in the HSM to ensure the highest security, the internal data with high security level is stored in the database through an internal data protection mechanism, and the KMS ensures the security of the data of the KMS through a multi-level key mechanism.
Drawings
FIG. 1 is a schematic diagram of an HSM key management system of the present invention;
fig. 2 is a schematic diagram of a multiple HSM adaptation module according to a preferred embodiment of the present invention;
FIG. 3 is a flow chart of an internal data encryption management method according to a preferred embodiment of the present invention;
FIG. 4 is a flow chart of a consistent internal data encryption management method of the present invention;
FIG. 5 is a schematic diagram of an internal data encryption management system according to the present invention;
FIG. 6 is a flow chart of an embodiment of an HSM key management system of the present invention;
fig. 7 is a schematic structural diagram of an electronic device according to the present invention.
Detailed Description
The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings. It should be noted that, in the present application, the embodiments and features of the embodiments may be combined with each other without conflict.
The following detailed description is exemplary in nature and is intended to provide further details of the invention. Unless otherwise defined, all technical terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of exemplary embodiments according to the invention.
Interpretation of related terms
Subscription management Data Preparation server, the main functions are to prepare Profile, encrypt, store and distribute the Profile to a specified EID securely. And binding an encrypted Profile to be safely issued to the eUICC.
The GSMA is GSM Association, International telecommunication Union, and the main participants comprise operators, card merchants, terminal equipment manufacturers and the like and are responsible for the overall technical standard specification and unified coordination in the fields of communication, Profile, core network and the like.
A combination of data and applications to be provided for the SIM or the eUICC.
Remote SIM card configuration and management.
Hardware Security module, a computer Hardware device for securing and managing digital keys used by strong authentication systems and providing related cryptographic operations. The hardware security module is typically connected directly to the computer or network server in the form of an expansion card or external device.
KMS, Key Management System.
Symmetric key: symmetric key encryption is also called private key encryption or shared key encryption, i.e. both parties sending and receiving data must use the same key to encrypt and decrypt the plaintext. The symmetric key encryption algorithm mainly comprises the following steps: DES, 3DES, AES, RC5, RC6, etc.
Asymmetric cryptography: asymmetry cryptographic, an algorithm of cryptography that requires two keys, one Public Key and the other Private Key; the public key is used for encryption and the private key is used for decryption. The cipher text obtained after encrypting the plaintext by using the public key can be decrypted only by using the corresponding private key to obtain the original plaintext, and the public key used for encryption at first cannot be used for decryption. Since encryption and decryption require two different keys, it is called asymmetric encryption; unlike symmetric encryption where both encryption and decryption use the same key. The public key can be published and can be freely issued outwards; the private key cannot be disclosed, must be kept strictly secret by the user himself, must not be provided to anyone through any way, and cannot be disclosed to the other trusted party to communicate. Based on the characteristics of public key encryption, the Digital Signature (Digital Signature) can also provide a Digital Signature function, so that the electronic file can obtain the effect as if the electronic file is signed in person on a paper file.
Software Development kit, a set of tools that provide Application Programming Interfaces (APIs) for certain programming languages or embedded system communications.
Lib: class Library (Class Library) is a collection of comprehensive object-oriented reusable types, including: interfaces, abstract classes, and concrete classes. The class library can solve a series of common programming tasks (including tasks such as string management, data collection, database connection, and file access), and can also solve a variety of specialized development tasks (desktop applications, WEB applications, console applications, etc.).
Shamir's Secret sharpening: a key protection algorithm. For protecting keys in a distributed manner, are commonly used to protect other encryption keys. The key is divided into a number of parts, called key components, which can be used to reconstruct the original key.
In order to horizontally expand the capacity by using the key management system supporting the docking of a plurality of HSMs of different models and the docking of a plurality of HSMs of the same model so as to solve the bottleneck problem of the capacity, the HSMs of different models simultaneously provide services to adapt to diversified service scenes. As shown in fig. 1, the present invention provides an HSM key management system, which includes:
the multi-HSM adaptation module is used for providing SDK or class library for different types of HSM to realize butt joint and calling the function of the HSM through an operation interface provided by the SDK or the class library;
the adapter module is used for converting the interfaces provided by different HSMs into a uniform external operation interface for the calling of a service system; each HSM corresponds to one adapter module;
and the unified external interface module is used for being connected with the plurality of adapter modules to acquire service access requests.
The invention adapts to multiple types of HSM, supports expanding HSM instance quantity, provides a uniform interface for the outside, and simultaneously ensures the safety of self data through a multi-level key mechanism by the KMS.
Specifically, the multiple HSM adaptation modules are illustrated as follows:
aiming at HSMs of different models, the docking is realized by integrating SDKs or class libraries provided by the HSMs, and the functions of the HSMs can be called through operation interfaces provided by the SDKs or the class libraries.
The multi-HSM adaptation module adopts an internal data protection mechanism to encrypt and manage internal data, randomly generates a main key when being started for the first time, encrypts an HSM butt joint password by using the main key and then stores the HSM butt joint password into a database of an HSM key management system.
On the basis, each HSM corresponds to an adapter module realized by software, and the adapter converts interfaces provided by different HSMs into a uniform external operation interface for service system call, so that the difference of different HSM interfaces is shielded. As shown in fig. 2.
As a preferred embodiment, the docking information of the HSMs of different models includes HSMType, Slot, IPAddress, access user, and access passed; the multi-HSM adaptation module has an expansion module for expanding the number of HSM instances. The key management system supports the butt joint of a plurality of HSMs of different models and supports the butt joint of a plurality of HSMs of the same model, and the HSMs of different models simultaneously provide services to adapt to diversified service scenes.
The key management system supports docking information for configuring multiple HSMs, including but not limited to:
Figure BDA0003556804200000081
Figure BDA0003556804200000091
the invention also provides a management method of the HSM key management system, which comprises the following steps:
the unified external interface module reads a plurality of different HSM access information from the configuration file and starts a matched adapter module according to the HSMType in the configuration file;
the adapter module calls the SDK or the class library to complete the butt joint and initialization with the HSM;
and the key operation interface of the multi-HSM adaptation module supports the incoming HSMType and the Slot, and calls the corresponding HSM according to the incoming HSMType to complete the key operation.
In the starting stage, the key management system reads a plurality of different HSM access information from the configuration file, different adapters are started according to HSMType in the configuration file, and the adapter module calls the SDK or the class library to complete the butt joint and initialization with the HSM. And a key operation interface provided by the key management system externally supports incoming HSMType and Slot, and the system calls a corresponding HSM to complete key operation according to the incoming HSMType.
The configuration file exists only in a temporary file mode in the deployment stage, and once the read start is completed, the configuration file is deleted. The key management system randomly generates a master key when being started for the first time, encrypts an HSM docking password by using the master key and then stores the encrypted HSM docking password into a database of the HSM key management system.
Particularly, the method also comprises the steps that before the key operation is completed by calling the corresponding HSM according to the transmitted HSMType, the multi-HSM adaptation module adopts an internal data protection mechanism to encrypt and manage internal data, randomly generates a master key when the multi-HSM adaptation module is started for the first time, encrypts the HSM docking password by using the master key and stores the HSM docking password into a database of the HSM key management system.
Based on the multiple HSM adaptation modules, an internal data protection mechanism needs to be provided, which is specifically described as follows:
the key management system stores the user key in the HSM to ensure the highest security, and at the same time, the system needs to store some internal data with high security level in the database, including the KMS user access password, the HSM access password, etc., so an internal data protection mechanism with high security level is needed.
Referring to fig. 3, a security protection mechanism of KMS according to a preferred embodiment of the present invention is described as follows:
the method includes that a KMS randomly generates a key when the KMS is started for the first time, the key is called as a starting key, the starting key is split into a plurality of key components by using a Shamir's Secret Sharing algorithm, the number of the components is recorded as M (the value of M is 2-5), the minimum number of the components required for restoring an initial key is recorded as N (M > -N >0), M and N can be set on a KMS management interface, the key components are displayed on the KMS management interface one by one, only one component is displayed each time, M KMS managers click a next button one by one to display the components, namely each KMS manager holds one component, and the starting key can be restored only by inputting the key components held by N key managers at the same time.
After the KMS is started for the first time and generates a starting key, a main key is generated and used for encrypting sensitive data in the system (the sensitive data is encrypted by the main key and then stored in a database), and the encryption mode can adopt strong encryption algorithms such as AES256, RSA2048, ECDSA256 and the like; the master key is encrypted by the starting key and then stored in a database of the HSM key management system;
after the KMS is started for the first time and restarted, the KMS automatically enters a locked state, the master key is in a database encryption state, so business operation cannot be performed in the locked state, N KMS managers need to input respective key components one by one, the KMS restores the N key components to the starting key by using a Shamir's Secret Sharing algorithm, the master key is decrypted by the starting key, and then the KMS becomes an unlocked state after the business data in the database are unlocked by using the master key, so that the business operation can be performed normally.
Accordingly, as shown in fig. 4, the present invention further provides an internal data encryption management method applied to a security protection mechanism of a KMS, including:
randomly generating a starting key, splitting the starting key into M key components, reducing the minimum number of the key components required by the starting key to be N, wherein N KMS managers respectively hold one key component; m is more than or equal to N and more than 0;
after the first start and the generation of a start key, a master key is generated, and the master key is encrypted by the start key and then stored in a database of the HSM key management system; the service data is encrypted by the master key and then stored in the database;
and during unlocking, acquiring respective key components input by N KMS managers, restoring the N key components into a starting key, decrypting the master key through the starting key, unlocking the business data in the database by using the master key, and then enabling the KMS to become an unlocking state to perform business operation.
The starting key is split into M key components, specifically, a Shamir's Secret Sharing algorithm is adopted; the reduction of the N key components to the starting key specifically uses Shamir's Secret sharpening algorithm.
In order to improve security, each of the N KMS administrators has a key component, specifically: the N key components are displayed one by one, only one key component is displayed each time, M KMS managers select and hold the respective components one by one, and the starting key can be restored only by simultaneously inputting the key components held by the N key managers. Acquiring that N KMS administrators input respective key components specifically means that N KMS administrators need to input respective key components one by one, and the KMS restores the N key components to the starting key.
As shown in fig. 5, the present invention further provides an internal data encryption management system, including:
the starting key generation module is used for randomly generating a starting key, the starting key is split into M key components, the minimum number of key components required for restoring the starting key is N, and N KMS managers respectively hold one key component; m is more than or equal to N and more than 0;
the master key generation module is used for generating a master key after first starting and generating a starting key, and the master key is encrypted by the starting key and then stored in a database of the HSM key management system; the service data is encrypted by the master key and then stored in a database;
and the key unlocking module is used for acquiring respective key components input by N KMS managers during unlocking, restoring the N key components into a starting key, decrypting the master key through the starting key, and further unlocking the business data in the database by using the master key, so that the KMS becomes an unlocking state and performs business operation.
The operation of the system of the present invention will be described in detail with reference to the following embodiments and accompanying drawings.
Example 1
For example, two subordinate organizations exist in a certain organization, which are marked as a organization a and a organization B, the two organizations both use the same SM-DP + system to provide service for users of the respective organizations, the two organizations have different service scenes, the organization a has a large number of users, and has high requirements on service processing performance but low requirements on security level; organization B has a small number of users, with low processing performance requirements but higher security requirements.
According to the above scenario, a KMS system can be constructed by purchasing HSMs of two specifications, denoted as TYPE A and TYPE B.
TYPE a is high-performance TYPE, low in security level and low in cost, two TYPEs are purchased, high service capacity is supported, and the method is suitable for the organization a;
TYPE B is high security, and the security level is high, and is with high costs, purchases one, is applicable to mechanism B.
The following embodiment 1 describes the detailed implementation process of the technical solution of the present invention:
as shown in fig. 6, the KMS accesses two models of HSMs simultaneously, and the inside of the KMS is distinguished by using an HSMType field; meanwhile, TYPE a HSM runs two instances simultaneously, with slot differentiation inside the KMS.
The parameter set supported by the Type A HSM functional interface is recorded as a parameter set A, and after passing through the Type A adapter, the parameter set A is converted into a uniform parameter set; the parameter set supported by the Type B HSM functional interface is recorded as a parameter set B, and after the parameter set B is converted into a uniform parameter set through the Type A adapter. Thus, the business service can call Type a HSM and Type B HSM using the same set of parameters.
The method comprises the following implementation steps:
1. the service request carries HSMType and Slot 1 and a unified parameter set.
2. The unified external interface module is used for converting the parameter set according to the HSMType and the Slot calling Type A adapter 1.
3. The Type A adapter 1 converts the unified parameter group into a parameter group A, and calls the Type A HSM to complete the service operation by using the SDK.
In summary, the mechanism a and the mechanism B can transmit different HSMType to select the HSM meeting their own requirements to implement service operation. And the rapid processing of service calling is realized.
Based on the above description, it can be seen that the HSM key management system of the present invention has the following advantages:
1. the method is suitable for multi-element service scenes and reduces the cost.
The KMS can realize the business requirements of the same set of platform for supporting different scenes, is flexible in adaptation and reduces the cost.
2. High scalability
Firstly, the HSM of the same model can expand a plurality of instances, and the service capacity is flexibly expanded. In addition, the invention supports accessing different HSMs, thereby realizing the expansibility on functions.
3. High security level
Through the multi-level protection of the starting key and the master key and the scattered holding of the starting key, the safety of data in the KMS is effectively ensured.
As shown in fig. 7, the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the internal data encryption management method when executing the computer program.
The internal data encryption management method comprises the following steps:
randomly generating a starting key, splitting the starting key into M key components, reducing the minimum number of the key components required by the starting key to be N, wherein N KMS managers respectively hold one key component; m is more than or equal to N and more than 0;
after the first start and the generation of a start key, a master key is generated, and the master key is encrypted by the start key and then stored in a database of the HSM key management system; the service data is encrypted by the master key and then stored in a database;
and during unlocking, acquiring respective key components input by N KMS managers, restoring the N key components into a starting key, decrypting the master key through the starting key, unlocking the business data in the database by using the master key, and then enabling the KMS to become an unlocking state to perform business operation.
Finally, the invention provides a computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the internal data encryption management method.
The internal data encryption management method comprises the following steps:
randomly generating a starting key, splitting the starting key into M key components, and reducing the minimum number of key components required by the starting key to be N, wherein N KMS managers respectively hold one key component; m is more than or equal to N and more than 0;
after the first start and the generation of a start key, a master key is generated, and the master key is encrypted by the start key and then stored in a database of the HSM key management system; the service data is encrypted by the master key and then stored in a database;
and during unlocking, acquiring respective key components input by N KMS managers, restoring the N key components into a starting key, decrypting the master key through the starting key, unlocking the business data in the database by using the master key, and then enabling the KMS to become an unlocking state to perform business operation.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (14)

1. An HSM key management system, comprising:
the multi-HSM adaptation module is used for providing an SDK or class library for HSM of different models to realize butt joint and calling the function of the HSM through an operation interface provided by the SDK or the class library;
the adapter module is used for converting the interfaces provided by different HSMs into a uniform external operation interface for the calling of a service system; each HSM corresponds to one adapter module;
and the unified external interface module is used for being connected with the plurality of adapter modules to acquire service access requests.
2. The HSM key management system of claim 1, wherein:
the multi-HSM adaptation module adopts an internal data protection mechanism to encrypt and manage internal data, randomly generates a main key when being started for the first time, encrypts an HSM butt joint password by using the main key and then stores the HSM butt joint password into a database of an HSM key management system.
3. The HSM key management system of claim 1, wherein:
the docking information of the HSMs of different models comprises HSMType, Slot, IPAddress, Access user and Access passed;
the multi-HSM adaptation module has an expansion module for expanding the number of HSM instances.
4. A management method of an HSM key management system is characterized by comprising the following steps:
the unified external interface module reads a plurality of different HSM access information from the configuration file, and starts a matched adapter module according to the HSMType in the configuration file;
the adapter module calls the SDK or the class library to complete the butt joint and initialization with the HSM;
and a key operation interface of the multiple HSM adaptation modules supports the incoming HSMType and Slot, and calls the corresponding HSM according to the incoming HSMType to complete key operation.
5. The management method of HSM key management system according to claim 4,
the configuration file exists in a temporary file mode in a deployment stage, and once the reading and starting are completed, the configuration file is deleted.
6. The management method of HSM key management system according to claim 4,
the method comprises the following steps that a corresponding HSM is called according to an incoming HSMType to complete key operation, the multi-HSM adaptation module adopts an internal data protection mechanism to encrypt and manage internal data, a master key is randomly generated when the multi-HSM adaptation module is started for the first time, and the master key is used for encrypting an HSM docking password and then storing the HSM docking password in a database.
7. The management method of the HSM key management system according to claim 6, wherein the multi-HSM adaptation module performs encryption management on the internal data by using an internal data protection mechanism, and specifically comprises:
randomly generating a starting key, splitting the starting key into M key components, and reducing the minimum number of key components required by the starting key to be N, wherein N KMS managers respectively hold one key component; m is more than or equal to N and more than 0;
after the first start and the generation of a start key, a master key is generated, and the master key is encrypted by the start key and then stored in a database of the HSM key management system; the service data is encrypted by the master key and then stored in a database;
and during unlocking, acquiring respective key components input by N KMS managers, restoring the N key components into a starting key, decrypting the master key through the starting key, unlocking the business data in the database by using the master key, and then enabling the KMS to become an unlocking state to perform business operation.
8. An internal data encryption management method, comprising:
randomly generating a starting key, splitting the starting key into M key components, and reducing the minimum number of key components required by the starting key to be N, wherein N KMS managers respectively hold one key component; m is more than or equal to N and more than 0;
after the first startup and the generation of a startup key, a master key is generated and is stored in a database after being encrypted by the startup key; the service data is encrypted by the master key and then stored in a database;
and during unlocking, acquiring respective key components input by N KMS managers, restoring the N key components into a starting key, decrypting the master key through the starting key, unlocking the business data in the database by using the master key, and then enabling the KMS to become an unlocking state to perform business operation.
9. An internal data encryption management method according to claim 8, wherein the starting key usage is split into M key components, specifically using Shamir's Secret Sharing algorithm; the reduction of the N key components to the starting key specifically uses Shamir's Secret sharpening algorithm.
10. The internal data encryption management method according to claim 8, wherein each of the N KMS administrators holds a key component, specifically: the N key components are displayed one by one, only one key component is displayed each time, M KMS managers select and hold the respective components one by one, and the starting key can be restored only by simultaneously inputting the key components held by the N key managers.
11. The internal data encryption management method as claimed in claim 8, wherein the obtaining of the key components input by the N KMS administrators means that the N KMS administrators are required to input the key components one by one, and the KMS restores the start keys from the N key components.
12. An internal data encryption management system, comprising:
the starting key generation module is used for randomly generating a starting key, the starting key is split into M key components, the minimum number of key components required for restoring the starting key is N, and N KMS managers respectively hold one key component; m is more than or equal to N and more than 0;
the master key generation module is used for generating a master key after first starting and generating a starting key, and the master key is encrypted by the starting key and then stored in a database of the HSM key management system; the service data is encrypted by the master key and then stored in a database;
and the key unlocking module is used for acquiring respective key components input by N KMS managers during unlocking, restoring the N key components into a starting key, decrypting the master key through the starting key, and further unlocking the business data in the database by using the master key, so that the KMS becomes an unlocking state and performs business operation.
13. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the internal data encryption management method according to any one of claims 8 to 11 when executing the computer program.
14. A computer-readable storage medium, storing a computer program which, when executed by a processor, implements the steps of the internal data encryption management method according to any one of claims 8 to 11.
CN202210278339.2A 2022-03-21 2022-03-21 HSM key management system, method, device and storage medium Pending CN114640445A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210278339.2A CN114640445A (en) 2022-03-21 2022-03-21 HSM key management system, method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210278339.2A CN114640445A (en) 2022-03-21 2022-03-21 HSM key management system, method, device and storage medium

Publications (1)

Publication Number Publication Date
CN114640445A true CN114640445A (en) 2022-06-17

Family

ID=81950464

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210278339.2A Pending CN114640445A (en) 2022-03-21 2022-03-21 HSM key management system, method, device and storage medium

Country Status (1)

Country Link
CN (1) CN114640445A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107479482A (en) * 2017-08-21 2017-12-15 上海博泰悦臻网络技术服务有限公司 A kind of operating system and implementation method applied to automotive electronics
CN110189486A (en) * 2019-05-24 2019-08-30 上海银行股份有限公司 The self-service automatic delivery method of equipment key
CN111010275A (en) * 2019-12-31 2020-04-14 嘉兴太美医疗科技有限公司 Key management method, method for generating key and key management system
CN111464301A (en) * 2020-04-28 2020-07-28 郑州信大捷安信息技术股份有限公司 Key management method and system
CN111818032A (en) * 2020-06-30 2020-10-23 腾讯科技(深圳)有限公司 Data processing method and device based on cloud platform and computer program
CN112470425A (en) * 2018-05-02 2021-03-09 亚马逊技术有限公司 Key management system and method
CN113890731A (en) * 2021-09-29 2022-01-04 北京天融信网络安全技术有限公司 Key management method, key management device, electronic equipment and storage medium

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107479482A (en) * 2017-08-21 2017-12-15 上海博泰悦臻网络技术服务有限公司 A kind of operating system and implementation method applied to automotive electronics
CN112470425A (en) * 2018-05-02 2021-03-09 亚马逊技术有限公司 Key management system and method
CN110189486A (en) * 2019-05-24 2019-08-30 上海银行股份有限公司 The self-service automatic delivery method of equipment key
CN111010275A (en) * 2019-12-31 2020-04-14 嘉兴太美医疗科技有限公司 Key management method, method for generating key and key management system
CN111464301A (en) * 2020-04-28 2020-07-28 郑州信大捷安信息技术股份有限公司 Key management method and system
CN111818032A (en) * 2020-06-30 2020-10-23 腾讯科技(深圳)有限公司 Data processing method and device based on cloud platform and computer program
CN113890731A (en) * 2021-09-29 2022-01-04 北京天融信网络安全技术有限公司 Key management method, key management device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN109144961B (en) Authorization file sharing method and device
EP2095288B1 (en) Method for the secure storing of program state data in an electronic device
CN111191286A (en) HyperLegger Fabric block chain private data storage and access system and method thereof
CN110489996B (en) Database data security management method and system
US11831753B2 (en) Secure distributed key management system
US7765600B2 (en) Methods and apparatuses for authorizing features of a computer program for use with a product
CN106992851B (en) TrustZone-based database file password encryption and decryption method and device and terminal equipment
WO2020155812A1 (en) Data storage method and device, and apparatus
CN107040520B (en) Cloud computing data sharing system and method
US20210334356A1 (en) Authentication credential protection method and system
CN111274611A (en) Data desensitization method, device and computer readable storage medium
CN104468562A (en) Portable transparent data safety protection terminal oriented to mobile applications
CN103378971A (en) Data encryption system and method
EP3866039A1 (en) Method and system for protecting authentication credentials
CN113642014A (en) Data access system based on hybrid cloud and public cloud server
CN110602132A (en) Data encryption and decryption processing method
CN114372242A (en) Ciphertext data processing method, authority management server and decryption server
JP5678150B2 (en) User terminal, key management system, and program
CN110287725B (en) Equipment, authority control method thereof and computer readable storage medium
JP2016012902A (en) Electronic data utilization system, portable terminal device, and method for electronic data utilization system
JPH09139735A (en) Ciphering data communication system
CN115801232A (en) Private key protection method, device, equipment and storage medium
CN114640445A (en) HSM key management system, method, device and storage medium
WO2019216847A2 (en) A sim-based data security system
CN111881474B (en) Private key management method and device based on trusted computing environment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination